Allow domain admin to view roles
Domain admins are allowed to assign roles, so they should also be allowed to view roles. Note that the protection job is made non-voting until the domain admin role test cases are updated. Closes-Bug: #2059780 Change-Id: Ifc25cf32ffcdb3b8a62d6741bc38e14bca0d7763 (cherry picked from commit 522627de3c) (cherry picked from commit d42607e113) (cherry picked from commit f519bcedfb)
parent
46f66b8ac4
commit
b6c20d912b
18
.zuul.yaml
18
.zuul.yaml
@ -20,16 +20,16 @@
|
|||||||
- openstack/keystone-tempest-plugin
|
- openstack/keystone-tempest-plugin
|
||||||
vars:
|
vars:
|
||||||
tox_envlist: all
|
tox_envlist: all
|
||||||
tempest_test_regex: 'keystone_tempest_plugin'
|
tempest_test_regex: "keystone_tempest_plugin"
|
||||||
devstack_localrc:
|
devstack_localrc:
|
||||||
TEMPEST_PLUGINS: '/opt/stack/keystone-tempest-plugin'
|
TEMPEST_PLUGINS: "/opt/stack/keystone-tempest-plugin"
|
||||||
|
|
||||||
- job:
|
- job:
|
||||||
name: keystone-dsvm-py3-functional
|
name: keystone-dsvm-py3-functional
|
||||||
parent: keystone-dsvm-functional
|
parent: keystone-dsvm-functional
|
||||||
vars:
|
vars:
|
||||||
devstack_localrc:
|
devstack_localrc:
|
||||||
TEMPEST_PLUGINS: '/opt/stack/keystone-tempest-plugin'
|
TEMPEST_PLUGINS: "/opt/stack/keystone-tempest-plugin"
|
||||||
USE_PYTHON3: True
|
USE_PYTHON3: True
|
||||||
|
|
||||||
- job:
|
- job:
|
||||||
@ -40,7 +40,7 @@
|
|||||||
Functional testing for a FIPS enabled Centos 9 system
|
Functional testing for a FIPS enabled Centos 9 system
|
||||||
pre-run: playbooks/enable-fips.yaml
|
pre-run: playbooks/enable-fips.yaml
|
||||||
vars:
|
vars:
|
||||||
nslookup_target: 'opendev.org'
|
nslookup_target: "opendev.org"
|
||||||
|
|
||||||
- job:
|
- job:
|
||||||
name: keystone-dsvm-functional-federation-opensuse15
|
name: keystone-dsvm-functional-federation-opensuse15
|
||||||
@ -82,7 +82,7 @@
|
|||||||
nodeset: openstack-single-node-focal
|
nodeset: openstack-single-node-focal
|
||||||
vars:
|
vars:
|
||||||
devstack_localrc:
|
devstack_localrc:
|
||||||
TEMPEST_PLUGINS: '/opt/stack/keystone-tempest-plugin'
|
TEMPEST_PLUGINS: "/opt/stack/keystone-tempest-plugin"
|
||||||
USE_PYTHON3: True
|
USE_PYTHON3: True
|
||||||
devstack_services:
|
devstack_services:
|
||||||
keystone-saml2-federation: true
|
keystone-saml2-federation: true
|
||||||
@ -116,8 +116,8 @@
|
|||||||
parent: devstack-tempest
|
parent: devstack-tempest
|
||||||
vars:
|
vars:
|
||||||
devstack_localrc:
|
devstack_localrc:
|
||||||
KEYSTONE_CLEAR_LDAP: 'yes'
|
KEYSTONE_CLEAR_LDAP: "yes"
|
||||||
LDAP_PASSWORD: 'nomoresecret'
|
LDAP_PASSWORD: "nomoresecret"
|
||||||
USE_PYTHON3: True
|
USE_PYTHON3: True
|
||||||
devstack_services:
|
devstack_services:
|
||||||
ldap: true
|
ldap: true
|
||||||
@ -153,9 +153,9 @@
|
|||||||
parent: keystone-dsvm-functional
|
parent: keystone-dsvm-functional
|
||||||
vars:
|
vars:
|
||||||
devstack_localrc:
|
devstack_localrc:
|
||||||
TEMPEST_PLUGINS: '/opt/stack/keystone-tempest-plugin'
|
TEMPEST_PLUGINS: "/opt/stack/keystone-tempest-plugin"
|
||||||
USE_PYTHON3: True
|
USE_PYTHON3: True
|
||||||
OS_CACERT: '/opt/stack/data/ca_bundle.pem'
|
OS_CACERT: "/opt/stack/data/ca_bundle.pem"
|
||||||
devstack_services:
|
devstack_services:
|
||||||
tls-proxy: true
|
tls-proxy: true
|
||||||
keystone-oidc-federation: true
|
keystone-oidc-federation: true
|
||||||
|
@ -85,7 +85,7 @@ role_policies = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_role',
|
name=base.IDENTITY % 'get_role',
|
||||||
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
|
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'domain', 'project'],
|
||||||
description='Show role details.',
|
description='Show role details.',
|
||||||
operations=[{'path': '/v3/roles/{role_id}',
|
operations=[{'path': '/v3/roles/{role_id}',
|
||||||
'method': 'GET'},
|
'method': 'GET'},
|
||||||
@ -95,7 +95,7 @@ role_policies = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_roles',
|
name=base.IDENTITY % 'list_roles',
|
||||||
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
|
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'domain', 'project'],
|
||||||
description='List roles.',
|
description='List roles.',
|
||||||
operations=[{'path': '/v3/roles',
|
operations=[{'path': '/v3/roles',
|
||||||
'method': 'GET'},
|
'method': 'GET'},
|
||||||
|
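Review bot: Both `scope_types` changes (`identity:get_role` and `identity:list_roles`) admit domain-scoped tokens while `check_str` stays `base.RULE_ADMIN_OR_SYSTEM_READER`, so which domain-scoped callers get through is decided entirely by that rule, which is defined outside these hunks. The commit message says the protection job is non-voting until the domain admin cases are updated, so this authorization change appears to land without gating coverage. I would add unit tests alongside it asserting that a domain admin can get and list roles and, if that is the intent, that domain reader and member tokens are still refused. A short comment above each entry would also record the reason, e.g. `# 'domain' scope: domain admins can assign roles, so they must be able to read them (bug #2059780)`. The `role_policies` list starts and ends outside the hunks.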