Change get_project permission

Previously, to issue GET /project, a user needed
at least project_admin level of permission. With
this change, a user can issue GET /project by just
having a role on the project.

Change-Id: I9d23edc22eb88d0b21ab8968dfbe63661220a6fd
Closes-Bug: 1535878
Ajaya Agrawal 2016-01-20 08:41:33 +00:00 committed by Samuel de Medeiros Queiroz
parent 1053b63e8c
commit 38e115d385
4 changed files with 20 additions and 7 deletions


@ -34,7 +34,7 @@
"identity:update_domain": "rule:admin_required",
"identity:delete_domain": "rule:admin_required",
"identity:get_project": "rule:admin_required",
"identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
"identity:list_projects": "rule:admin_required",
"identity:list_user_projects": "rule:admin_or_owner",
"identity:create_project": "rule:admin_required",
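Review bot: The new `identity:get_project` rule grants access on the scope of the calling token (`project_id:%(target.project.id)s` compares the token's project_id with the target project), not on the caller "having a role on the project" as the commit message and release note put it; a user who holds a role on the project but authenticates with a token scoped elsewhere, or unscoped, is still refused, which is the tighter and presumably intended behaviour but should be stated as such. Since JSON policy files take no comments, I would fix the wording in the description and release note, e.g. `a user can issue GET /projects/{id} with a token scoped to that project`. The same applies to the `project_id:%(target.project.id)s` clause added to the v3cloudsample rule in the second file. The rule also relies on `target.project` being populated for this action, which the v3cloudsample file's existing `admin_and_matching_target_project_id` rule already assumed, so that is not new; what is new is that every project-scoped caller can now read the project representation, and the release note would benefit from saying so explicitly.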


@ -37,8 +37,7 @@
"admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
"admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
"admin_and_matching_target_project_id": "rule:admin_required and project_id:%(target.project.id)s",
"identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or rule:admin_and_matching_target_project_id",
"identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
"identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
"identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
"identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",


@ -1384,17 +1384,23 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
self.delete('/auth/tokens', token=admin_token,
headers={'X-Subject-Token': user_token})
def test_project_admin_get_project(self):
def test_user_with_a_role_get_project(self):
user_auth = self.build_authentication_request(
user_id=self.just_a_user['id'],
password=self.just_a_user['password'],
project_id=self.project['id'])
self.get('/projects/%s' % self.project['id'], auth=user_auth,
# Test user can get project for one they have a role in
self.get('/projects/%s' % self.project['id'], auth=user_auth)
# Test user can not get project for one they don't have a role in,
# even if they have a role on another project
project2 = unit.new_project_ref(domain_id=self.domainA['id'])
self.resource_api.create_project(project2['id'], project2)
self.get('/projects/%s' % project2['id'], auth=user_auth,
expected_status=exception.ForbiddenAction.code)
# Now, authenticate with a user that does have the project
# admin role
def test_project_admin_get_project(self):
admin_auth = self.build_authentication_request(
user_id=self.project_admin_user['id'],
password=self.project_admin_user['password'],
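Review bot: `test_user_with_a_role_get_project` covers a token scoped to `self.project` against that project and against `project2`, but not the case the new `project_id:%(target.project.id)s` clause most directly decides: `self.just_a_user` holding a role on `self.project` while authenticating with a token that is not scoped to it (an unscoped token from `self.build_authentication_request(user_id=self.just_a_user['id'], password=self.just_a_user['password'])`), which should also yield `expected_status=exception.ForbiddenAction.code`. Adding that request would pin the rule's semantics rather than only the allow path and the unrelated-project path. The `project2` check depends on `just_a_user` having no assignment there, which holds because the project is created fresh in the test, so that part is sound. Both test methods run past the hunk; the body of `test_project_admin_get_project` is cut off here.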


@ -0,0 +1,8 @@
---
fixes:
- >
[`bug 1535878 <https://bugs.launchpad.net/keystone/+bug/1535878>`_]
Originally, to perform GET /projects/{project_id}, the provided policy
files required a user to have at least project admin level of permission.
They have been updated to allow it to be performed by any user who has a
role on the project.