185f28a3b4
This change updates the default policies implemented in Heat, to follow the updated guideline[1] to implement SRBAC.

The main change is that system users are no longer allowed to perform any operations about project-level resources like stacks, while project admin(*1) is still allowed to perform operations about project-level resources BEYOND project (like getting stacks for all projects by list stacks API).

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change

This also adds the test cases to validate reader role which was almost implemented in heat.

(*1) If Keystone has an admin project defined, Heat checks an additional requirement that request context is scoped by that admin project.

Change-Id: I943b3c1ce021cc05445b73fbc342b8386cf5bf6a
7 lines
229 B
YAML
---
features:
  - |
    Heat policies have been modified to isolate the system and project level
    APIs policy. Because of this change, system users will not be allowed to
    perform any operations on project level resources.
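Review bot: The second sentence of this note describes access being taken away from system users, yet the note is filed only under `features:`, so an operator scanning the upgrade section will miss that system-scoped callers lose stack operations after upgrading; consider moving or repeating that sentence under an `upgrade:` section. The note also leaves out two points the commit message makes: that project admin can still operate on project-level resources beyond its own project (such as listing stacks for all projects), and that when Keystone has an admin project defined, Heat additionally requires the request context to be scoped to it. Both matter to anyone auditing who retains cross-project access, so a sentence covering them would help.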