Adding tenant_id to policy default

The policy engine already automatically sets the target project_id;
some policy files use tenant_id instead. See recent neutron policy
file. Also adding tenant_id to the credential list that is
populated.

Why this matters is that batch actions don't have data associated
with them when the policy checks are made, so policy files that
use tenant_id instead of project_id will fail.

Closes-Bug: #1598242
Change-Id: I1b7c5c545852e76cbd46ece003ee9bbb0c19fdec
David Lyle
2016-07-01 10:16:33 -06:00
parent 0afe75fabc
commit ac1ff6068b

@@ -121,6 +121,8 @@ def check(actions, request, target=None):
# the service APIs will correct us if we are too permissive.
if target.get('project_id') is None:
target['project_id'] = user.project_id
if target.get('tenant_id') is None:
target['tenant_id'] = target['project_id']
# same for user_id
if target.get('user_id') is None:
target['user_id'] = user.id
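
Review bot: the new tenant_id default in check() is one-directional: it copies target['project_id'] into tenant_id, but a target that arrives with tenant_id set and no project_id still gets project_id from user.project_id, so the two keys can carry different values in the same policy check. Consider defaulting project_id from an existing tenant_id before falling back to user.project_id, or state in the comment above that tenant_id is treated as an alias of project_id here. A test that calls check() with an empty target against a rule written with tenant_id would pin down the batch-action case the commit message describes.
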
@@ -187,6 +189,7 @@ def _user_to_credentials(user):
'token': user.token,
'username': user.username,
'project_id': user.project_id,
'tenant_id': user.project_id,
'project_name': user.project_name,
'domain_id': user.user_domain_id,
'is_admin': user.is_superuser,
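
Review bot: the 'tenant_id': user.project_id entry in _user_to_credentials carries no comment saying it is a deliberate alias for policy files that use tenant_id, so it reads like a duplicate of the 'project_id' entry and could be dropped in a later cleanup; a one-line comment next to it would prevent that. The neighbouring 'project_name' entry gets no matching alias, so it is worth confirming whether any policy file refers to the name under the older tenant naming.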