Allow domain admin to view roles

Domain admins are allowed to assign roles. So it should be allowed to view roles. Closes-Bug: #2059780 Change-Id: Ifc25cf32ffcdb3b8a62d6741bc38e14bca0d7763
2024-03-29 23:32:48 +09:00 · 2024-03-29 23:32:48 +09:00 · 9162501c5f
parent 7a6e1a0bdc
commit 9162501c5f
1 changed files with 2 additions and 2 deletions
--- a/keystone/common/policies/role.py
+++ b/keystone/common/policies/role.py
@ -85,7 +85,7 @@ role_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'get_role',
        check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
-        scope_types=['system', 'project'],
+        scope_types=['system', 'domain', 'project'],
        description='Show role details.',
        operations=[{'path': '/v3/roles/{role_id}',
                     'method': 'GET'},
@ -95,7 +95,7 @@ role_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_roles',
        check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
-        scope_types=['system', 'project'],
+        scope_types=['system', 'domain', 'project'],
        description='List roles.',
        operations=[{'path': '/v3/roles',
                     'method': 'GET'},