diff --git a/keystone/common/policies/credential.py b/keystone/common/policies/credential.py
index 41d49f6577..84a62d7ea3 100644
--- a/keystone/common/policies/credential.py
+++ b/keystone/common/policies/credential.py
@@ -55,7 +55,7 @@ credential_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_credential',
 check_str=base.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER,
- scope_types=['system', 'project'],
+ scope_types=['system', 'domain', 'project'],
 description='Show credentials details.',
 operations=[{'path': '/v3/credentials/{credential_id}',
 'method': 'GET'}],
@@ -64,7 +64,7 @@ credential_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_credentials',
 check_str=base.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER,
- scope_types=['system', 'project'],
+ scope_types=['system', 'domain', 'project'],
 description='List credentials.',
 operations=[{'path': '/v3/credentials',
 'method': 'GET'}],
@@ -73,7 +73,7 @@ credential_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_credential',
 check_str=base.ADMIN_OR_CRED_OWNER,
- scope_types=['system', 'project'],
+ scope_types=['system', 'domain', 'project'],
 description='Create credential.',
 operations=[{'path': '/v3/credentials',
 'method': 'POST'}],
@@ -82,7 +82,7 @@ credential_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_credential',
 check_str=base.ADMIN_OR_CRED_OWNER,
- scope_types=['system', 'project'],
+ scope_types=['system', 'domain', 'project'],
 description='Update credential.',
 operations=[{'path': '/v3/credentials/{credential_id}',
 'method': 'PATCH'}],
@@ -91,7 +91,7 @@ credential_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_credential',
 check_str=base.ADMIN_OR_CRED_OWNER,
- scope_types=['system', 'project'],
+ scope_types=['system', 'domain', 'project'],
 description='Delete credential.',
 operations=[{'path': '/v3/credentials/{credential_id}',
 'method': 'DELETE'}],
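Review bot: The `check_str` on `get_credential` stays as it was while `scope_types` gains `'domain'`, so for domain-scoped tokens the check string becomes the only gate; the same holds for the list, create, update and delete rules in the four hunks that follow. The definitions of `base.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER` and `base.ADMIN_OR_CRED_OWNER` are not in this diff; if their admin branch matches the admin role regardless of token scope, a domain-scoped admin token would now satisfy it for credentials owned by users in any domain. I would confirm that in the `base` module and state the intent beside each rule, e.g. `# 'domain' lets domain-scoped users manage their own credentials; it grants no domain-wide access`. Tests using domain-scoped admin, member and reader tokens against another user's credential would pin this down; none are visible in this diff. Each rule's `DocumentedRuleDefault(...)` call continues past the end of its hunk.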
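Review bot: For `list_credentials` the owner part of `base.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER` presumably has no single credential to compare against on a collection GET, so what a domain-scoped caller gets back depends on filtering done outside this policy file. That code is not in the diff; it is worth confirming that a domain-scoped non-admin token is returned only its own credentials now that the scope check admits it. A test asserting the list result for such a token would document the expected behaviour.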