Browse Source

Simplify composite check strings for project personas

This commit adds two check strings to cinder's base policies that
simplify project personas.

The is_admin_project check isn't used in the admin_or_owner rule. The
is_admin property of the context object actually evaluates to
context_is_admin, which just checks if 'admin' is in context.roles.

This check string simplies the indirection. Future patches will likely
change many of the admin_or_owner checks to support system-scope, which
will require modifications to the existing deprecated defaults.

The other thing this change does is include project-reader and
project-member personas into cinder's default check strings. While
cinder doesn't fully support system-scope, we can still pursue
project-personas, allowing a more consistent experience across OpenStack
services.

Change-Id: Ib7856390053d75bd845476f25891923873bf3078
changes/59/775959/2
Lance Bragstad 6 months ago
parent
commit
f8e569864f
  1. 6
      cinder/policies/base.py

6
cinder/policies/base.py

@ -68,6 +68,12 @@ SYSTEM_OR_PROJECT_MEMBER = (
SYSTEM_OR_PROJECT_READER = (
'(' + SYSTEM_READER + ') or (' + PROJECT_READER + ')'
)
LEGACY_ADMIN_OR_PROJECT_MEMBER = (
'role:admin or (role:member and project_id:%(project_id)s)'
)
LEGACY_ADMIN_OR_PROJECT_READER = (
'role:admin or (role:reader and project_id:%(project_id)s)'
)
rules = [
policy.RuleDefault('context_is_admin', 'role:admin',

Loading…
Cancel
Save