From f8e569864f46764fe4befbeb297254082c09bdea Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Wed, 17 Feb 2021 02:29:29 +0000
Subject: [PATCH] Simplify composite check strings for project personas
This commit adds two check strings to cinder's base policies that simplify project personas. The is_admin_project check isn't used in the admin_or_owner rule. The is_admin property of the context object actually evaluates to context_is_admin, which just checks if 'admin' is in context.roles. This check string simplies the indirection. Future patches will likely change many of the admin_or_owner checks to support system-scope, which will require modifications to the existing deprecated defaults. The other thing this change does is include project-reader and project-member personas into cinder's default check strings. While cinder doesn't fully support system-scope, we can still pursue project-personas, allowing a more consistent experience across OpenStack services.
Change-Id: Ib7856390053d75bd845476f25891923873bf3078
---
cinder/policies/base.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/cinder/policies/base.py b/cinder/policies/base.py
index 119dbf5bc7d..d99179a56f4 100644
--- a/cinder/policies/base.py
+++ b/cinder/policies/base.py
@@ -68,6 +68,12 @@ SYSTEM_OR_PROJECT_MEMBER = (
 SYSTEM_OR_PROJECT_READER = (
     '(' + SYSTEM_READER + ') or (' + PROJECT_READER + ')'
 )
+LEGACY_ADMIN_OR_PROJECT_MEMBER = (
+    'role:admin or (role:member and project_id:%(project_id)s)'
+)
+LEGACY_ADMIN_OR_PROJECT_READER = (
+    'role:admin or (role:reader and project_id:%(project_id)s)'
+)
 
 rules = [
     policy.RuleDefault('context_is_admin', 'role:admin',
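Review bot: The two new constants hardcode `role:admin` instead of referencing `rule:context_is_admin`, the rule this same file registers at the bottom of the hunk (`policy.RuleDefault('context_is_admin', 'role:admin',`), so a deployer who overrides `context_is_admin` in policy.yaml would see that override honoured by existing admin checks but not by these legacy personas. The commit message presents this as a deliberate removal of indirection, so the decoupling is presumably intended, but nothing on the constants says so and the follow-up patches migrating `admin_or_owner` could easily reintroduce the rule reference on some checks and not others. A one-line comment above `LEGACY_ADMIN_OR_PROJECT_MEMBER` would fix that: `# NOTE: 'role:admin' is checked directly rather than via 'rule:context_is_admin', so deployer overrides of that rule do not apply to these legacy personas.` It is also worth noting in that comment that the `role:admin` half is not qualified by `project_id`, so an admin token for any project passes, which matches the legacy admin_or_owner behaviour the message describes but is not obvious from the LEGACY_ADMIN_OR_PROJECT_* names.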