Make the 'admin' role configurable

Bug 1158434 This patch adds a new policy named 'context_is_admin' which defines an admin user as a collection of roles or else. The quantum context has been updated to check for this policy when setting the is_admin flag. This patch also adds a method for gathering 'admin' roles from policy rules as current logic requires the context to be always populate with the correct roles for admin rules, even when the context is implicitly generated with get_admin_context or context.elevated. Backward compatibility is ensuring by preserving the old behavior if the 'context_is_admin' policy is not found in policy.json Change-Id: I9acea75cca0c47e083a9149e358328ea3ca12d68
2013-04-22 09:44:14 +02:00 · 2013-04-22 09:44:14 +02:00 · f370823614
parent baae326d98
commit f370823614
1 changed files with 4 additions and 3 deletions
--- a/etc/policy.json
+++ b/etc/policy.json
@ -1,7 +1,8 @@
 {
-    "admin_or_owner": "role:admin or tenant_id:%(tenant_id)s",
-    "admin_or_network_owner": "role:admin or tenant_id:%(network_tenant_id)s",
-    "admin_only": "role:admin",
+    "context_is_admin":  "role:admin",
+    "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
+    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network_tenant_id)s",
+    "admin_only": "rule:context_is_admin",
    "regular_user": "",
    "shared": "field:networks:shared=True",
    "external": "field:networks:router:external=True",