c7a5c6cf27
API policy protection is currently limited to using the parameters passed into the call. However, there are many cases where you want to also check attributes of the entities an API is operating upon. The classic example is ensuring a domain administrator cannot get, update or delete users, groups or projects outside of their domain.

This patch enables lines in the policy file to also refer to any field in the target object of the API call. In addition, it includes a separate sample policy file that shows how to use domains and the new protection ability to provide domain segregation and administration delegation. This sample file is also tested to ensure that such protection works correctly.

DocImpact

Implements bp policy-on-api-target

Change-Id: Ie1a4e14a86d27e8b60e6c17e33dd6b9fa889660c

source
keystone_compat_flows.sdx
Makefile