
Use is_admin_project from context

Now that oslo.context has been bumped to >=2.6.0,
we can use `is_admin_project` from the context which
is backward compatible.

This also adds a new rule `project_admin` to make
resource types accessible in line with the current policy
of other services like nova, which are yet to use the
`is_admin_project` feature. Once those services start
using the is_admin_project feature, we can remove this.

Change-Id: I5be8176042f8839e86f77984222e7fac66dfaed6
Related-Bug: #1466694
changes/08/333308/6
Rabi Mishra 5 years ago
parent
commit
168a7797e5
  1. 17
      etc/heat/policy.json

17
etc/heat/policy.json

@ -1,5 +1,6 @@
{
"context_is_admin": "role:admin and auth_token_info.token.is_admin_project:True",
"context_is_admin": "role:admin and is_admin_project:True",
"project_admin": "role:admin",
"deny_stack_user": "not role:heat_stack_user",
"deny_everybody": "!",
@ -83,11 +84,11 @@
"service:index": "rule:context_is_admin",
"resource_types:OS::Nova::Flavor": "rule:context_is_admin",
"resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
"resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
"resource_types:OS::Manila::ShareType": "rule:context_is_admin",
"resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
"resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
"resource_types:OS::Nova::Flavor": "rule:project_admin",
"resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin",
"resource_types:OS::Cinder::VolumeType": "rule:project_admin",
"resource_types:OS::Manila::ShareType": "rule:project_admin",
"resource_types:OS::Neutron::QoSPolicy": "rule:project_admin",
"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin",
"resource_types:OS::Nova::HostAggregate": "rule:project_admin"
}
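Review bot: The new `project_admin` rule is only `role:admin` with no project match, so the seven `resource_types:*` entries in the second hunk are now granted to a user holding admin on any project, not just to the admin project that `context_is_admin` requires. The commit message describes this as a temporary alignment with services such as nova, but policy.json cannot carry a comment, so nothing in the file marks the rule as interim or says when to revert it. I would record that in a release note or the policy documentation, and mention that deployments with an admin project configured can set these entries back to `rule:context_is_admin`. Separately, oslo.context appears to default `is_admin_project` to True when the token does not carry the flag, so where no admin project is configured in keystone `context_is_admin` would also reduce to `role:admin`; that is worth stating in the same place.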