Change default policy to check service project and not role
In TripleO and devstack alike, service users are part of the "service" project, whereas TripleO doesn't have a "service" role. So let's depend on the project to enforce policy. This way the default policy will still work out of the box with TripleO. Change-Id: I01cf7b38904bb0311658348dcdc0b0efd4f36c0e Closes-Bug: #1812844
parent
462305315c
commit
5633d348e3
|
@ -33,10 +33,10 @@ _RULES = [
|
|||
'context_is_admin', 'role:admin',
|
||||
"Decides what is required for the 'is_admin:True' check to succeed."),
|
||||
policy.RuleDefault(
|
||||
'service_role', 'role:service',
|
||||
"service role"),
|
||||
'service_project', 'project_name:service',
|
||||
"service project"),
|
||||
policy.RuleDefault(
|
||||
'compute_service_user', 'user_name:nova and rule:service_role',
|
||||
'compute_service_user', 'user_name:nova and rule:service_project',
|
||||
"This is usualy the nova service user, which calls the novajoin API, "
|
||||
"configured in [vendordata_dynamic_auth] in nova.conf."),
|
||||
policy.DocumentedRuleDefault(
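Review bot: The new `service_project` default (`project_name:service`) and the `user_name:nova` term in `compute_service_user` both match on names, and Keystone guarantees project and user names to be unique only within a domain, so on a multi-domain cloud a user named nova in a project named service from another domain would presumably satisfy this rule now that the role requirement is gone. If the novajoin request context carries the domain ids, consider pinning them in the default, e.g. `'service_project', 'project_name:service and project_domain_id:default'` (confirm that credential key is populated before relying on it). At minimum the description `"service project"` should say this, for instance `"Project that service users belong to; matched by name only, so override on multi-domain deployments."`. The `_RULES` list starts and continues outside the hunk.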
|
||||
|
|
|
@ -41,15 +41,17 @@ class HTTPRequest(webob.Request):
|
|||
out.environ['novajoin.context'] = FakeRequestContext(
|
||||
user_id=fake.USER_ID,
|
||||
user_name='nova',
|
||||
roles=['service'],
|
||||
roles=[],
|
||||
project_id=fake.PROJECT_ID,
|
||||
project_name='service',
|
||||
is_admin=use_admin_context)
|
||||
else:
|
||||
out.environ['novajoin.context'] = FakeRequestContext(
|
||||
user_id=fake.USER_ID,
|
||||
user_name='not_nova',
|
||||
roles=['not_service'],
|
||||
roles=[],
|
||||
project_id=fake.PROJECT_ID,
|
||||
project_name='not_service',
|
||||
is_admin=use_admin_context)
|
||||
out.api_version_request = Join(version)
|
||||
return out
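Review bot: The negative fixture in the `else` branch changes `user_name` and `project_name` together (`'not_nova'` / `'not_service'`), so a policy that stopped checking the project would still pass every test that uses it. Since `compute_service_user` is now `user_name:nova and rule:service_project`, a third context with `user_name='nova', project_name='not_service'` (and one with the reverse) would pin each half of the rule separately. The enclosing method and the condition selecting these branches are outside the hunk.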
|
||||
|
|