
Change default policy to check service project and not role

In TripleO and devstack alike, service users are part of the "service"
project, but TripleO doesn't have a "service" role. So let's depend on
the project to enforce policy. This way it will still work out of the
box with TripleO.

Change-Id: I01cf7b38904bb0311658348dcdc0b0efd4f36c0e
Closes-Bug: #1812844
Juan Antonio Osorio Robles 2 months ago
parent
commit
5633d348e3
2 changed files with 7 additions and 5 deletions
  1. 3
    3
      novajoin/policy.py
  2. 4
    2
      novajoin/tests/unit/api/fakes.py

+ 3
- 3
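--- a/novajoin/policy.py
+++ b/novajoin/policy.py
@@ -33,10 +33,10 @@ _RULES = [
         'context_is_admin', 'role:admin',
         "Decides what is required for the 'is_admin:True' check to succeed."),
     policy.RuleDefault(
-        'service_role', 'role:service',
-        "service role"),
+        'service_project', 'project_name:service',
+        "service project"),
     policy.RuleDefault(
-        'compute_service_user', 'user_name:nova and rule:service_role',
+        'compute_service_user', 'user_name:nova and rule:service_project',
         "This is usualy the nova service user, which calls the novajoin API, "
         "configured in [vendordata_dynamic_auth] in nova.conf."),
     policy.DocumentedRuleDefault(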
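Review bot: The new `service_project` default matches on `project_name:service` alone, and `compute_service_user` still matches on `user_name:nova`, so the default now rests entirely on names rather than on a role assignment or an ID. Keystone project and user names are unique only within a domain, so on a multi-domain deployment this name-only match may be satisfied by identities outside the intended service domain. If the request context exposes domain attributes (not visible in this hunk), consider pinning them, e.g. `'project_name:service and project_domain_id:<SERVICE_DOMAIN_ID>'`, or at least state the single-domain assumption in the rule description instead of the bare `"service project"`. Removing the `service_role` rule name outright also breaks any operator policy file that references `rule:service_role`, so a deprecation path or release note would help. The `_RULES` list begins and ends outside the hunk.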

+ 4
- 2
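--- a/novajoin/tests/unit/api/fakes.py
+++ b/novajoin/tests/unit/api/fakes.py
@@ -41,15 +41,17 @@ class HTTPRequest(webob.Request):
             out.environ['novajoin.context'] = FakeRequestContext(
                 user_id=fake.USER_ID,
                 user_name='nova',
-                roles=['service'],
+                roles=[],
                 project_id=fake.PROJECT_ID,
+                project_name='service',
                 is_admin=use_admin_context)
         else:
             out.environ['novajoin.context'] = FakeRequestContext(
                 user_id=fake.USER_ID,
                 user_name='not_nova',
-                roles=['not_service'],
+                roles=[],
                 project_id=fake.PROJECT_ID,
+                project_name='not_service',
                 is_admin=use_admin_context)
         out.api_version_request = Join(version)
         return out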
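Review bot: The two fake contexts differ in both `user_name` and `project_name` at once, so the fixture never exercises a request where only one half of `user_name:nova and rule:service_project` fails. A denial test for each half would show that the `and` is actually enforced after the switch from role to project: one context with `user_name='nova', project_name='not_service'` and one with `user_name='not_nova', project_name='service'`. Both branches also share `project_id=fake.PROJECT_ID`, which is worth a short comment saying the policy under test keys on the project name, not the ID. The enclosing method and the condition that selects the branch start outside the hunk.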
