Allow domain users to manage credentials
Credentials are associated with users, so there is no reason to prevent
domain users from accessing the resources. In some services, such as heat,
a domain admin is used to generate keystone credentials, and loosening
the scope check is required to continue supporting such a use case.
Closes-Bug: #2062045
Change-Id: I140b302d879ce1cc1f8d8de9e666cc74278a977f
(cherry picked from commit 5ead95ffcc
)
parent
286e44cd19
commit
a13bec662e
@ -55,7 +55,7 @@ credential_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'get_credential',
|
||||
check_str=base.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER,
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['system', 'domain', 'project'],
|
||||
description='Show credentials details.',
|
||||
operations=[{'path': '/v3/credentials/{credential_id}',
|
||||
'method': 'GET'}],
|
||||
@ -64,7 +64,7 @@ credential_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'list_credentials',
|
||||
check_str=base.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER,
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['system', 'domain', 'project'],
|
||||
description='List credentials.',
|
||||
operations=[{'path': '/v3/credentials',
|
||||
'method': 'GET'}],
|
||||
@ -73,7 +73,7 @@ credential_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'create_credential',
|
||||
check_str=base.ADMIN_OR_CRED_OWNER,
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['system', 'domain', 'project'],
|
||||
description='Create credential.',
|
||||
operations=[{'path': '/v3/credentials',
|
||||
'method': 'POST'}],
|
||||
@ -82,7 +82,7 @@ credential_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'update_credential',
|
||||
check_str=base.ADMIN_OR_CRED_OWNER,
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['system', 'domain', 'project'],
|
||||
description='Update credential.',
|
||||
operations=[{'path': '/v3/credentials/{credential_id}',
|
||||
'method': 'PATCH'}],
|
||||
@ -91,7 +91,7 @@ credential_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'delete_credential',
|
||||
check_str=base.ADMIN_OR_CRED_OWNER,
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['system', 'domain', 'project'],
|
||||
description='Delete credential.',
|
||||
operations=[{'path': '/v3/credentials/{credential_id}',
|
||||
'method': 'DELETE'}],
|
||||
|
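Review bot: Accepting `'domain'` in `scope_types` for `create_credential`, `update_credential` and `delete_credential` (hunks at -73, -82 and -91) leaves `check_str=base.ADMIN_OR_CRED_OWNER` as the only gate for domain-scoped tokens, and nothing visible in these hunks ties the target credential's owner to the token's domain. The check strings are defined outside this page, so this is inferred from their names: if the admin branch is a plain role check, a domain-scoped admin may be able to change or delete credentials that belong to users in another domain. Unless it is already covered elsewhere in the change, add a policy test that uses a domain-scoped admin token against a credential owned by a user in a different domain and pins the expected result, with a matching case for `get_credential` and `list_credentials` (hunks at -55 and -64), whose results also depend on filtering done outside this file. A comment beside each changed line such as `# domain scope accepted; ownership is enforced only by check_str` would make that reliance explicit. The `credential_policies` list starts and ends outside the hunks shown.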