Fix new API policies for RBAC
During the migration to the new policies we set the policy for {create,update}_rbac_policy:target_tenant to be allowed for all admin users. That means that PROJECT_ADMIN was able to e.g. create an RBAC policy for an object which belongs to a different tenant. This patch fixes it, as PROJECT_ADMIN should only be able to create or update RBAC policies for its own objects.

Related-blueprint: bp/secure-rbac-roles
Change-Id: Idd8bfd7075bb537cb8f0398a1e513e74f4ac5eef
This commit is contained in:
parent
58c9912be0
commit
de69a55378
@ -53,7 +53,7 @@ rules = [
name='create_rbac_policy:target_tenant',
check_str=base.policy_or(
base.SYSTEM_ADMIN,
'rule:restrict_wildcard'),
'(not field:rbac_policy:target_tenant=*)'),
description='Specify ``target_tenant`` when creating an RBAC policy',
operations=[
{
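Review bot: The new check string `'(not field:rbac_policy:target_tenant=*)'` in this hunk only tightens who may use a wildcard `target_tenant` (now SYSTEM_ADMIN alone, where `rule:restrict_wildcard` previously also admitted admin users); it does not by itself express the "own objects only" restriction the commit message describes, so either the message should state that ownership is enforced by the surrounding `create_rbac_policy` rule, or a test covering a project admin setting a non-wildcard `target_tenant` for another tenant's object should be referenced. Also confirm that `rule:restrict_wildcard` is still referenced elsewhere in this file after the removal, otherwise the rule definition becomes dead and should be dropped in the same change.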
@ -89,7 +89,7 @@ rules = [
name='update_rbac_policy:target_tenant',
check_str=base.policy_or(
base.SYSTEM_ADMIN,
'rule:restrict_wildcard'),
'(not field:rbac_policy:target_tenant=*)'),
description='Update ``target_tenant`` attribute of an RBAC policy',
operations=[
{
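Review bot: The raw generic check `'(not field:rbac_policy:target_tenant=*)'` is now duplicated verbatim between `create_rbac_policy:target_tenant` and `update_rbac_policy:target_tenant`; factoring it into a named rule or a module-level constant in `base` would keep the two from drifting apart, which is exactly the kind of divergence that caused the over-broad policy this change corrects. The update path also deserves its own test, since an update that rewrites `target_tenant` to `*` on an existing policy is a distinct code path from create.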