Change stacks:global_index heat policy to context_is_admin

Rule "context_is_admin" is defined in heat for admin role and heat uses this rule to authorize admin operations. Since default admin context can be updated by heat, we should use the rule: context_is_admin. In newton, heat updated the admin context to admin role with admin tenant in following patch:- https://review.openstack.org/#/c/316627/ Change-Id: Iea6f3a6124e0c4d29801641aff51e385f0399488 Closes-Bug: #1499302
2016-08-06 18:49:07 +05:30 · 2016-08-06 18:49:07 +05:30 · 28d8eca8c1
commit 28d8eca8c1
parent 35bec1887c
2 changed files with 2 additions and 2 deletions
--- a/devstack/lib/magnum
+++ b/devstack/lib/magnum
@ -229,7 +229,7 @@ function create_api_paste_conf {
 function update_heat_policy {
    # enable stacks global_index search so that magnum can use
    # list(global_tenant=True)
-    sed -i 's/\("stacks:global_index":\).*$/\1 "role:admin",/' $HEAT_CONF_DIR/policy.json
+    sed -i 's/\("stacks:global_index":\).*$/\1 "rule:context_is_admin",/' $HEAT_CONF_DIR/policy.json
 }

 # create_magnum_cache_dir() - Part of the init_magnum() process
--- a/doc/source/userguide.rst
+++ b/doc/source/userguide.rst
@ -1675,7 +1675,7 @@ it for Magnum. If you want to enable it nonetheless, proceed as follows:
   .. code-block:: ini

      ...
-      stacks:global_index: "role:admin",
+      stacks:global_index: "rule:context_is_admin",

   Now restart heat.