Merge "Add scope_types to grant policies"

2018-01-26 21:48:27 +00:00 · 2018-01-26 21:48:27 +00:00 · 4031020150
parent a886dd256e 7dbf84c024
commit 4031020150
1 changed files with 16 additions and 0 deletions
--- a/keystone/common/policies/grant.py
+++ b/keystone/common/policies/grant.py
@ -59,6 +59,13 @@ grant_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'check_grant',
        check_str=base.RULE_ADMIN_REQUIRED,
+        # FIXME(lbragstad): A system administrator should be able to grant role
+        # assignments from any actor to any target in the deployment. Domain
+        # administrators should only be able to grant access to the domain they
+        # administer or projects within that domain. Once keystone is smart
+        # enough to enforce those checks in code, we can add 'project' to the
+        # list of scope_types below.
+        scope_types=['system'],
        description=('Check a role grant between a target and an actor. A '
                     'target can be either a domain or a project. An actor '
                     'can be either a user or a group. These terms also apply '
@ -69,6 +76,9 @@ grant_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_grants',
        check_str=base.RULE_ADMIN_REQUIRED,
+        # FIXME(lbragstad): See the above comment about scope_types before
+        # adding 'project' to scope_types below.
+        scope_types=['system'],
        description=('List roles granted to an actor on a target. A target '
                     'can be either a domain or a project. An actor can be '
                     'either a user or a group. For the OS-INHERIT APIs, it '
@ -79,6 +89,9 @@ grant_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'create_grant',
        check_str=base.RULE_ADMIN_REQUIRED,
+        # FIXME(lbragstad): See the above comment about scope_types before
+        # adding 'project' to scope_types below.
+        scope_types=['system'],
        description=('Create a role grant between a target and an actor. A '
                     'target can be either a domain or a project. An actor '
                     'can be either a user or a group. These terms also apply '
@ -89,6 +102,9 @@ grant_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'revoke_grant',
        check_str=base.RULE_ADMIN_REQUIRED,
+        # FIXME(lbragstad): See the above comment about scope_types before
+        # adding 'project' to scope_types below.
+        scope_types=['system'],
        description=('Revoke a role grant between a target and an actor. A '
                     'target can be either a domain or a project. An actor '
                     'can be either a user or a group. These terms also apply '