Allow domain users to manage credentials

Credentials are associated with users, so there is no reason to prevent
domain users from accessing these resources. In some services like heat
a domain admin is used to generate keystone credentials, and loosening
the scope check is required to continue supporting such a use case.

Closes-Bug: #2062045
Change-Id: I140b302d879ce1cc1f8d8de9e666cc74278a977f
(cherry picked from commit 5ead95ffcc)
Takashi Kajinami 2024-04-18 03:12:19 +09:00 committed by David Wilde
parent 286e44cd19
commit a13bec662e
1 changed files with 5 additions and 5 deletions


@ -55,7 +55,7 @@ credential_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_credential',
check_str=base.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER,
scope_types=['system', 'project'],
scope_types=['system', 'domain', 'project'],
description='Show credentials details.',
operations=[{'path': '/v3/credentials/{credential_id}',
'method': 'GET'}],
@ -64,7 +64,7 @@ credential_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_credentials',
check_str=base.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER,
scope_types=['system', 'project'],
scope_types=['system', 'domain', 'project'],
description='List credentials.',
operations=[{'path': '/v3/credentials',
'method': 'GET'}],
@ -73,7 +73,7 @@ credential_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_credential',
check_str=base.ADMIN_OR_CRED_OWNER,
scope_types=['system', 'project'],
scope_types=['system', 'domain', 'project'],
description='Create credential.',
operations=[{'path': '/v3/credentials',
'method': 'POST'}],
@ -82,7 +82,7 @@ credential_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_credential',
check_str=base.ADMIN_OR_CRED_OWNER,
scope_types=['system', 'project'],
scope_types=['system', 'domain', 'project'],
description='Update credential.',
operations=[{'path': '/v3/credentials/{credential_id}',
'method': 'PATCH'}],
@ -91,7 +91,7 @@ credential_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_credential',
check_str=base.ADMIN_OR_CRED_OWNER,
scope_types=['system', 'project'],
scope_types=['system', 'domain', 'project'],
description='Delete credential.',
operations=[{'path': '/v3/credentials/{credential_id}',
'method': 'DELETE'}],
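Review bot: Adding 'domain' to scope_types in all five rules (hunks at -55, -64, -73, -82, -91) relaxes only the scope-type check while check_str is left as is, so a domain-scoped admin token now passes scope enforcement for get/list/create/update/delete and whether it is then confined to credentials of users in its own domain depends entirely on how base.ADMIN_OR_CRED_OWNER and base.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER are defined, which this page does not show. That is worth pinning with protection tests: a domain admin reading, updating or deleting a credential owned by a user in another domain, and list_credentials with a domain-scoped token, since the list rule returns the whole collection unless an owner or domain filter is applied elsewhere. The diffstat shows a single changed file, so no test or release-note change accompanies a policy widening that operators may need to audit; a short comment above the list, such as `# Domain-scoped tokens are accepted; cross-domain visibility is governed by the base rules, not by scope_types.`, would make the intent explicit. The enclosing credential_policies list starts and ends outside these hunks.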