Fix default admin_or_owner policy expression

By default not even an admin can use the get_summary endpoint with all_tenants=True or using a tenant_id parameter. This commit fixes that. This rule is now the same as how cinder defines admin_or_owner. Change-Id: I3e34927e8ab88f25d2975b4dbac89b52a7d94c98
8 months ago · 2a985c94ee
2 changed files with 5 additions and 3 deletions
--- a/cloudkitty/common/policies/base.py
+++ b/cloudkitty/common/policies/base.py
@ -25,7 +25,9 @@ rules = [
        check_str='role:admin'),
    policy.RuleDefault(
        name='admin_or_owner',
-        check_str='is_admin:True or project_id:%(project_id)s'),
+        check_str='is_admin:True or '
+                  '(role:admin and is_admin_project:True) or '
+                  'project_id:%(project_id)s'),
    policy.RuleDefault(
        name='default',
        check_str=UNPROTECTED)
--- a/doc/source/_static/cloudkitty.policy.yaml.sample
+++ b/doc/source/_static/cloudkitty.policy.yaml.sample
@ -1,6 +1,6 @@
 #"context_is_admin": "role:admin"

-#"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
+#"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"

 #"default": ""

@ -45,7 +45,7 @@
 # GET  /v1/info/config
 #"info:get_config": ""

-# Reture the list of loaded modules in Cloudkitty.
+# Return the list of loaded modules in Cloudkitty.
 # LIST  /v1/rating/modules
 #"rating:list_modules": "role:admin"