Promote sysinv to registry admin

This commit gives 'registry admin' powers to the 'sysinv' user for
pushing and pulling all repos. Using sysinv instead of the keystone
admin will prevent lockout of the keystone admin user if the
credentials change. The old 'admin' will continue to have admin
powers.

Partial-bug: 1882117

Change-Id: I0544525e218a7a16d560e2a96c2a878696b75837
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
Jerry Sun 2020-06-17 22:37:28 -04:00
parent d2c3cae672
commit 9aed7196fa
1 changed files with 2 additions and 2 deletions


@ -180,10 +180,10 @@ func filterAccessList(ctx context.Context, scope string, requestedAccessList []a
grantedAccessList := make([]auth.Access, 0, len(requestedAccessList))
for _, access := range requestedAccessList {
if access.Type == "repository" {
// filter access to repos if the user is not "admin"
// filter access to repos if the user is not "admin" or "sysinv"
// need to have a "/" at the end because it adds one at the beginning of the fcn
// probably to prevent people making accounts like "adminnot" to steal admin powers
if !strings.HasPrefix(access.Name, scope) && scope != "admin/" {
if !strings.HasPrefix(access.Name, scope) && scope != "admin/" && scope != "sysinv/" {
dcontext.GetLogger(ctx).Debugf("Resource scope not allowed: %s", access.Name)
continue
}
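Review bot: The new condition `scope != "admin/" && scope != "sysinv/"` adds a second hard-coded account name that skips the per-repository prefix filter, so whichever identity maps to the scope `sysinv/` is granted every requested repository. How `scope` is built is not visible in this hunk; if it is derived from the authenticated user name, confirm that `sysinv` is a reserved service account in the identity backend and cannot be created or renamed by an ordinary user. Keeping the privileged names in one package-level set, `var registryAdminScopes = map[string]bool{"admin/": true, "sysinv/": true}`, and testing `!registryAdminScopes[scope]` would put the full-access list in one auditable place. The comment starting "probably to prevent people" records a guess about the trailing slash; state the reason as fact or drop it. filterAccessList begins and ends outside the hunk.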