From 5ead95ffcc597517feed53170e2d2f77cdd311a1 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Thu, 18 Apr 2024 03:12:19 +0900
Subject: [PATCH] Allow domain users to manage credentials

Credentials are associated with users so there is no reason we prevent domain users from accessing the resources. In some services like heat domain admin is used to generate keystone credentials and loosing the scope check is required to continue supporting such use case.

Closes-Bug: #2062045
Change-Id: I140b302d879ce1cc1f8d8de9e666cc74278a977f
---
 keystone/common/policies/credential.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/keystone/common/policies/credential.py b/keystone/common/policies/credential.py
index 41d49f6577..84a62d7ea3 100644
--- a/keystone/common/policies/credential.py
+++ b/keystone/common/policies/credential.py
@@ -55,7 +55,7 @@ credential_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'get_credential',
 check_str=base.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER,
- scope_types=['system', 'project'],
+ scope_types=['system', 'domain', 'project'],
 description='Show credentials details.',
 operations=[{'path': '/v3/credentials/{credential_id}',
 'method': 'GET'}],
@@ -64,7 +64,7 @@ credential_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_credentials',
 check_str=base.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER,
- scope_types=['system', 'project'],
+ scope_types=['system', 'domain', 'project'],
 description='List credentials.',
 operations=[{'path': '/v3/credentials',
 'method': 'GET'}],
@@ -73,7 +73,7 @@ credential_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_credential',
 check_str=base.ADMIN_OR_CRED_OWNER,
- scope_types=['system', 'project'],
+ scope_types=['system', 'domain', 'project'],
 description='Create credential.',
 operations=[{'path': '/v3/credentials',
 'method': 'POST'}],
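Review bot: Adding 'domain' to scope_types only widens which token scopes pass the scope check; the check_str on each rule (ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER here, ADMIN_OR_CRED_OWNER for create_credential and for the update/delete hunks at @@ -82 and @@ -91) is unchanged, so what a domain-scoped admin is actually allowed to do is decided entirely by those rule definitions in base, which are not in this diff. Nothing in the hunks ties a domain-scoped caller to users of its own domain: the only target attribute these rules can see is target.credential.user_id, so unless the base rules already confine it, a domain admin of one domain would be able to create, update or delete credentials belonging to users of any other domain — please confirm against base and, if that confinement is intended, add it there rather than relying on scope_types alone. A protection test exercising a domain-scoped token against a credential owned by a user in a different domain would pin the intended behaviour for all five rules. The credential_policies list these rules belong to starts and ends outside the hunks.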
@@ -82,7 +82,7 @@ credential_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_credential',
 check_str=base.ADMIN_OR_CRED_OWNER,
- scope_types=['system', 'project'],
+ scope_types=['system', 'domain', 'project'],
 description='Update credential.',
 operations=[{'path': '/v3/credentials/{credential_id}',
 'method': 'PATCH'}],
@@ -91,7 +91,7 @@ credential_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_credential',
 check_str=base.ADMIN_OR_CRED_OWNER,
- scope_types=['system', 'project'],
+ scope_types=['system', 'domain', 'project'],
 description='Delete credential.',
 operations=[{'path': '/v3/credentials/{credential_id}',
 'method': 'DELETE'}],