Remove unused policy rule for Certificate APIs
Cluster user is no longer used for drivers in Magnum since [1]. Remove unused policy rule to reflect that fix. [1] https://review.opendev.org/c/openstack/magnum/+/889144 Change-Id: Ic7ef89a61835a7045d81dbf5af77714a3270cd7c
This commit is contained in:
ricolin
parent
f87636e076
commit
0ff50c542e
|
|
@ -47,8 +47,8 @@ RULE_PROJECT_READER_DENY_CLUSTER_USER = (
|
|||
'rule:project_reader_deny_cluster_user')
|
||||
RULE_ADMIN_OR_PROJECT_READER_DENY_CLUSTER_USER = (
|
||||
'rule:admin_or_project_reader_deny_cluster_user')
|
||||
RULE_ADMIN_OR_PROJECT_READER_USER_OR_CLUSTER_USER = (
|
||||
'rule:admin_or_project_reader_user_or_cluster_user')
|
||||
RULE_ADMIN_OR_PROJECT_READER_USER = (
|
||||
'rule:admin_or_project_reader_user')
|
||||
|
||||
# ==========================================================
|
||||
# Deprecated Since OpenStack 2023.2(Magnum 17.0.0) and should be removed in
|
||||
|
|
@ -85,6 +85,13 @@ DEPRECATED_RULE_ADMIN_OR_USER_OR_CLUSTER_USER = policy.DeprecatedRule(
|
|||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=DEPRECATED_SINCE
|
||||
)
|
||||
|
||||
DEPRECATED_RULE_ADMIN_OR_USER = policy.DeprecatedRule(
|
||||
name=RULE_ADMIN_OR_USER,
|
||||
check_str=f"(({RULE_ADMIN_API}) or ({RULE_USER}))",
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=DEPRECATED_SINCE
|
||||
)
|
||||
# ==========================================================
|
||||
|
||||
rules = [
|
||||
|
|
@ -135,7 +142,8 @@ rules = [
|
|||
check_str=(
|
||||
f"({RULE_ADMIN_API}) or (({RULE_PROJECT_MEMBER}) and "
|
||||
f"({RULE_USER}))"
|
||||
)
|
||||
),
|
||||
deprecated_rule=DEPRECATED_RULE_ADMIN_OR_USER
|
||||
),
|
||||
policy.RuleDefault(
|
||||
name='user_or_cluster_user',
|
||||
|
|
@ -193,12 +201,12 @@ rules = [
|
|||
deprecated_rule=DEPRECATED_DENY_CLUSTER_USER
|
||||
),
|
||||
policy.RuleDefault(
|
||||
name='admin_or_project_reader_user_or_cluster_user',
|
||||
name='admin_or_project_reader_user',
|
||||
check_str=(
|
||||
f"({RULE_ADMIN_API}) or (({RULE_PROJECT_READER}) and "
|
||||
f"({RULE_USER_OR_CLUSTER_USER}))"
|
||||
f"({RULE_USER}))"
|
||||
),
|
||||
deprecated_rule=DEPRECATED_RULE_ADMIN_OR_USER_OR_CLUSTER_USER
|
||||
deprecated_rule=DEPRECATED_RULE_ADMIN_OR_USER
|
||||
),
|
||||
]
|
||||
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ CERTIFICATE = 'certificate:%s'
|
|||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CERTIFICATE % 'create',
|
||||
check_str=base.RULE_ADMIN_OR_PROJECT_MEMBER_USER_OR_CLUSTER_USER,
|
||||
check_str=base.RULE_ADMIN_OR_PROJECT_MEMBER_USER,
|
||||
scope_types=["project"],
|
||||
description='Sign a new certificate by the CA.',
|
||||
operations=[
|
||||
|
|
@ -32,7 +32,7 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CERTIFICATE % 'get',
|
||||
check_str=base.RULE_ADMIN_OR_PROJECT_READER_USER_OR_CLUSTER_USER,
|
||||
check_str=base.RULE_ADMIN_OR_PROJECT_READER_USER,
|
||||
scope_types=["project"],
|
||||
description='Retrieve CA information about the given cluster.',
|
||||
operations=[
|
||||
|
|
|
|||
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
Remove checking cluster user from rules in default policy for
|
||||
Certificate APIs to reflect recent fixes
|
||||
(https://review.opendev.org/c/openstack/magnum/+/889144).
|
||||
Loading…
Reference in New Issue