Diffstat (limited to 'nova/policies/server_external_events.py')
-rw-r--r-- | nova/policies/server_external_events.py | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/nova/policies/server_external_events.py b/nova/policies/server_external_events.py
index bd9a21aea0..56034d0186 100644
--- a/nova/policies/server_external_events.py
+++ b/nova/policies/server_external_events.py
@@ -24,7 +24,15 @@ POLICY_ROOT = 'os_compute_api:os-server-external-events:%s'
 server_external_events_policies = [
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'create',
- check_str=base.SYSTEM_ADMIN,
+ # TODO(gmann): This is internal API policy and supposed to be called
+ # by neutron, cinder, ironic, and cyborg (may be other openstack
+ # services in future). Add 'service' role in this policy so that
+ # neutron can call it with user having 'service' role (not having
+ # server's project_id). That is for phase-2 of RBAC goal and until
+ # then, we keep it open for all admin in any project. We cannot
+ # default it to ADMIN which has the project_id in
+ # check_str and will fail if neutron call it with other project_id.
+ check_str=base.ADMIN,
 description="Create one or more external events",
 operations=[
 {
@@ -32,7 +40,7 @@ server_external_events_policies = [
 'path': '/os-server-external-events'
 }
 ],
- scope_types=['system']),
+ scope_types=['project']),
 ] |
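Review bot: The TODO added above `check_str=base.ADMIN` says the policy cannot default to ADMIN because that rule has the project_id in its check string, yet the next line sets exactly `check_str=base.ADMIN`. The comment presumably means the project-bound admin rule (likely `base.PROJECT_ADMIN`, defined outside this hunk) and should name it, e.g. `# default it to PROJECT_ADMIN which has the project_id in`. As the comment itself states, an admin of any project can now create external events for servers in other projects until the 'service' role exists. That trust assumption is worth one sentence in `description`, which is currently just "Create one or more external events", so operators reading the generated policy documentation see it and not only readers of the source.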
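Review bot: `scope_types=['project']` combined with a check string that carries no `project_id` constrains only the kind of token accepted, not which server an event may target, so nothing visible in this hunk binds the caller to the instance's project. A caller that authenticated with a system-scoped admin token under the old `['system']` setting would also be rejected once scope enforcement is enabled, which is an upgrade-visible change. A release note would record that change, and policy unit tests for an admin from a different project and for a system-scoped token would record the intended outcome. The diffstat is limited to this file, so whether the commit already contains them cannot be seen from here.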