a8fd8731d2
The same policy rule (os_compute_api:os-flavor-manage) is being used for the create and delete actions of the flavors REST API. It is thus impossible to provide different RBAC for the create and delete actions based on roles. To address this, changes are made to have separate policy rules for each action. Most other places in nova (and OpenStack in general) have separate policy rules for each action. This affords the ultimate flexibility to deployers, who can obviously use the same rule if that is what they want. To address backwards compatibility, the new rules added to the flavor_manage.py policy file, default to the existing rule (os_compute_api:os-flavor-manage). That way across upgrades this should ensure if an existing admin has customised the rule, it keeps working, but folks that know about the new setting can override the default rule. In addtion, a verify_deprecated_policy method is added to see if the old policy action is being configured instead of the new actions. Closes-Bug: #1675147 Co-Authored-By: Felipe Monteiro <felipe.monteiro@att.com> Change-Id: Ic67b52ebac3a47e9fb7e3c0d6c3ce8a6bc539e11 |
||
|---|---|---|
| .. | ||
| openstack | ||
| __init__.py | ||
| test_auth.py | ||
| test_compute_req_id.py | ||
| test_wsgi.py | ||