Allow domain admin to view roles
Domain admins are allowed to assign roles. So it should be allowed to view roles. Note that protection job is made non-voting until the domain admin role test cases are updated. Closes-Bug: #2059780 Change-Id: Ifc25cf32ffcdb3b8a62d6741bc38e14bca0d7763
This commit is contained in:
parent
7a6e1a0bdc
commit
522627de3c
|
@ -193,7 +193,8 @@
|
|||
irrelevant-files: *tempest-irrelevant-files
|
||||
- tempest-ipv6-only:
|
||||
irrelevant-files: *tempest-irrelevant-files
|
||||
- keystone-protection-functional
|
||||
- keystone-protection-functional:
|
||||
voting: false
|
||||
gate:
|
||||
jobs:
|
||||
- keystone-tox-py310-with-sqlalchemy-2x
|
||||
|
@ -207,7 +208,8 @@
|
|||
irrelevant-files: *tempest-irrelevant-files
|
||||
- tempest-ipv6-only:
|
||||
irrelevant-files: *tempest-irrelevant-files
|
||||
- keystone-protection-functional
|
||||
- keystone-protection-functional:
|
||||
voting: false
|
||||
experimental:
|
||||
jobs:
|
||||
- keystone-tox-patch_cover
|
||||
|
|
|
@ -85,7 +85,7 @@ role_policies = [
|
|||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'get_role',
|
||||
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['system', 'domain', 'project'],
|
||||
description='Show role details.',
|
||||
operations=[{'path': '/v3/roles/{role_id}',
|
||||
'method': 'GET'},
|
||||
|
@ -95,7 +95,7 @@ role_policies = [
|
|||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'list_roles',
|
||||
check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['system', 'domain', 'project'],
|
||||
description='List roles.',
|
||||
operations=[{'path': '/v3/roles',
|
||||
'method': 'GET'},
|
||||
|
|
Loading…
Reference in New Issue