Allow user to get themself and their domain

Current policy.json allows a user to do get_project on their current
project (taken from the token), but does not allow the same for
get_user and get_domain. This extends the behavior to get_user and
get_domain.

This is also necessary for the openstackclient changes under
https://review.openstack.org/#/c/311206/ to work for users and
domains with the default policy file.

Change-Id: Ia20e7f109c7b032be99154c84a80d882b9a77ba3
Closes-Bug: #1561599
Matthew Edmonds 2016-06-23 13:18:46 -04:00
parent 4ac3c86eb6
commit c990ec5c14
3 changed files with 10 additions and 9 deletions


@ -28,7 +28,7 @@
"identity:update_endpoint": "rule:admin_required",
"identity:delete_endpoint": "rule:admin_required",
"identity:get_domain": "rule:admin_required",
"identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s",
"identity:list_domains": "rule:admin_required",
"identity:create_domain": "rule:admin_required",
"identity:update_domain": "rule:admin_required",
@ -41,7 +41,7 @@
"identity:update_project": "rule:admin_required",
"identity:delete_project": "rule:admin_required",
"identity:get_user": "rule:admin_required",
"identity:get_user": "rule:admin_or_owner",
"identity:list_users": "rule:admin_required",
"identity:create_user": "rule:admin_required",
"identity:update_user": "rule:admin_required",
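Review bot: The new `identity:get_domain` value matches only a project-scoped token, because the check reads `token.project.domain.id`; a user holding a domain-scoped token for that same domain would still be refused their own domain, which is the case the commit title describes. If the `domain_id` credential is populated for domain-scoped tokens (the second file's `admin_and_matching_target_user_domain_id` rule already compares against it), the rule could additionally accept `or domain_id:%(target.domain.id)s`. The same applies to the `identity:get_domain` line in the second file's first hunk. As a point of style, `identity:get_user` delegates to a named rule while `identity:get_domain` inlines its match; giving the domain match a named rule would keep the two sample files easier to diff against each other.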


@ -28,7 +28,7 @@
"identity:update_endpoint": "rule:cloud_admin",
"identity:delete_endpoint": "rule:cloud_admin",
"identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id",
"identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",
"identity:list_domains": "rule:cloud_admin",
"identity:create_domain": "rule:cloud_admin",
"identity:update_domain": "rule:cloud_admin",
@ -45,7 +45,7 @@
"admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
"admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",
"identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
"identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id or rule:owner",
"identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
"identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
"identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
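Review bot: The `identity:get_user` line now relies on `rule:owner`, whose definition is not visible in this hunk; a reference to an undeclared rule evaluates as false in oslo.policy, so if `owner` is not already declared in this sample file the self-lookup would silently remain forbidden instead of failing loudly. As far as the test hunks in this commit show, every call that fetches `self.just_a_user['id']` is authenticated as the domain admin or the cloud admin, which passes through the admin alternatives, so neither this `rule:owner` path nor `rule:admin_or_owner` in the first file is exercised positively. A case that authenticates as `just_a_user` and fetches `self.just_a_user['id']` with the default expected status would pin the behaviour the commit is adding.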


@ -688,9 +688,9 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
else:
return (expected_status, expected_status, expected_status)
def _test_user_management(self, domain_id, expected=None):
def _test_user_management(self, user_id, domain_id, expected=None):
status_OK, status_created, status_no_data = self._stati(expected)
entity_url = '/users/%s' % self.just_a_user['id']
entity_url = '/users/%s' % user_id
list_url = '/users?domain_id=%s' % domain_id
self.get(entity_url, auth=self.auth,
@ -861,7 +861,8 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
domain_id=self.domainA['id'])
self._test_user_management(
self.domainA['id'], expected=exception.ForbiddenAction.code)
self.domain_admin_user['id'], self.domainA['id'],
expected=exception.ForbiddenAction.code)
# Now, authenticate with a user that does have the domain admin role
self.auth = self.build_authentication_request(
@ -869,7 +870,7 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
password=self.domain_admin_user['password'],
domain_id=self.domainA['id'])
self._test_user_management(self.domainA['id'])
self._test_user_management(self.just_a_user['id'], self.domainA['id'])
def test_user_management_normalized_keys(self):
"""Illustrate the inconsistent handling of hyphens in keys.
@ -956,7 +957,7 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
password=self.cloud_admin_user['password'],
project_id=self.admin_project['id'])
self._test_user_management(self.domainA['id'])
self._test_user_management(self.just_a_user['id'], self.domainA['id'])
def test_group_management(self):
# First, authenticate with a user that does not have the domain