From f2c4fd963d8d23205ca69207dbc5f8237f4be005 Mon Sep 17 00:00:00 2001
From: Jonathan Herlin
Date: Thu, 1 Apr 2021 18:17:08 +0200
Subject: [PATCH] Fix default admin_or_owner policy expression
By default not even an admin can use the get_summary endpoint with all_tenants=True or using a tenant_id parameter. This commit fixes that. This rule is now the same as how cinder defines admin_or_owner.
Change-Id: I3e34927e8ab88f25d2975b4dbac89b52a7d94c98
(cherry picked from commit 2a985c94ee920c1d0baec5d0c02204788c130b33)
---
 cloudkitty/common/policies/base.py | 4 +++-
 doc/source/_static/cloudkitty.policy.yaml.sample | 7 ++-----
 2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/cloudkitty/common/policies/base.py b/cloudkitty/common/policies/base.py
index 66c0d38e..6a8f2690 100644
--- a/cloudkitty/common/policies/base.py
+++ b/cloudkitty/common/policies/base.py
@@ -25,7 +25,9 @@ rules = [
 check_str='role:admin'),
 policy.RuleDefault(
 name='admin_or_owner',
- check_str='is_admin:True or tenant:%(tenant_id)s'),
+ check_str='is_admin:True or '
+ '(role:admin and is_admin_project:True) or '
+ 'tenant:%(tenant_id)s'),
 policy.RuleDefault(
 name='default',
 check_str=UNPROTECTED)
diff --git a/doc/source/_static/cloudkitty.policy.yaml.sample b/doc/source/_static/cloudkitty.policy.yaml.sample
index 7c99eb74..aba3443b 100644
--- a/doc/source/_static/cloudkitty.policy.yaml.sample
+++ b/doc/source/_static/cloudkitty.policy.yaml.sample
@@ -1,10 +1,7 @@
-#
 #"context_is_admin": "role:admin"
-#
-#"admin_or_owner": "is_admin:True or tenant:%(tenant_id)s"
+#"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or tenant:%(tenant_id)s"
-#
 #"default": ""
 # Return the list of every services mapped to a collector.
@@ -48,7 +45,7 @@
 # GET /v1/info/config
 #"info:get_config": ""
-# Reture the list of loaded modules in Cloudkitty.
+# Return the list of loaded modules in Cloudkitty.
 # LIST /v1/rating/modules
 #"rating:list_modules": "role:admin"
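Review bot: The new middle clause of `admin_or_owner` in cloudkitty/common/policies/base.py, `(role:admin and is_admin_project:True)`, rests on a deployment assumption that nothing in the hunk documents: it is only as narrow as the `is_admin_project` flag. If Keystone has no admin project configured, that flag is, as far as I know, reported as true for every token (worth confirming against the oslo.context and keystonemiddleware versions in use), so any project-scoped `role:admin` token would satisfy this rule for an arbitrary `tenant_id`. I would add a comment above the rule, e.g. `# NOTE: is_admin_project only narrows this when Keystone defines an admin project; otherwise any role:admin token matches.`, and give the `RuleDefault` a `description=` so the generated sample file explains the rule to operators. A unit test asserting that a non-admin token from a different tenant is still refused would pin the owner branch. The `rules` list begins and ends outside this hunk.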