09e699baba
Without this change, policy enforcement for the GET /OS-TRUST/trusts/{trust_id}/roles/{role_id} API is hardcoded in the flask dispatcher code. This is a problem because this enforcement can't be controlled by the operator, as is the norm. Moreover, it makes the transition to system-scope and default-roles-aware policies more difficult because there's no sensible migration from "" to a logical role-based check string. This converts the hardcoded enforcement to enforcement via default policies for GET /OS-TRUST/trusts/{trust_id}/roles/{role_id}. The API specifically blocks the is_admin user from using it, and since policies aren't loaded for the is_admin user we need to continue explicitly blocking it. This change does not use the formal oslo.policy deprecation system because "" OR'd with the new default is entirely useless as a policy. Change-Id: Ib5a6a87313aa7b2a73211f512b8a8c675a21b52f Partial-bug: #1818850 Partial-bug: #1818846 |
||
---|---|---|
.. | ||
doctor | ||
__init__.py | ||
bootstrap.py | ||
cli.py | ||
manage.py | ||
status.py |