This is what we decided while implementing project personas during Wallaby: the project-admin persona is still reserved for administrative API access for system administrators/operators. This will remain the case until we can refactor portions of Glance to make it easier to implement system-scope.
https://review.opendev.org/c/openstack/glance/+/764754
Secure RBAC work is still experimental in Glance. So should we treat this bug as security?
https://github.com/openstack/glance/blob/master/releasenotes/notes/secure-rbac-project-personas-fb0d9792b9dc3783.yaml
Just for reference:
https://review.opendev.org/c/openstack/glance-tempest-plugin/+/773568/25/glance_tempest_plugin/tests/rbac/v2/test_images.py#576
These are effectively what we currently consider to be "admin" today, which is "can do anything." These are testing those assumptions today, which before RBAC changes, are true. The FIXME comments in these tests describe what will need to change when this class is actually scoped to just admin-of-a-project. In effect, the SystemAdminTests above (currently disabled) will validate the actual can-do-anything admin after that is enabled, when these change to just assert what we expect a project admin to do.