Merge "Add scope_types to domain config policies"

keystone/common/policies/domain_config.py

@@ -19,6 +19,15 @@ domain_config_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_domain_config',
         check_str=base.RULE_ADMIN_REQUIRED,
+        # FIXME(lbragstad): The domain configuration API has traditionally
+        # required system or cloud administrators. If, or when, keystone
+        # implements the ability for project administrator to use these APIs,
+        # then 'project' should be added to scope_types. Adding support for
+        # project or domain administrator to manage their own domain
+        # configuration would be useful and alleviate work for system
+        # administrators, but until we have checks in code that enforce those
+        # checks, let's keep this as a system-level operation.
+        scope_types=['system'],
         description='Create domain configuration.',
         operations=[
             {
@@ -30,6 +39,7 @@ domain_config_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_domain_config',
         check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
         description=('Get the entire domain configuration for a domain, an '
                      'option group within a domain, or a specific '
                      'configuration option within a group for a domain.'),
@@ -63,6 +73,9 @@ domain_config_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_security_compliance_domain_config',
         check_str='',
+        # This should be accessible to anyone with a valid token, regardless of
+        # system-scope or project-scope.
+        scope_types=['system', 'project'],
         description=('Get security compliance domain configuration for '
                      'either a domain or a specific option in a domain.'),
         operations=[
@@ -89,6 +102,7 @@ domain_config_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_domain_config',
         check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
         description=('Update domain configuration for either a domain, '
                      'specific group or a specific option in a group.'),
         operations=[
@@ -109,6 +123,7 @@ domain_config_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_domain_config',
         check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
         description=('Delete domain configuration for either a domain, '
                      'specific group or a specific option in a group.'),
         operations=[
@@ -129,6 +144,7 @@ domain_config_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_domain_config_default',
         check_str=base.RULE_ADMIN_REQUIRED,
+        scope_types=['system'],
         description=('Get domain configuration default for either a domain, '
                      'specific group or a specific option in a group.'),
         operations=[