Merge "Add scope_types to domain config policies"

2018-01-27 00:35:55 +00:00 · 2018-01-27 00:35:55 +00:00 · 249316ddfb
commit 249316ddfb
parent 1a0cc370ad a2b9301748
1 changed files with 16 additions and 0 deletions
--- a/keystone/common/policies/domain_config.py
+++ b/keystone/common/policies/domain_config.py
@ -19,6 +19,15 @@ domain_config_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'create_domain_config',
        check_str=base.RULE_ADMIN_REQUIRED,
+        # FIXME(lbragstad): The domain configuration API has traditionally
+        # required system or cloud administrators. If, or when, keystone
+        # implements the ability for project administrator to use these APIs,
+        # then 'project' should be added to scope_types. Adding support for
+        # project or domain administrator to manage their own domain
+        # configuration would be useful and alleviate work for system
+        # administrators, but until we have checks in code that enforce those
+        # checks, let's keep this as a system-level operation.
+        scope_types=['system'],
        description='Create domain configuration.',
        operations=[
            {
@ -30,6 +39,7 @@ domain_config_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'get_domain_config',
        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
        description=('Get the entire domain configuration for a domain, an '
                     'option group within a domain, or a specific '
                     'configuration option within a group for a domain.'),
@ -63,6 +73,9 @@ domain_config_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'get_security_compliance_domain_config',
        check_str='',
+        # This should be accessible to anyone with a valid token, regardless of
+        # system-scope or project-scope.
+        scope_types=['system', 'project'],
        description=('Get security compliance domain configuration for '
                     'either a domain or a specific option in a domain.'),
        operations=[
@ -89,6 +102,7 @@ domain_config_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'update_domain_config',
        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
        description=('Update domain configuration for either a domain, '
                     'specific group or a specific option in a group.'),
        operations=[
@ -109,6 +123,7 @@ domain_config_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'delete_domain_config',
        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
        description=('Delete domain configuration for either a domain, '
                     'specific group or a specific option in a group.'),
        operations=[
@ -129,6 +144,7 @@ domain_config_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'get_domain_config_default',
        check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
        description=('Get domain configuration default for either a domain, '
                     'specific group or a specific option in a group.'),
        operations=[