File 0002-Enable-cloud_admin-to-list-projects-in-all-domains.patch of Package openstack-keystone
From 48708993f2782cbbf26ce9bcc904f4118fa3601a Mon Sep 17 00:00:00 2001
From: Takashi NATSUME <natsume.takashi@lab.ntt.co.jp>
Date: Thu, 13 Nov 2014 13:17:32 +0900
Subject: [PATCH 2/2] Enable cloud_admin to list projects in all domains
This patch enables the cloud_admin to get the list of projects
in all domains by default (in 'policy.v3cloudsample.json').
Change-Id: I117c0a78ec0f4cb943c0a7c3cc7aeb271e9203fe
Closes-Bug: 1392155
(cherry picked from commit d02035f57cbc3d869db4c6d56a557b096fdbc4a8)
---
etc/policy.v3cloudsample.json | 2 +-
keystone/tests/test_v3_protection.py | 10 ++++++++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index ced0c96..bf44cc8 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -37,7 +37,7 @@
"admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
"admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
"identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
- "identity:list_projects": "rule:admin_required and domain_id:%(domain_id)s",
+ "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
"identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
"identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
"identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
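Review bot: The new `identity:list_projects` value lets anyone who matches `rule:cloud_admin` list projects with no domain filter at all, so the protection of cross-domain project enumeration now rests entirely on how `cloud_admin` is defined. That definition, and the definition of `admin_and_matching_domain_id`, are outside this hunk. It is worth confirming that `cloud_admin` is bound to a specific admin domain id and not only to a role name, and that `admin_and_matching_domain_id` is equivalent to the removed expression `rule:admin_required and domain_id:%(domain_id)s`, so that domain admins keep exactly the access they had. Because this file is JSON and cannot carry a comment, the deployment documentation for this sample policy should say that the admin domain id must be set before the file is used.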
diff --git a/keystone/tests/test_v3_protection.py b/keystone/tests/test_v3_protection.py
index f06ecff..79662b8 100644
--- a/keystone/tests/test_v3_protection.py
+++ b/keystone/tests/test_v3_protection.py
@@ -587,6 +587,16 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
self._test_project_management(self.domainA['id'])
+ def test_project_management_by_cloud_admin(self):
+ self.auth = self.build_authentication_request(
+ user_id=self.cloud_admin_user['id'],
+ password=self.cloud_admin_user['password'],
+ domain_id=self.admin_domain['id'])
+
+ # Check whether cloud admin can operate a domain
+ # other than its own domain or not
+ self._test_project_management(self.domainA['id'])
+
def test_domain_grants(self):
self.auth = self.build_authentication_request(
user_id=self.just_a_user['id'],
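Review bot: `test_project_management_by_cloud_admin` covers only the allow path. Nothing in this hunk checks that the rewritten `identity:list_projects` rule still refuses a domain admin who asks for projects in another domain or who omits the domain filter. `_test_project_management` and the enclosing class are defined outside the hunk, so that case may already be covered there. If it is not, a deny-path test belongs next to this one, introduced by a comment such as `# A domain admin must still get 403 when listing projects of another domain`. The new method would also read better with a one-line docstring, for example `"""Cloud admin can manage projects in a domain other than its own."""`, in place of the two-line comment.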
--
2.3.7