Browse Source

Fix default admin_or_owner policy expression

By default not even an admin can use the get_summary endpoint with
all_tenants=True or using a tenant_id parameter. This commit fixes that.

This rule is now the same as how cinder defines admin_or_owner.

Change-Id: I3e34927e8ab88f25d2975b4dbac89b52a7d94c98
changes/44/784444/3
Jonathan Herlin 4 months ago
committed by Pierre Riteau
parent
commit
2a985c94ee
  1. 4
      cloudkitty/common/policies/base.py
  2. 4
      doc/source/_static/cloudkitty.policy.yaml.sample

4
cloudkitty/common/policies/base.py

@ -25,7 +25,9 @@ rules = [
check_str='role:admin'),
policy.RuleDefault(
name='admin_or_owner',
check_str='is_admin:True or project_id:%(project_id)s'),
check_str='is_admin:True or '
'(role:admin and is_admin_project:True) or '
'project_id:%(project_id)s'),
policy.RuleDefault(
name='default',
check_str=UNPROTECTED)

4
doc/source/_static/cloudkitty.policy.yaml.sample

@ -1,6 +1,6 @@
#"context_is_admin": "role:admin"
#"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
#"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"
#"default": ""
@ -45,7 +45,7 @@
# GET /v1/info/config
#"info:get_config": ""
# Reture the list of loaded modules in Cloudkitty.
# Return the list of loaded modules in Cloudkitty.
# LIST /v1/rating/modules
#"rating:list_modules": "role:admin"

Loading…
Cancel
Save