Use double quotes for string comparisons policies in glance

TripleO lays down policy check strings wrapped in single quotes, which will break if we don't escape them. This commit updates the policies to use double quotes so it's not an issue. Otherwise, if you deploy this file in an environment glance will throw 500s with the following error: expected <block end>, but found '<scalar>' in "<unicode string>", line 22, column 110: ... or project_id:%(member_id)s or 'community':%(visibility)s or 'pu ... Change-Id: I9315a1039246f3db10c3902583eb6ca51cffdba4
2021-10-12 19:45:03 +00:00 · 2021-10-12 19:45:03 +00:00 · 1cbd03a139
parent 36d706d80d
commit 1cbd03a139
1 changed files with 11 additions and 11 deletions
--- a/environments/enable-secure-rbac.yaml
+++ b/environments/enable-secure-rbac.yaml
@ -1514,7 +1514,7 @@ parameter_defaults:
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    glance-get_image:
      key: "get_image"
-      value: "role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"
+      value: 'role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))'
    glance-get_images:
      key: "get_images"
      value: "role:admin or (role:reader and project_id:%(project_id)s)"
@ -1529,7 +1529,7 @@ parameter_defaults:
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    glance-download_image:
      key: "download_image"
-      value: "role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"
+      value: 'role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))'
    glance-upload_image:
      key: "upload_image"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
@ -1592,7 +1592,7 @@ parameter_defaults:
      value: "role:admin"
    glance-get_metadef_namespace:
      key: "get_metadef_namespace"
-      value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
+      value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
    glance-get_metadef_namespaces:
      key: "get_metadef_namespaces"
      value: "role:admin or (role:reader and project_id:%(project_id)s)"
@ -1607,10 +1607,10 @@ parameter_defaults:
      value: "rule:metadef_admin"
    glance-get_metadef_object:
      key: "get_metadef_object"
-      value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
+      value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
    glance-get_metadef_objects:
      key: "get_metadef_objects"
-      value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
+      value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
    glance-modify_metadef_object:
      key: "modify_metadef_object"
      value: "rule:metadef_admin"
@ -1622,10 +1622,10 @@ parameter_defaults:
      value: "rule:metadef_admin"
    glance-list_metadef_resource_types:
      key: "list_metadef_resource_types"
-      value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
+      value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
    glance-get_metadef_resource_type:
      key: "get_metadef_resource_type"
-      value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
+      value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
    glance-add_metadef_resource_type_association:
      key: "add_metadef_resource_type_association"
      value: "rule:metadef_admin"
@ -1634,10 +1634,10 @@ parameter_defaults:
      value: "rule:metadef_admin"
    glance-get_metadef_property:
      key: "get_metadef_property"
-      value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
+      value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
    glance-get_metadef_properties:
      key: "get_metadef_properties"
-      value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
+      value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
    glance-modify_metadef_property:
      key: "modify_metadef_property"
      value: "rule:metadef_admin"
@ -1649,10 +1649,10 @@ parameter_defaults:
      value: "rule:metadef_admin"
    glance-get_metadef_tag:
      key: "get_metadef_tag"
-      value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
+      value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
    glance-get_metadef_tags:
      key: "get_metadef_tags"
-      value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
+      value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
    glance-modify_metadef_tag:
      key: "modify_metadef_tag"
      value: "rule:metadef_admin"