Change default policy to check service project and not role
In TripleO and devstack alike, service users are part of the "service" project, whereas TripleO doesn't have a "service" role. So let's depend on the project to enforce policy; this way it will still work out of the box with TripleO. Change-Id: I01cf7b38904bb0311658348dcdc0b0efd4f36c0e Closes-Bug: #1812844
parent
462305315c
commit
5633d348e3
|
@ -33,10 +33,10 @@ _RULES = [
|
||||||
'context_is_admin', 'role:admin',
|
'context_is_admin', 'role:admin',
|
||||||
"Decides what is required for the 'is_admin:True' check to succeed."),
|
"Decides what is required for the 'is_admin:True' check to succeed."),
|
||||||
policy.RuleDefault(
|
policy.RuleDefault(
|
||||||
'service_role', 'role:service',
|
'service_project', 'project_name:service',
|
||||||
"service role"),
|
"service project"),
|
||||||
policy.RuleDefault(
|
policy.RuleDefault(
|
||||||
'compute_service_user', 'user_name:nova and rule:service_role',
|
'compute_service_user', 'user_name:nova and rule:service_project',
|
||||||
"This is usualy the nova service user, which calls the novajoin API, "
|
"This is usualy the nova service user, which calls the novajoin API, "
|
||||||
"configured in [vendordata_dynamic_auth] in nova.conf."),
|
"configured in [vendordata_dynamic_auth] in nova.conf."),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
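Review bot: The new default `'compute_service_user', 'user_name:nova and rule:service_project'` rests entirely on two names, and Keystone only guarantees that user and project names are unique within a domain. In a multi-domain deployment, a `service` project and a `nova` user that live in some other domain would appear to satisfy this rule, whereas the old `role:service` check depended on an explicit role assignment. Consider pinning the domain as well (for example a `project_domain_id` check, if novajoin's request context exposes that attribute to the policy engine, which is not visible in this hunk), or at least expand the description `"service project"` to state that the match is by name only. Operators whose policy overrides reference `rule:service_role` also lose that rule name on upgrade; oslo.policy's deprecated-rule mechanism could keep it resolvable. The `_RULES` list begins before and continues after this hunk.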
|
||||||
|
|
|
@ -41,15 +41,17 @@ class HTTPRequest(webob.Request):
|
||||||
out.environ['novajoin.context'] = FakeRequestContext(
|
out.environ['novajoin.context'] = FakeRequestContext(
|
||||||
user_id=fake.USER_ID,
|
user_id=fake.USER_ID,
|
||||||
user_name='nova',
|
user_name='nova',
|
||||||
roles=['service'],
|
roles=[],
|
||||||
project_id=fake.PROJECT_ID,
|
project_id=fake.PROJECT_ID,
|
||||||
|
project_name='service',
|
||||||
is_admin=use_admin_context)
|
is_admin=use_admin_context)
|
||||||
else:
|
else:
|
||||||
out.environ['novajoin.context'] = FakeRequestContext(
|
out.environ['novajoin.context'] = FakeRequestContext(
|
||||||
user_id=fake.USER_ID,
|
user_id=fake.USER_ID,
|
||||||
user_name='not_nova',
|
user_name='not_nova',
|
||||||
roles=['not_service'],
|
roles=[],
|
||||||
project_id=fake.PROJECT_ID,
|
project_id=fake.PROJECT_ID,
|
||||||
|
project_name='not_service',
|
||||||
is_admin=use_admin_context)
|
is_admin=use_admin_context)
|
||||||
out.api_version_request = Join(version)
|
out.api_version_request = Join(version)
|
||||||
return out
|
return out
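Review bot: The two fake contexts differ in both `user_name` and `project_name` at once (`'nova'`/`'service'` versus `'not_nova'`/`'not_service'`), so no test built on them can show that the project half of `compute_service_user` is what denies a request. A fixture with `user_name='nova', project_name='not_service'` (and the reverse combination) would pin the new `rule:service_project` check on its own. Since both branches now pass `roles=[]`, a comment such as `# no role is granted: authorization must come from project_name alone` would make the intent explicit. The `if` that selects between the two contexts is outside the hunk.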
|
||||||
|
|