Allow domain users to manage credentials

Credentials are associated with users so there is no reason we prevent domain users from accessing the resources. In some services like heat domain admin is used to generate keystone credentials and loosing the scope check is required to continue supporting such use case. Closes-Bug: #2062045 Change-Id: I140b302d879ce1cc1f8d8de9e666cc74278a977f
2024-04-18 03:12:19 +09:00 · 2024-04-18 03:12:19 +09:00 · 5ead95ffcc
parent 522627de3c
commit 5ead95ffcc
1 changed files with 5 additions and 5 deletions
--- a/keystone/common/policies/credential.py
+++ b/keystone/common/policies/credential.py
@ -55,7 +55,7 @@ credential_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'get_credential',
        check_str=base.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER,
-        scope_types=['system', 'project'],
+        scope_types=['system', 'domain', 'project'],
        description='Show credentials details.',
        operations=[{'path': '/v3/credentials/{credential_id}',
                     'method': 'GET'}],
@ -64,7 +64,7 @@ credential_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_credentials',
        check_str=base.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER,
-        scope_types=['system', 'project'],
+        scope_types=['system', 'domain', 'project'],
        description='List credentials.',
        operations=[{'path': '/v3/credentials',
                     'method': 'GET'}],
@ -73,7 +73,7 @@ credential_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'create_credential',
        check_str=base.ADMIN_OR_CRED_OWNER,
-        scope_types=['system', 'project'],
+        scope_types=['system', 'domain', 'project'],
        description='Create credential.',
        operations=[{'path': '/v3/credentials',
                     'method': 'POST'}],
@ -82,7 +82,7 @@ credential_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'update_credential',
        check_str=base.ADMIN_OR_CRED_OWNER,
-        scope_types=['system', 'project'],
+        scope_types=['system', 'domain', 'project'],
        description='Update credential.',
        operations=[{'path': '/v3/credentials/{credential_id}',
                     'method': 'PATCH'}],
@ -91,7 +91,7 @@ credential_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'delete_credential',
        check_str=base.ADMIN_OR_CRED_OWNER,
-        scope_types=['system', 'project'],
+        scope_types=['system', 'domain', 'project'],
        description='Delete credential.',
        operations=[{'path': '/v3/credentials/{credential_id}',
                     'method': 'DELETE'}],