Merge "Add scope_types to grant policies"
commit
4031020150
@ -59,6 +59,13 @@ grant_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'check_grant',
check_str=base.RULE_ADMIN_REQUIRED,
# FIXME(lbragstad): A system administrator should be able to grant role
# assignments from any actor to any target in the deployment. Domain
# administrators should only be able to grant access to the domain they
# administer or projects within that domain. Once keystone is smart
# enough to enforce those checks in code, we can add 'project' to the
# list of scope_types below.
scope_types=['system'],
description=('Check a role grant between a target and an actor. A '
'target can be either a domain or a project. An actor '
'can be either a user or a group. These terms also apply '
@ -69,6 +76,9 @@ grant_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_grants',
check_str=base.RULE_ADMIN_REQUIRED,
# FIXME(lbragstad): See the above comment about scope_types before
# adding 'project' to scope_types below.
scope_types=['system'],
description=('List roles granted to an actor on a target. A target '
'can be either a domain or a project. An actor can be '
'either a user or a group. For the OS-INHERIT APIs, it '
@ -79,6 +89,9 @@ grant_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_grant',
check_str=base.RULE_ADMIN_REQUIRED,
# FIXME(lbragstad): See the above comment about scope_types before
# adding 'project' to scope_types below.
scope_types=['system'],
description=('Create a role grant between a target and an actor. A '
'target can be either a domain or a project. An actor '
'can be either a user or a group. These terms also apply '
@ -89,6 +102,9 @@ grant_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'revoke_grant',
check_str=base.RULE_ADMIN_REQUIRED,
# FIXME(lbragstad): See the above comment about scope_types before
# adding 'project' to scope_types below.
scope_types=['system'],
description=('Revoke a role grant between a target and an actor. A '
'target can be either a domain or a project. An actor '
'can be either a user or a group. These terms also apply '
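Review bot: The FIXME added above `scope_types` in the check_grant rule (and referenced from the other three hunks) explains why 'project' is left out, but not what `scope_types=['system']` actually enforces today: as far as I recall oslo.policy only treats scope_types as a hard check when `[oslo_policy] enforce_scope` is True, and otherwise a token of the wrong scope merely logs a warning and the request still stands or falls on `check_str`, which is `base.RULE_ADMIN_REQUIRED` in all four rules. A one-line addition to the comment would keep an operator from reading this change as already confining grant operations to system-scoped tokens, e.g. `# NOTE: scope_types is only enforced with [oslo_policy] enforce_scope=True; until then the effective check remains rule:admin_required.` Each DocumentedRuleDefault call continues past its hunk, so the remainder of the description text and the closing parenthesis are not visible here.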