Allow domain admin to view roles

Domain admins are allowed to assign roles. So it should be allowed to view roles. Note that protection job is made non-voting until the domain admin role test cases are updated. Closes-Bug: #2059780 Change-Id: Ifc25cf32ffcdb3b8a62d6741bc38e14bca0d7763 (cherry picked from commit 522627de3c)
2024-03-29 23:32:48 +09:00 · 2024-03-29 23:32:48 +09:00 · d42607e113
parent 286e44cd19
commit d42607e113
2 changed files with 11 additions and 11 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -20,16 +20,16 @@
      - openstack/keystone-tempest-plugin
    vars:
      tox_envlist: all
-      tempest_test_regex: 'keystone_tempest_plugin'
+      tempest_test_regex: "keystone_tempest_plugin"
      devstack_localrc:
-        TEMPEST_PLUGINS: '/opt/stack/keystone-tempest-plugin'
+        TEMPEST_PLUGINS: "/opt/stack/keystone-tempest-plugin"

 - job:
    name: keystone-dsvm-py3-functional
    parent: keystone-dsvm-functional
    vars:
      devstack_localrc:
-        TEMPEST_PLUGINS: '/opt/stack/keystone-tempest-plugin'
+        TEMPEST_PLUGINS: "/opt/stack/keystone-tempest-plugin"
        USE_PYTHON3: True

 - job:
@ -40,7 +40,7 @@
      Functional testing for a FIPS enabled Centos 9 system
    pre-run: playbooks/enable-fips.yaml
    vars:
-      nslookup_target: 'opendev.org'
+      nslookup_target: "opendev.org"

 - job:
    name: keystone-dsvm-py3-functional-federation-ubuntu-jammy
@ -48,7 +48,7 @@
    nodeset: openstack-single-node-jammy
    vars:
      devstack_localrc:
-        TEMPEST_PLUGINS: '/opt/stack/keystone-tempest-plugin'
+        TEMPEST_PLUGINS: "/opt/stack/keystone-tempest-plugin"
        USE_PYTHON3: True
      devstack_services:
        keystone-saml2-federation: true
@ -82,8 +82,8 @@
    parent: devstack-tempest
    vars:
      devstack_localrc:
-        KEYSTONE_CLEAR_LDAP: 'yes'
-        LDAP_PASSWORD: 'nomoresecret'
+        KEYSTONE_CLEAR_LDAP: "yes"
+        LDAP_PASSWORD: "nomoresecret"
        USE_PYTHON3: True
      devstack_services:
        ldap: true
@ -135,9 +135,9 @@
    parent: keystone-dsvm-functional
    vars:
      devstack_localrc:
-        TEMPEST_PLUGINS: '/opt/stack/keystone-tempest-plugin'
+        TEMPEST_PLUGINS: "/opt/stack/keystone-tempest-plugin"
        USE_PYTHON3: True
-        OS_CACERT: '/opt/stack/data/ca_bundle.pem'
+        OS_CACERT: "/opt/stack/data/ca_bundle.pem"
      devstack_services:
        tls-proxy: true
        keystone-oidc-federation: true
--- a/keystone/common/policies/role.py
+++ b/keystone/common/policies/role.py
@ -85,7 +85,7 @@ role_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'get_role',
        check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
-        scope_types=['system', 'project'],
+        scope_types=['system', 'domain', 'project'],
        description='Show role details.',
        operations=[{'path': '/v3/roles/{role_id}',
                     'method': 'GET'},
@ -95,7 +95,7 @@ role_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_roles',
        check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
-        scope_types=['system', 'project'],
+        scope_types=['system', 'domain', 'project'],
        description='List roles.',
        operations=[{'path': '/v3/roles',
                     'method': 'GET'},