Add missing "system" scope in some of the new API policies
During the migration to the new RBAC policies we made mistakes and we allowed some of the APIs to be available for SYSTEM users but we allowed it only for "project" scope. As we discussed during the PTG, policy in such case should allows to use such API also for the "system" scope tokens. This patch adds it where it was still missing. Partially-Implements blueprint: secure-rbac-roles Change-Id: Icfbd00040834b311e78138cc93e7ab86355e557c
This commit is contained in:
Slawek Kaplonski
parent
ca2091d5a9
commit
47038c27c5
|
|
@ -33,7 +33,7 @@ rules = [
|
||||||
'path': COLLECTION_PATH,
|
'path': COLLECTION_PATH,
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name='create_floatingip',
|
name='create_floatingip',
|
||||||
check_str=base.RULE_ANY,
|
check_str=base.RULE_ANY,
|
||||||
|
|
|
||||||
|
|
@ -46,7 +46,7 @@ rules = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_network',
|
name='create_network',
|
||||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||||
scope_types=['project'],
|
scope_types=['system', 'project'],
|
||||||
description='Create a network',
|
description='Create a network',
|
||||||
operations=ACTION_POST,
|
operations=ACTION_POST,
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
|
|
@ -94,7 +94,7 @@ rules = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_network:port_security_enabled',
|
name='create_network:port_security_enabled',
|
||||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||||
scope_types=['project'],
|
scope_types=['system', 'project'],
|
||||||
description=(
|
description=(
|
||||||
'Specify ``port_security_enabled`` '
|
'Specify ``port_security_enabled`` '
|
||||||
'attribute when creating a network'
|
'attribute when creating a network'
|
||||||
|
|
@ -187,7 +187,7 @@ rules = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_network:router:external',
|
name='get_network:router:external',
|
||||||
check_str=base.SYSTEM_OR_PROJECT_READER,
|
check_str=base.SYSTEM_OR_PROJECT_READER,
|
||||||
scope_types=['project'],
|
scope_types=['system', 'project'],
|
||||||
description='Get ``router:external`` attribute of a network',
|
description='Get ``router:external`` attribute of a network',
|
||||||
operations=ACTION_GET,
|
operations=ACTION_GET,
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
|
|
|
||||||
|
|
@ -212,7 +212,7 @@ rules = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_port:binding:vnic_type',
|
name='create_port:binding:vnic_type',
|
||||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||||
scope_types=['project'],
|
scope_types=['system', 'project'],
|
||||||
description=(
|
description=(
|
||||||
'Specify ``binding:vnic_type`` '
|
'Specify ``binding:vnic_type`` '
|
||||||
'attribute when creating a port'
|
'attribute when creating a port'
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue