Merge "Implement operator role RBAC for sw-manager"

2025-03-19 15:58:24 +00:00
parent 0da95aac50 924185d861
commit a91ea4c06f
7 changed files with 9 additions and 9 deletions
--- a/nfv/nfv-vim/nfv_vim/api/acl/policies/base.py
+++ b/nfv/nfv-vim/nfv_vim/api/acl/policies/base.py
@@ -15,7 +15,7 @@
 # SPDX-License-Identifier: Apache-2.0

 ADMIN_IN_SYSTEM_PROJECTS = 'admin_in_system_projects'
-READER_IN_SYSTEM_PROJECTS = 'reader_in_system_projects'
+READER_OR_OPERATOR_IN_SYSTEM_PROJECTS = 'reader_or_operator_in_system_projects'


 class RuleDefault(object):
@@ -44,8 +44,8 @@ base_rules = [
        description="Generic rule for set-style requests",
    ),
    RuleDefault(
-        name=READER_IN_SYSTEM_PROJECTS,
-        check_str='role:reader and (project_name:admin or ' +
+        name=READER_OR_OPERATOR_IN_SYSTEM_PROJECTS,
+        check_str='(role:reader or role:operator) and (project_name:admin or ' +
                  'project_name:services)',
        description="Generic rule for get-style requests",
    )
--- a/nfv/nfv-vim/nfv_vim/api/acl/policies/fw_update_strategy_policy.py
+++ b/nfv/nfv-vim/nfv_vim/api/acl/policies/fw_update_strategy_policy.py
@@ -32,7 +32,7 @@ fw_update_strategy_rules = [
    ),
    base.RuleDefault(
        name=POLICY_ROOT % 'get',
-        check_str='rule:' + base.READER_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.READER_OR_OPERATOR_IN_SYSTEM_PROJECTS,
        description="Get a fw_update_strategy",
    )
 ]
--- a/nfv/nfv-vim/nfv_vim/api/acl/policies/kube_rootca_update_strategy_policy.py
+++ b/nfv/nfv-vim/nfv_vim/api/acl/policies/kube_rootca_update_strategy_policy.py
@@ -32,7 +32,7 @@ kube_rootca_update_strategy_rules = [
    ),
    base.RuleDefault(
        name=POLICY_ROOT % 'get',
-        check_str='rule:' + base.READER_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.READER_OR_OPERATOR_IN_SYSTEM_PROJECTS,
        description="Get a kube_rootca_update_strategy",
    )
 ]
--- a/nfv/nfv-vim/nfv_vim/api/acl/policies/kube_upgrade_strategy_policy.py
+++ b/nfv/nfv-vim/nfv_vim/api/acl/policies/kube_upgrade_strategy_policy.py
@@ -32,7 +32,7 @@ kube_upgrade_strategy_rules = [
    ),
    base.RuleDefault(
        name=POLICY_ROOT % 'get',
-        check_str='rule:' + base.READER_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.READER_OR_OPERATOR_IN_SYSTEM_PROJECTS,
        description="Get a kube_upgrade_strategy",
    )
 ]
--- a/nfv/nfv-vim/nfv_vim/api/acl/policies/sw_patch_strategy_policy.py
+++ b/nfv/nfv-vim/nfv_vim/api/acl/policies/sw_patch_strategy_policy.py
@@ -32,7 +32,7 @@ sw_patch_strategy_rules = [
    ),
    base.RuleDefault(
        name=POLICY_ROOT % 'get',
-        check_str='rule:' + base.READER_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.READER_OR_OPERATOR_IN_SYSTEM_PROJECTS,
        description="Get a sw_patch_strategy",
    )
 ]
--- a/nfv/nfv-vim/nfv_vim/api/acl/policies/sw_upgrade_strategy_policy.py
+++ b/nfv/nfv-vim/nfv_vim/api/acl/policies/sw_upgrade_strategy_policy.py
@@ -32,7 +32,7 @@ sw_upgrade_strategy_rules = [
    ),
    base.RuleDefault(
        name=POLICY_ROOT % 'get',
-        check_str='rule:' + base.READER_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.READER_OR_OPERATOR_IN_SYSTEM_PROJECTS,
        description="Get a sw_upgrade_strategy",
    )
 ]
--- a/nfv/nfv-vim/nfv_vim/api/acl/policies/system_config_update_strategy_policy.py
+++ b/nfv/nfv-vim/nfv_vim/api/acl/policies/system_config_update_strategy_policy.py
@@ -32,7 +32,7 @@ system_config_update_strategy_rules = [
    ),
    base.RuleDefault(
        name=POLICY_ROOT % 'get',
-        check_str='rule:' + base.READER_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.READER_OR_OPERATOR_IN_SYSTEM_PROJECTS,
        description="Get a system_config_update_strategy",
    )
 ]