
Fix default admin_or_owner policy expression

By default not even an admin can use the get_summary endpoint with
all_tenants=True or using a tenant_id parameter. This commit fixes that.

This rule is now the same as how cinder defines admin_or_owner.

Change-Id: I3e34927e8ab88f25d2975b4dbac89b52a7d94c98
(cherry picked from commit 2a985c94ee)
changes/73/785173/2
Jonathan Herlin 2 months ago
committed by Pierre Riteau
parent
commit
f2c4fd963d
2 changed files with 5 additions and 6 deletions
  1. +3
    -1
      cloudkitty/common/policies/base.py
  2. +2
    -5
      doc/source/_static/cloudkitty.policy.yaml.sample

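--- a/cloudkitty/common/policies/base.py
+++ b/cloudkitty/common/policies/base.py
@@ -25,7 +25,9 @@ rules = [
 check_str='role:admin'),
 policy.RuleDefault(
 name='admin_or_owner',
-check_str='is_admin:True or tenant:%(tenant_id)s'),
+check_str='is_admin:True or '
+'(role:admin and is_admin_project:True) or '
+'tenant:%(tenant_id)s'),
 policy.RuleDefault(
 name='default',
 check_str=UNPROTECTED)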
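Review bot: The new `(role:admin and is_admin_project:True)` term in `admin_or_owner` widens cross-tenant access, yet the rule carries no comment or `description=` saying who it is meant to admit. As far as I know, `is_admin_project` evaluates to true for every token unless the deployment has configured an admin project in Keystone, so on such clouds a user holding `admin` on any single project would pass this rule for all tenants; please confirm that is intended. I would record the intent on the rule itself, e.g. `description='Admin context, admin role on the admin project, or owner of the target tenant.'`, and add a policy test asserting that a non-admin from a different tenant is still denied. The `rules` list begins and ends outside this hunk, so how the other defaults reference `admin_or_owner` is not visible here.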


+ 2
- 5
doc/source/_static/cloudkitty.policy.yaml.sample

@ -1,10 +1,7 @@
#
#"context_is_admin": "role:admin"
#
#"admin_or_owner": "is_admin:True or tenant:%(tenant_id)s"
#"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or tenant:%(tenant_id)s"
#
#"default": ""
# Return the list of every services mapped to a collector.
@ -48,7 +45,7 @@
# GET /v1/info/config
#"info:get_config": ""
# Reture the list of loaded modules in Cloudkitty.
# Return the list of loaded modules in Cloudkitty.
# LIST /v1/rating/modules
#"rating:list_modules": "role:admin"

