Simplify rule in sample v3 policy file

Remove redundant rule:cloud_admin from list_role_assignment rule in sample v3 policy file. Closes-Bug: #1485104 Change-Id: I0b65585c675c5b249d92cdce412efa7f3ac3c41b
2015-08-13 23:49:40 -07:00 · 2015-08-13 23:49:40 -07:00 · 85b8158395
parent 0ca655f9c2
commit 85b8158395
1 changed files with 3 additions and 3 deletions
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -89,9 +89,9 @@
    "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
    "identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",

-    "admin_on_domain_filter" : "rule:cloud_admin or (rule:admin_required and domain_id:%(scope.domain.id)s)",
-    "admin_on_project_filter" : "rule:cloud_admin or (rule:admin_required and project_id:%(scope.project.id)s)",
-    "identity:list_role_assignments": "rule:admin_on_domain_filter or rule:admin_on_project_filter",
+    "admin_on_domain_filter" : "rule:admin_required and domain_id:%(scope.domain.id)s",
+    "admin_on_project_filter" : "rule:admin_required and project_id:%(scope.project.id)s",
+    "identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",

    "identity:get_policy": "rule:cloud_admin",
    "identity:list_policies": "rule:cloud_admin",