Fix cluster template default policy

In Change I643d408cde0d6e30812cf6429fb7118184793400 a bunch of actions were changed from is_admin:True or project_id:%(project_id)s to rule:deny_cluster_user Which means that those actions are not verifying that the project ID of a token matches the project ID of the resource. This only seems to work for resources that a user can otherwise see. As public cluster templates can be seen by a user, a user is hence able to delete a CT. Fix it so that CT can only be modifiable or deletable by admin or owner. Story: 2008824 Task: 42289 Change-Id: I6dec817725338387a614f83e85a5f1f2814b020e
2021-09-06 20:49:01 +10:00 · 2021-09-06 20:49:01 +10:00 · 8ca92e6d70
parent 6951ac4fc6
commit 8ca92e6d70
1 changed files with 2 additions and 2 deletions
--- a/magnum/common/policies/cluster_template.py
+++ b/magnum/common/policies/cluster_template.py
@ -31,7 +31,7 @@ rules = [
    ),
    policy.DocumentedRuleDefault(
        name=CLUSTER_TEMPLATE % 'delete',
-        check_str=base.RULE_DENY_CLUSTER_USER,
+        check_str=base.RULE_ADMIN_OR_OWNER,
        description='Delete a cluster template.',
        operations=[
            {
@ -121,7 +121,7 @@ rules = [
    ),
    policy.DocumentedRuleDefault(
        name=CLUSTER_TEMPLATE % 'update',
-        check_str=base.RULE_DENY_CLUSTER_USER,
+        check_str=base.RULE_ADMIN_OR_OWNER,
        description='Update an existing cluster template.',
        operations=[
            {