Fix self_owned_node policy check

When enabling scope enforcement, the self_owned_node check could generate a failure because the check internally can be touched by both a project scoped and system scoped endpoint. This change changes the tag in the policy so it doesn't prematurely return an error to the API consumer.

Change-Id: I49e2f7f29eb98e5bb4e18614cea0aca726703f55
parent 47b778977c
commit 9da6dfd73d
@ -464,7 +464,7 @@ node_policies = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='baremetal:node:create:self_owned_node',
|
name='baremetal:node:create:self_owned_node',
|
||||||
check_str=('(role:admin) or (role:service)'),
|
check_str=('(role:admin) or (role:service)'),
|
||||||
scope_types=['project'],
|
scope_types=['system', 'project'],
|
||||||
description='Create node records which will be tracked '
|
description='Create node records which will be tracked '
|
||||||
'as owned by the associated user project.',
|
'as owned by the associated user project.',
|
||||||
operations=[{'path': '/nodes', 'method': 'POST'}],
|
operations=[{'path': '/nodes', 'method': 'POST'}],
|
||||||
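Review bot: with 'system' added to scope_types on baremetal:node:create:self_owned_node, the unchanged check_str, (role:admin) or (role:service), carries no project condition, so once scope enforcement is on it is satisfied by any system-scoped token holding either role. The description still reads "tracked as owned by the associated user project", and a system-scoped token has no project to own the node. Please either update the description to say what happens for a system-scoped caller, or add a comment that system scope is accepted only so the internal check does not fail on scope mismatch, and add a policy test for system-scoped admin and service callers on POST /nodes.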
@ -693,7 +693,7 @@ node_policies = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='baremetal:node:delete:self_owned_node',
|
name='baremetal:node:delete:self_owned_node',
|
||||||
check_str=PROJECT_ADMIN,
|
check_str=PROJECT_ADMIN,
|
||||||
scope_types=['project'],
|
scope_types=['system', 'project'],
|
||||||
description='Delete node records which are associated with '
|
description='Delete node records which are associated with '
|
||||||
'the requesting project.',
|
'the requesting project.',
|
||||||
operations=[{'path': '/nodes/{node_ident}', 'method': 'DELETE'}],
|
operations=[{'path': '/nodes/{node_ident}', 'method': 'DELETE'}],
|
||||||
|
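Review bot: check_str=PROJECT_ADMIN stays as it was while scope_types gains 'system', and PROJECT_ADMIN is not defined anywhere in this hunk, so the change does not show whether a system-scoped caller can ever pass baremetal:node:delete:self_owned_node or is only spared the scope-mismatch error. The description still says "associated with the requesting project", which has no meaning for a system-scoped token. Please add a short comment above the rule stating the intended outcome for system-scoped callers, and a test for DELETE /nodes/{node_ident} with a system-scoped token so that behaviour is pinned.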
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Fixes scope classification check with the "self_owned_node" policy
|
||||||
|
check where it was limited to check execution with only project
|
||||||
|
scoped, so system scoped users who ticked the policy endpoint would
|
||||||
|
basically get an incorrect error.
|
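Review bot: the release note names neither the affected rules nor the error. The patch changes both baremetal:node:create:self_owned_node and baremetal:node:delete:self_owned_node, but the note refers only to the "self_owned_node" policy check, and "ticked the policy endpoint" and "basically get an incorrect error" leave an operator guessing what they would have seen. Suggest naming both rules, stating that they now accept system as well as project scope, and describing the failure as it appeared to the API consumer with scope enforcement enabled.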