diff options
Diffstat (limited to 'nova/policies/quota_sets.py')
-rw-r--r-- | nova/policies/quota_sets.py | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/nova/policies/quota_sets.py b/nova/policies/quota_sets.py index ac141a2c24..ae8c471f56 100644 --- a/nova/policies/quota_sets.py +++ b/nova/policies/quota_sets.py @@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-quota-sets:%s' quota_sets_policies = [ policy.DocumentedRuleDefault( name=POLICY_ROOT % 'update', - check_str=base.SYSTEM_ADMIN, + check_str=base.ADMIN, description="Update the quotas", operations=[ { @@ -32,7 +32,7 @@ quota_sets_policies = [ 'path': '/os-quota-sets/{tenant_id}' } ], - scope_types=['system']), + scope_types=['project']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'defaults', check_str=base.RULE_ANY, @@ -43,10 +43,10 @@ quota_sets_policies = [ 'path': '/os-quota-sets/{tenant_id}/defaults' } ], - scope_types=['system', 'project']), + scope_types=['project']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'show', - check_str=base.PROJECT_READER_OR_SYSTEM_READER, + check_str=base.PROJECT_READER_OR_ADMIN, description="Show a quota", operations=[ { @@ -54,10 +54,10 @@ quota_sets_policies = [ 'path': '/os-quota-sets/{tenant_id}' } ], - scope_types=['system', 'project']), + scope_types=['project']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'delete', - check_str=base.SYSTEM_ADMIN, + check_str=base.ADMIN, description="Revert quotas to defaults", operations=[ { @@ -65,10 +65,13 @@ quota_sets_policies = [ 'path': '/os-quota-sets/{tenant_id}' } ], - scope_types=['system']), + scope_types=['project']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'detail', - check_str=base.PROJECT_READER_OR_SYSTEM_READER, + # TODO(gmann): Until we have domain admin or so to get other project's + # data, allow admin role(with scope check it will be project admin) to + # get other project quota. + check_str=base.PROJECT_READER_OR_ADMIN, description="Show the detail of quota", operations=[ { @@ -76,7 +79,7 @@ quota_sets_policies = [ 'path': '/os-quota-sets/{tenant_id}/detail' } ], - scope_types=['system', 'project']), + scope_types=['project']), ] |