author | Rabi Mishra <ramishra@redhat.com> | 2016-07-01 10:38:28 +0530 |
---|---|---|
committer | Rabi Mishra <ramishra@redhat.com> | 2016-08-12 04:52:38 +0000 |
commit | 168a7797e5e7643141d81420ae248fbbbef6f9ef (patch) | |
tree | aa86f77f4ef2643cad5fcfdb12e5428cdfdbb5e8 /etc | |
parent | d019947962de56a18815a04d8197abc416478de5 (diff) | |
download | heat-168a7797e5e7643141d81420ae248fbbbef6f9ef.tar.gz |
Use is_admin_project from context
Now that oslo.context has been bumped to >=2.6.0,
we can use `is_admin_project` from the context which
is backward compatible.
This also adds a new rule `project_admin` to make
resource types accessible in line with the current policy
of other services like nova, which are yet to use the
`is_admin_project` feature. Once those services start
using the `is_admin_project` feature, we can remove this.
Change-Id: I5be8176042f8839e86f77984222e7fac66dfaed6
Related-Bug: #1466694
Diffstat (limited to 'etc')
-rw-r--r-- | etc/heat/policy.json | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/etc/heat/policy.json b/etc/heat/policy.json
index 89422e0b7..f114cab6f 100644
--- a/etc/heat/policy.json
+++ b/etc/heat/policy.json
@@ -1,5 +1,6 @@
 {
- "context_is_admin": "role:admin and auth_token_info.token.is_admin_project:True",
+ "context_is_admin": "role:admin and is_admin_project:True",
+ "project_admin": "role:admin",
 "deny_stack_user": "not role:heat_stack_user",
 "deny_everybody": "!",
@@ -83,11 +84,11 @@
 "service:index": "rule:context_is_admin",
- "resource_types:OS::Nova::Flavor": "rule:context_is_admin",
- "resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
- "resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
- "resource_types:OS::Manila::ShareType": "rule:context_is_admin",
- "resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
- "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
- "resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
+ "resource_types:OS::Nova::Flavor": "rule:project_admin",
+ "resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin",
+ "resource_types:OS::Cinder::VolumeType": "rule:project_admin",
+ "resource_types:OS::Manila::ShareType": "rule:project_admin",
+ "resource_types:OS::Neutron::QoSPolicy": "rule:project_admin",
+ "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin",
+ "resource_types:OS::Nova::HostAggregate": "rule:project_admin"
 } |
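Review bot: `"project_admin": "role:admin"` in the first hunk drops the `is_admin_project:True` condition, so the seven `resource_types:*` rules in the second hunk now pass for anyone holding `admin` on any project, while `service:index` still requires `rule:context_is_admin`. The description calls this temporary, but strict JSON has no comment syntax, so nothing in `etc/heat/policy.json` records that `project_admin` is a deliberate, time-limited relaxation. I would add a release note and a policy-documentation entry saying that the rule is scoped to `role:admin` only and is meant to be tightened once the other services honour `is_admin_project`. A policy unit test should also pin the behaviour by asserting that a context with `role:admin` and `is_admin_project` false passes `resource_types:OS::Nova::Flavor` but fails `service:index`. Operators who want the stricter behaviour now can presumably override it locally with `"project_admin": "rule:context_is_admin"`; that should be confirmed against how the backing services treat project-scoped admins.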