diff --git a/keystone/common/policies/grant.py b/keystone/common/policies/grant.py
index 7aacace138..0a9b187f3d 100644
--- a/keystone/common/policies/grant.py
+++ b/keystone/common/policies/grant.py
@@ -59,6 +59,13 @@ grant_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'check_grant',
 check_str=base.RULE_ADMIN_REQUIRED,
+ # FIXME(lbragstad): A system administrator should be able to grant role
+ # assignments from any actor to any target in the deployment. Domain
+ # administrators should only be able to grant access to the domain they
+ # administer or projects within that domain. Once keystone is smart
+ # enough to enforce those checks in code, we can add 'project' to the
+ # list of scope_types below.
+ scope_types=['system'],
 description=('Check a role grant between a target and an actor. A '
 'target can be either a domain or a project. An actor '
 'can be either a user or a group. These terms also apply '
@@ -69,6 +76,9 @@ grant_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'list_grants',
 check_str=base.RULE_ADMIN_REQUIRED,
+ # FIXME(lbragstad): See the above comment about scope_types before
+ # adding 'project' to scope_types below.
+ scope_types=['system'],
 description=('List roles granted to an actor on a target. A target '
 'can be either a domain or a project. An actor can be '
 'either a user or a group. For the OS-INHERIT APIs, it '
@@ -79,6 +89,9 @@ grant_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_grant',
 check_str=base.RULE_ADMIN_REQUIRED,
+ # FIXME(lbragstad): See the above comment about scope_types before
+ # adding 'project' to scope_types below.
+ scope_types=['system'],
 description=('Create a role grant between a target and an actor. A '
 'target can be either a domain or a project. An actor '
 'can be either a user or a group. These terms also apply '
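Review bot: The `scope_types=['system']` added to check_grant (and likewise in the list_grants, create_grant and revoke_grant hunks, the last of which is on the following line) only takes effect when oslo.policy's `[oslo_policy] enforce_scope` option is enabled; until then these rules are still decided by `check_str` alone, so the FIXME should say so rather than let a reader assume domain- or project-scoped callers are now excluded. I would extend the first FIXME with a sentence such as `# Note: scope_types is only enforced with [oslo_policy] enforce_scope=True; without it these rules are still decided by RULE_ADMIN_REQUIRED alone.` The three later FIXMEs refer to "the above comment" by position, which silently breaks if the list is reordered; naming the rule, e.g. `# FIXME(lbragstad): See the scope_types comment on 'check_grant' before adding 'project' to scope_types below.`, keeps the reference stable. The enclosing grant_policies list starts and ends outside every hunk.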
@@ -89,6 +102,9 @@ grant_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'revoke_grant',
 check_str=base.RULE_ADMIN_REQUIRED,
+ # FIXME(lbragstad): See the above comment about scope_types before
+ # adding 'project' to scope_types below.
+ scope_types=['system'],
 description=('Revoke a role grant between a target and an actor. A '
 'target can be either a domain or a project. An actor '
 'can be either a user or a group. These terms also apply '