openstack
/
cinder
Code Issues Proposed changes

Admin API policy enforcement contingent on is_admin_project 

In order for a user with the admin role to be able to perform
administrative actions, the role must be assigned to a project
that is deemed the "admin" project in the Keystone server. This
prevents someone being assigned admin on some random project
from being admin everywhere.

Change-Id: Ic4294cc1746702c345259c64bad1e20675a7d9ab
Closes-Bug: 968696
This commit is contained in:
Adam Young 2016-10-10 13:41:52 -04:00 committed by ayoung
parent 366acd02b4
commit da0ea57d7e
1 changed files with 2 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
etc/cinder/policy.json
View File

@ -1,9 +1,8 @@
{
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"admin_api": "is_admin:True",
"admin_api": "is_admin:True or (role:admin and is_admin_project:True)",
"volume:create": "",
"volume:delete": "rule:admin_or_owner",