Allow domain admin to view roles

Domain admins are allowed to assign roles. So it should be allowed to
view roles.

Note that protection job is made non-voting until the domain admin role
test cases are updated.

Closes-Bug: #2059780
Change-Id: Ifc25cf32ffcdb3b8a62d6741bc38e14bca0d7763
(cherry picked from commit 522627de3c)
(cherry picked from commit d42607e113)
This commit is contained in:
Takashi Kajinami 2024-03-29 23:32:48 +09:00 committed by David Wilde
parent 4711b36ab5
commit f519bcedfb
2 changed files with 11 additions and 11 deletions

View File

@ -20,16 +20,16 @@
- openstack/keystone-tempest-plugin
vars:
tox_envlist: all
tempest_test_regex: 'keystone_tempest_plugin'
tempest_test_regex: "keystone_tempest_plugin"
devstack_localrc:
TEMPEST_PLUGINS: '/opt/stack/keystone-tempest-plugin'
TEMPEST_PLUGINS: "/opt/stack/keystone-tempest-plugin"
- job:
name: keystone-dsvm-py3-functional
parent: keystone-dsvm-functional
vars:
devstack_localrc:
TEMPEST_PLUGINS: '/opt/stack/keystone-tempest-plugin'
TEMPEST_PLUGINS: "/opt/stack/keystone-tempest-plugin"
USE_PYTHON3: True
- job:
@ -40,7 +40,7 @@
Functional testing for a FIPS enabled Centos 9 system
pre-run: playbooks/enable-fips.yaml
vars:
nslookup_target: 'opendev.org'
nslookup_target: "opendev.org"
- job:
name: keystone-dsvm-functional-federation-opensuse15
@ -82,7 +82,7 @@
nodeset: openstack-single-node-jammy
vars:
devstack_localrc:
TEMPEST_PLUGINS: '/opt/stack/keystone-tempest-plugin'
TEMPEST_PLUGINS: "/opt/stack/keystone-tempest-plugin"
USE_PYTHON3: True
devstack_services:
keystone-saml2-federation: true
@ -116,8 +116,8 @@
parent: devstack-tempest
vars:
devstack_localrc:
KEYSTONE_CLEAR_LDAP: 'yes'
LDAP_PASSWORD: 'nomoresecret'
KEYSTONE_CLEAR_LDAP: "yes"
LDAP_PASSWORD: "nomoresecret"
USE_PYTHON3: True
devstack_services:
ldap: true
@ -169,9 +169,9 @@
parent: keystone-dsvm-functional
vars:
devstack_localrc:
TEMPEST_PLUGINS: '/opt/stack/keystone-tempest-plugin'
TEMPEST_PLUGINS: "/opt/stack/keystone-tempest-plugin"
USE_PYTHON3: True
OS_CACERT: '/opt/stack/data/ca_bundle.pem'
OS_CACERT: "/opt/stack/data/ca_bundle.pem"
devstack_services:
tls-proxy: true
keystone-oidc-federation: true

View File

@ -85,7 +85,7 @@ role_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_role',
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
scope_types=['system', 'domain', 'project'],
description='Show role details.',
operations=[{'path': '/v3/roles/{role_id}',
'method': 'GET'},
@ -95,7 +95,7 @@ role_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_roles',
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
scope_types=['system', 'project'],
scope_types=['system', 'domain', 'project'],
description='List roles.',
operations=[{'path': '/v3/roles',
'method': 'GET'},