Merge "Fix designate sRBAC overrides" into stable/wallaby

2023-07-13 04:16:51 +00:00 · 2023-07-13 04:16:51 +00:00 · 2dbbc7e84a
commit 2dbbc7e84a
parent 3253358852 21d9156371
1 changed files with 5 additions and 5 deletions
--- a/environments/enable-secure-rbac.yaml
+++ b/environments/enable-secure-rbac.yaml
@ -1674,7 +1674,7 @@ parameter_defaults:
      value: "role:reader"
    designate-get_blacklist:
      key: "get_blacklist"
-      value: "role:reader"
+      value: "role:admin"
    designate-update_blacklist:
      key: "update_blacklist"
      value: "role:admin"
@ -1755,7 +1755,7 @@ parameter_defaults:
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
    designate-get_recordset:
      key: "get_recordset"
-      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
+      value: "(role:reader and project_id:%(project_id)s) or role:admin"
    designate-find_recordset:
      key: "find_recordset"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
@ -1827,13 +1827,13 @@ parameter_defaults:
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
    designate-get_zone:
      key: "get_zone"
-      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
+      value: "(role:reader and project_id:%(project_id)s) or role:admin"
    designate-get_zone_servers:
      key: "get_zone_servers"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
    designate-get_zone_ns_records:
      key: "get_zone_ns_records"
-      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
+      value: "(role:reader and project_id:%(project_id)s) or role:admin"
    designate-find_zones:
      key: "find_zones"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
@ -1899,7 +1899,7 @@ parameter_defaults:
      value: "(role:admin or (role:member and project_id:%(project_id)s)) or project_id:%(target_project_id)s or None:%(target_project_id)s"
    designate-get_zone_transfer_accept:
      key: "get_zone_transfer_accept"
-      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
+      value: "(role:reader and project_id:%(project_id)s) or role:admin"
    designate-find_zone_transfer_accepts:
      key: "find_zone_transfer_accepts"
      value: "role:admin"