openstack/heat
Code Issues Proposed changes

Remove SYSTEM scoped alias for RBAC

Browse Source 
System scoped has been dropped form the heat
policies
- I943b3c1ce021cc05445b73fbc342b8386cf5bf6a

but its aliais are not removed. Clean up them
to avoid any confusion of using system scope rules.

Change-Id: Ic909dd5d4b5eaefbfe93aee7a07bd1654dac1075
This commit is contained in:
Ghanshyam
2025-05-08 15:08:08 -07:00
parent 6b7b8bb8ea
commit ad13367fdf
1 changed files with 1 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
heat/policies/base.py
View File

@@ -19,8 +19,6 @@ RULE_DENY_EVERYBODY = 'rule:deny_everybody'
RULE_ALLOW_EVERYBODY = 'rule:allow_everybody' RULE_ALLOW_EVERYBODY = 'rule:allow_everybody'
# Check strings that embody common personas # Check strings that embody common personas
SYSTEM_ADMIN = 'role:admin and system_scope:all'
SYSTEM_READER = 'role:reader and system_scope:all'
PROJECT_MEMBER = 'role:member and project_id:%(project_id)s' PROJECT_MEMBER = 'role:member and project_id:%(project_id)s'
PROJECT_READER = 'role:reader and project_id:%(project_id)s' PROJECT_READER = 'role:reader and project_id:%(project_id)s'
@@ -44,8 +42,7 @@ rules = [
policy.RuleDefault( policy.RuleDefault(
name="context_is_admin", name="context_is_admin",
check_str=( check_str=(
"(role:admin and is_admin_project:True) OR " "(role:admin and is_admin_project:True)"
"(" + SYSTEM_ADMIN + ")"
), ),
description="Decides what is required for the 'is_admin:True' check " description="Decides what is required for the 'is_admin:True' check "
"to succeed."), "to succeed."),