File 0002-Enable-cloud_admin-to-list-projects-in-all-domains.patch of Package openstack-keystone

From 48708993f2782cbbf26ce9bcc904f4118fa3601a Mon Sep 17 00:00:00 2001
From: Takashi NATSUME <natsume.takashi@lab.ntt.co.jp>
Date: Thu, 13 Nov 2014 13:17:32 +0900
Subject: [PATCH 2/2] Enable cloud_admin to list projects in all domains

This patch enables the cloud_admin to get the list of projects
in all domains by default (in 'policy.v3cloudsample.json').

Change-Id: I117c0a78ec0f4cb943c0a7c3cc7aeb271e9203fe
Closes-Bug: 1392155
(cherry picked from commit d02035f57cbc3d869db4c6d56a557b096fdbc4a8)
---
 etc/policy.v3cloudsample.json        |  2 +-
 keystone/tests/test_v3_protection.py | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index ced0c96..bf44cc8 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -37,7 +37,7 @@
     "admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
     "admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
     "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
-    "identity:list_projects": "rule:admin_required and domain_id:%(domain_id)s",
+    "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
     "identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
     "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
     "identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
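Review bot: Swapping the inline expression for `rule:admin_and_matching_domain_id` on the `identity:list_projects` line preserves domain-admin behaviour only if that rule is still defined as `rule:admin_required and domain_id:%(domain_id)s`. Its definition, and that of `rule:cloud_admin`, sit outside this hunk and should be checked together with it. With this change anyone who satisfies `cloud_admin` can enumerate projects across every domain, so the tightness of that rule's definition now bounds cross-domain visibility. Since JSON has no comments, the widened scope is worth stating in the release notes for operators who copy this sample into a deployed policy file.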
diff --git a/keystone/tests/test_v3_protection.py b/keystone/tests/test_v3_protection.py
index f06ecff..79662b8 100644
--- a/keystone/tests/test_v3_protection.py
+++ b/keystone/tests/test_v3_protection.py
@@ -587,6 +587,16 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
 
         self._test_project_management(self.domainA['id'])
 
+    def test_project_management_by_cloud_admin(self):
+        self.auth = self.build_authentication_request(
+            user_id=self.cloud_admin_user['id'],
+            password=self.cloud_admin_user['password'],
+            domain_id=self.admin_domain['id'])
+
+        # Check whether cloud admin can operate a domain
+        # other than its own domain or not
+        self._test_project_management(self.domainA['id'])
+
     def test_domain_grants(self):
         self.auth = self.build_authentication_request(
             user_id=self.just_a_user['id'],
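Review bot: `test_project_management_by_cloud_admin` exercises only the allowed path and passes `self.domainA['id']`, so whether a listing without a domain filter (the "all domains" case in the subject) is covered depends on `_test_project_management`, whose body is outside this hunk. I would add an explicit unfiltered call such as `self.get('/projects', auth=self.auth)` to the test. A counterpart that authenticates as a domain admin and expects a 403 for the same request would stop a later policy edit from silently widening the rule. A one-line docstring like `"""Cloud admin can manage projects in a domain other than its own."""` would also read more clearly than the current two-line comment.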
-- 
2.3.7
