Add a system-reader check string to base.py

This commit adds a new constant to base.py that models a common persona
being implemented across OpenStack called system-reader. We can use this
persona in future patches to update the default policies for the
appropriate APIs.

Change-Id: I12074fe328db71895bbdfda3c9e7c56cc6b6f40d
Lance Bragstad 2020-12-01 14:35:41 +00:00
parent 6edbdfa296
commit 12c41a0a73
1 changed files with 7 additions and 0 deletions


@ -15,7 +15,14 @@ from oslo_policy import policy
ROLE_ADMIN = 'role:admin'
UNPROTECTED = ''
# This is a check string that represents a common persona for someone who has
# read-only access to the deployment, ultimately a subset of authorization for
# system users, or administrators.
SYSTEM_READER = 'role:admin and system_scope:all'
rules = [
# This can be removed once the deprecated policies in segregation.py have
# been removed.
policy.RuleDefault(
name='context_is_admin',
check_str=ROLE_ADMIN
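Review bot: `SYSTEM_READER` is documented as the read-only persona, but its check string `'role:admin and system_scope:all'` requires the admin role, so any policy that adopts it would match only system administrators. An operator who wants to give an auditor read access would have to grant that user admin, which defeats the least-privilege purpose of the persona. If the read-only persona is what is meant, the expected form is `SYSTEM_READER = 'role:reader and system_scope:all'`. If requiring admin is deliberate for now, the comment above the constant should say so, for example `# NOTE: still requires role:admin until the reader role is adopted here.` The `rules` list and the `policy.RuleDefault(...)` call continue past the end of the hunk.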