From d42607e113d7ec7ee7498cc1a387bd448206d80a Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Fri, 29 Mar 2024 23:32:48 +0900
Subject: [PATCH] Allow domain admin to view roles
Domain admins are allowed to assign roles. So it should be allowed to view roles. Note that protection job is made non-voting until the domain admin role test cases are updated.
Closes-Bug: #2059780
Change-Id: Ifc25cf32ffcdb3b8a62d6741bc38e14bca0d7763
(cherry picked from commit 522627de3c66113d03019122735cdfc3e0d245c8)
---
 .zuul.yaml | 18 +++++++++---------
 keystone/common/policies/role.py | 4 ++--
 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/.zuul.yaml b/.zuul.yaml
index b02bb766db..5cbc36a1cd 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -20,16 +20,16 @@
 - openstack/keystone-tempest-plugin
 vars:
 tox_envlist: all
- tempest_test_regex: 'keystone_tempest_plugin'
+ tempest_test_regex: "keystone_tempest_plugin"
 devstack_localrc:
- TEMPEST_PLUGINS: '/opt/stack/keystone-tempest-plugin'
+ TEMPEST_PLUGINS: "/opt/stack/keystone-tempest-plugin"
 - job:
 name: keystone-dsvm-py3-functional
 parent: keystone-dsvm-functional
 vars:
 devstack_localrc:
- TEMPEST_PLUGINS: '/opt/stack/keystone-tempest-plugin'
+ TEMPEST_PLUGINS: "/opt/stack/keystone-tempest-plugin"
 USE_PYTHON3: True
 - job:
@@ -40,7 +40,7 @@
 Functional testing for a FIPS enabled Centos 9 system
 pre-run: playbooks/enable-fips.yaml
 vars:
- nslookup_target: 'opendev.org'
+ nslookup_target: "opendev.org"
 - job:
 name: keystone-dsvm-py3-functional-federation-ubuntu-jammy
@@ -48,7 +48,7 @@
 nodeset: openstack-single-node-jammy
 vars:
 devstack_localrc:
- TEMPEST_PLUGINS: '/opt/stack/keystone-tempest-plugin'
+ TEMPEST_PLUGINS: "/opt/stack/keystone-tempest-plugin"
 USE_PYTHON3: True
 devstack_services:
 keystone-saml2-federation: true
@@ -82,8 +82,8 @@
 parent: devstack-tempest
 vars:
 devstack_localrc:
- KEYSTONE_CLEAR_LDAP: 'yes'
- LDAP_PASSWORD: 'nomoresecret'
+ KEYSTONE_CLEAR_LDAP: "yes"
+ LDAP_PASSWORD: "nomoresecret"
 USE_PYTHON3: True
 devstack_services:
 ldap: true
@@ -135,9 +135,9 @@
 parent: keystone-dsvm-functional
 vars:
 devstack_localrc:
- TEMPEST_PLUGINS: '/opt/stack/keystone-tempest-plugin'
+ TEMPEST_PLUGINS: "/opt/stack/keystone-tempest-plugin"
 USE_PYTHON3: True
- OS_CACERT: '/opt/stack/data/ca_bundle.pem'
+ OS_CACERT: "/opt/stack/data/ca_bundle.pem"
 devstack_services:
 tls-proxy: true
 keystone-oidc-federation: true
diff --git a/keystone/common/policies/role.py b/keystone/common/policies/role.py
index 0dbd793e93..a5ebd2647f 100644
--- a/keystone/common/policies/role.py
+++ b/keystone/common/policies/role.py
@@ -85,7 +85,7 @@ role_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_role',
 check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
- scope_types=['system', 'project'],
+ scope_types=['system', 'domain', 'project'],
 description='Show role details.',
 operations=[{'path': '/v3/roles/{role_id}',
 'method': 'GET'},
@@ -95,7 +95,7 @@ role_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_roles',
 check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
- scope_types=['system', 'project'],
+ scope_types=['system', 'domain', 'project'],
 description='List roles.',
 operations=[{'path': '/v3/roles',
 'method': 'GET'},
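Review bot: In the `get_role` hunk, and identically in the `list_roles` hunk, `scope_types` now admits domain-scoped tokens while `check_str` stays `base.RULE_ADMIN_OR_SYSTEM_READER`, so who actually gains read access is decided by a rule whose definition is not visible in this patch. If that rule reduces to an admin-role check with no domain constraint, any domain admin can read every role these two policies cover; that looks intended but is not stated next to the code. I would add a comment above each entry such as `# 'domain' scope: domain admins can assign roles, so they must be able to read them (bug 2059780)`. The patch touches only `.zuul.yaml` and `role.py`, and the description says the protection tests are not yet updated, so nothing here pins the new boundary; a unit test asserting that a domain admin is allowed and a domain reader or member is still denied on both operations would do that. The `role_policies` list starts and ends outside both hunks.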