This patch updates system-scoped policies to also accept project-admin
tokens so that operators can continue to use the "admin" role to access
system level APIs.
The protection test job is marked non-voting since tempest does not yet
expect these policy changes. A follow-up patch will make it voting
again after the test changes have merged into tempest.
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1
Change-Id: I31b5a1f85d994a90578657bc77fa46ace0748582
This commit adds domain-scope to the scope_types for registered limit
policies, allowing domain users to access those API when enforce_scope
is enabled. This commit also introduces some tests that explicitly
show how domain users are expected to behave with the registered
limits API. A subsequent patch will do the same for project users.
Change-Id: I7a04e1e2fc585340c9e061c915461ab13b9abec2
Related-Bug: 1805880
A recent set of changes added a common role definition for system
administrators and system readers. Instead of rewriting the same thing
in each policy module, we can just reference a single consistent
string available in base.py.
Change-Id: I9de01478fe45a9935d901e4936f6c56bfceac6ae
This change makes the policy definitions for admin registered limit
operations consistent with the other registered limit
policies. Subsequent patches will incorporate:
- domain user test coverage
- project user test coverage
Change-Id: If0352220670fdf5c98d0820309817416466b1466
Related-Bug: 1805372
Related-Bug: 1805880
According to the API-WG's suggestion, the update registered
limit/project limit APIs should be refactored as:
1. Change PUT to PATCH
2. Remove batch update limits support for PATCH
Closes-Bug: #1754184
Change-Id: I1102166ab425a55d8eaf85c75d8fd3a7dfbaceb6
This commit lays down the policies needed to protect the unified limit
API. A subsequent patch will expose the implementation.
bp unified-limits
Change-Id: I952fe6213adce86a92d7d607c9b639076b279f6c
Douglas Mendizábal