0012785501
oslo.policy introduced the scope_type feature which can control the access level at system-level and project-level. - https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html There are two type of scope: 1. 'system': policy with 'system' scope means user with 'system-scoped' token have permission to access otherwise not. This scope type can be applied to API policies which need access permission at system level. 2. 'project': policy with 'project' scope means user with 'project-scoped' token have permission to access. This scope type can be applied to API policies which need access permission at project level. Any policy need permission for both scope 'system' and 'project' can be added with both scope, for example: scope_type['system', 'project'] This commit introduce scope_type for os-services API policies. All the os-service policy are scopped as 'system' because nova services operation should not be given access to project scopped token. Also adds the test case with scope_type enabled and verify we pass and fail the policy check with expected context. Partial implement blueprint policy-defaults-refresh Change-Id: Ia6ad47e4e411c8c6f50c98807ee97f99297d97b8 |
||
---|---|---|
.. | ||
__init__.py | ||
base.py | ||
test_services.py |