This change adds test cases for the default roles
keystone supports at install time. It also modifies
the policies for the role_assignments API to be more
self-service by properly checking for scopes if accessed
with a domain-scoped token. This gives domain users the
power to query role assignments within the domain they
have authorization on without exposing other assignment
information in the deployment, domains, or projects.
Subsequent patches will:
- add functionality for domain members
- add functionality for domain admins
- add functionality for project readers
- add functionality for project members
- add functionality for project admins
- remove the obsolete policies from policy.v3cloudsample.json
Co-Authored-By: Lance Bragstad <lbragstad@gmail.com>
Partial-Bug: 1750673
Change-Id: I0c6d202a315d4683e2589f0d9121e93c97fb13e4
(cherry picked from commit 425d48ec0a)