Admin API policy enforcement contingent on is_admin_project
In order for a user with the admin role to be able to perform administrative actions, the role must be assigned to a project that is deemed the "admin" project in the Keystone server. This prevents someone being assigned admin on some random project from being admin everywhere. Change-Id: Ic4294cc1746702c345259c64bad1e20675a7d9ab Closes-Bug: 968696
parent
366acd02b4
commit
da0ea57d7e
|
@ -1,9 +1,8 @@
|
|||
{
|
||||
"context_is_admin": "role:admin",
|
||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
||||
"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s",
|
||||
"default": "rule:admin_or_owner",
|
||||
|
||||
"admin_api": "is_admin:True",
|
||||
"admin_api": "is_admin:True or (role:admin and is_admin_project:True)",
|
||||
|
||||
"volume:create": "",
|
||||
"volume:delete": "rule:admin_or_owner",
|
||||
|
|
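Review bot: The `is_admin:True or` disjunct kept at the front of both `admin_or_owner` and `admin_api` can turn the added `(role:admin and is_admin_project:True)` clause into a no-op. The section also shows `"context_is_admin": "role:admin"`, and this rendering does not say whether that line is kept or removed; if it is kept and the service derives the context's `is_admin` flag from that rule (not visible here, to be confirmed), a user holding the admin role on any project still satisfies `is_admin:True`. In that case I would scope the flag itself, for example `"context_is_admin": "role:admin and is_admin_project:True"`, and add a policy test asserting that an admin-role token scoped to a non-admin project is denied `admin_api`. The check is only meaningful once an admin project is configured in Keystone, so how `is_admin_project` evaluates when none is configured should be confirmed and documented for operators.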