Fix API policy rules for new personas
During migration to the new personas in the API policies, we made a few
mistakes and allowed creation of some resources only for the PROJECT_MEMBER
role. It should also be possible for the SYSTEM_ADMIN persona, and this
patch fixes it by adding the SYSTEM_ADMIN persona to the default rules where
it was missing.
Related-blueprint: bp/secure-rbac-roles
Change-Id: I9f8a9f0ae24683458aa3b5f8e49c6f111ccf815a
(cherry picked from commit cabf19a984
)
parent
80e1d8269b
commit
15fee2f573
@ -34,7 +34,7 @@ rules = [
policy.DocumentedRuleDefault(
policy.DocumentedRuleDefault(
name='create_rbac_policy',
name='create_rbac_policy',
check_str=base.PROJECT_MEMBER,
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['system', 'project'],
scope_types=['system', 'project'],
description='Create an RBAC policy',
description='Create an RBAC policy',
operations=[
operations=[
@ -39,7 +39,7 @@ ACTION_GET = [
rules = [
rules = [
policy.DocumentedRuleDefault(
policy.DocumentedRuleDefault(
name='create_router',
name='create_router',
check_str=base.PROJECT_MEMBER,
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
scope_types=['project'],
description='Create a router',
description='Create a router',
operations=ACTION_POST,
operations=ACTION_POST,
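Review bot: `scope_types=['project']` on the create_router rule is left as-is while `check_str` now admits SYSTEM_ADMIN, which is at odds with the other three hunks of this commit, where the rules receiving the same check_str change list both 'project' and 'system'. If scope enforcement is turned on, a system-scoped token is presumably rejected by the scope check before the new check string is even consulted, so the persona this commit intends to enable may still be unable to create routers. Unless the omission is deliberate, the line should read `scope_types=['project', 'system'],`; if it is deliberate, a sentence in the commit description explaining why the router rule stays project-only would spare the next reader the same question. The enclosing rules list continues outside the hunk.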
@ -33,7 +33,7 @@ rules = [
),
),
policy.DocumentedRuleDefault(
policy.DocumentedRuleDefault(
name='create_subnetpool',
name='create_subnetpool',
check_str=base.PROJECT_MEMBER,
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['project', 'system'],
scope_types=['project', 'system'],
description='Create a subnetpool',
description='Create a subnetpool',
operations=[
operations=[
@ -26,7 +26,7 @@ DEPRECATED_REASON = (
rules = [
rules = [
policy.DocumentedRuleDefault(
policy.DocumentedRuleDefault(
name='create_trunk',
name='create_trunk',
check_str=base.PROJECT_MEMBER,
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['project', 'system'],
scope_types=['project', 'system'],
description='Create a trunk',
description='Create a trunk',
operations=[
operations=[