924339ab11
By default ADMIN user in the new Secure RBAC policies should behave in
the same way as in the legacy rules so basically every API operation for
any project should be allowed for ADMIN user.
In the new rules there are roles like PROJECT_MEMBER and PROJECT_READER
and those personas don't inherits directly from ADMIN which means that
if something is possible to e.g. PROJECT_MEMBER it isn't automatically
also allowed to ADMIN and we need to explicitly allow ADMIN user to do
such requests. It was done like that for many of API calls already but
not for all of them (probably by mistake).
This patch introduces new composite check ADMIN_OR_PROJECT_MEMBER and
uses it in the check strings where ADMIN or PROJECT_MEMBER user is
allowed to use the API.
It also changes some of the check strings which used "policy_or" to
combine ADMIN and PROJECT_MEMBER or PROJECT_READER so that those
composite checks ADMIN_OR_PROJECT_MEMBER and ADMIN_OR_PROJECT_READER are
used everywhere.
Closes-Bug: #1997089
Change-Id: Iab5cd6c7aa07ca8527c5fa8396c9ed0da65b4fa7
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| agent | ||
| policies | ||
| __init__.py | ||