Fix cluster template default policy
In Change I643d408cde0d6e30812cf6429fb7118184793400 a bunch of actions were changed from is_admin:True or project_id:%(project_id)s to rule:deny_cluster_user, which means that those actions are not verifying that the project ID of a token matches the project ID of the resource. This only seems to work for resources that a user can otherwise see. As public cluster templates can be seen by a user, a user is hence able to delete a CT.

Fix it so that CT can only be modifiable or deletable by admin or owner.

Story: 2008824
Task: 42289
Change-Id: I6dec817725338387a614f83e85a5f1f2814b020e
parent 6951ac4fc6
commit 8ca92e6d70
@ -31,7 +31,7 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CLUSTER_TEMPLATE % 'delete',
|
||||
check_str=base.RULE_DENY_CLUSTER_USER,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description='Delete a cluster template.',
|
||||
operations=[
|
||||
{
|
||||
|
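Review bot: The new check_str=base.RULE_ADMIN_OR_OWNER on the delete rule only closes the gap if the delete handler passes the cluster template itself as the policy target, so that the project_id comparison runs against the template's project and not against the caller's own credentials. The enforcement call is not visible in this hunk, so please confirm it. A policy test would also pin the behaviour described in the commit message: a token from a different project attempting to delete a public cluster template should be denied, while the owning project and an admin are allowed.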
@ -121,7 +121,7 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CLUSTER_TEMPLATE % 'update',
|
||||
check_str=base.RULE_DENY_CLUSTER_USER,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description='Update an existing cluster template.',
|
||||
operations=[
|
||||
{
|
||||
|
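Review bot: On the update rule the default becomes base.RULE_ADMIN_OR_OWNER, but the description still reads 'Update an existing cluster template.', so the generated policy documentation will not tell operators that the action is now limited to an admin or the owning project. Suggest saying so in the description here and on the delete rule, and adding a release note, since deployments that carry their own policy override for this rule keep whatever check they already have. The commit message also says the earlier change moved a bunch of actions to rule:deny_cluster_user while only delete and update are corrected in this patch, so it is worth checking whether any rule still on base.RULE_DENY_CLUSTER_USER acts on a resource that is visible across projects.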