Fix designate sRBAC overrides

The enable-secure-rbac.yaml overrides for designate have some bugs.
This patch corrects them to be more in line with the in-code defaults for
the new-defaults, no-scoped-tokens case.

Change-Id: I274c7f5144c07287a909a2f51fd755727b9f27bc
Michael Johnson 2023-07-07 23:16:36 +00:00
parent 3aca6591c9
commit 21d9156371

@ -1674,7 +1674,7 @@ parameter_defaults:
value: "role:reader"
designate-get_blacklist:
key: "get_blacklist"
value: "role:reader"
value: "role:admin"
designate-update_blacklist:
key: "update_blacklist"
value: "role:admin"
@ -1755,7 +1755,7 @@ parameter_defaults:
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
designate-get_recordset:
key: "get_recordset"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
value: "(role:reader and project_id:%(project_id)s) or role:admin"
designate-find_recordset:
key: "find_recordset"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
@ -1827,13 +1827,13 @@ parameter_defaults:
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
designate-get_zone:
key: "get_zone"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
value: "(role:reader and project_id:%(project_id)s) or role:admin"
designate-get_zone_servers:
key: "get_zone_servers"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
designate-get_zone_ns_records:
key: "get_zone_ns_records"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
value: "(role:reader and project_id:%(project_id)s) or role:admin"
designate-find_zones:
key: "find_zones"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
@ -1899,7 +1899,7 @@ parameter_defaults:
value: "(role:admin or (role:member and project_id:%(project_id)s)) or project_id:%(target_project_id)s or None:%(target_project_id)s"
designate-get_zone_transfer_accept:
key: "get_zone_transfer_accept"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
value: "(role:reader and project_id:%(project_id)s) or role:admin"
designate-find_zone_transfer_accepts:
key: "find_zone_transfer_accepts"
value: "role:admin"
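Review bot: The cross-project read branch is now written two different ways within the same hunks, and nothing in the file says why: the rewritten `get_recordset`, `get_zone`, `get_zone_ns_records` and `get_zone_transfer_accept` rules end in `or role:admin`, while the untouched `find_recordset`, `get_zone_servers` and `find_zones` rules beside them still end in `or (True:%(all_tenants)s and role:reader)`. (The +/- markers are lost on this page, so this assumes the second `value:` of each pair is the new side.) Under the older form a caller holding only `reader` passes the cross-project check whenever `all_tenants` evaluates true, so if the split is intentional it deserves a comment such as `# list/find rules honour all_tenants for readers; single-object gets require admin across projects`, and if it is not, the remaining entries should be brought to the same form. `role:admin` is also matched with no project or scope condition, so operators applying this override should confirm that admin role assignments are limited to trusted projects.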