Allow domain admin to view roles

Domain admins are allowed to assign roles. So it should be allowed to view roles. Note that protection job is made non-voting until the domain admin role test cases are updated. Closes-Bug: #2059780 Change-Id: Ifc25cf32ffcdb3b8a62d6741bc38e14bca0d7763
2024-03-29 23:32:48 +09:00 · 2024-03-29 23:32:48 +09:00 · 522627de3c
parent 7a6e1a0bdc
commit 522627de3c
2 changed files with 6 additions and 4 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -193,7 +193,8 @@
            irrelevant-files: *tempest-irrelevant-files
        - tempest-ipv6-only:
            irrelevant-files: *tempest-irrelevant-files
-        - keystone-protection-functional
+        - keystone-protection-functional:
+            voting: false
    gate:
      jobs:
        - keystone-tox-py310-with-sqlalchemy-2x
@ -207,7 +208,8 @@
            irrelevant-files: *tempest-irrelevant-files
        - tempest-ipv6-only:
            irrelevant-files: *tempest-irrelevant-files
-        - keystone-protection-functional
+        - keystone-protection-functional:
+            voting: false
    experimental:
      jobs:
        - keystone-tox-patch_cover
--- a/keystone/common/policies/role.py
+++ b/keystone/common/policies/role.py
@ -85,7 +85,7 @@ role_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'get_role',
        check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
-        scope_types=['system', 'project'],
+        scope_types=['system', 'domain', 'project'],
        description='Show role details.',
        operations=[{'path': '/v3/roles/{role_id}',
                     'method': 'GET'},
@ -95,7 +95,7 @@ role_policies = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_roles',
        check_str=base.RULE_ADMIN_OR_SYSTEM_READER,
-        scope_types=['system', 'project'],
+        scope_types=['system', 'domain', 'project'],
        description='List roles.',
        operations=[{'path': '/v3/roles',
                     'method': 'GET'},