Reviewed: https://review.openstack.org/638587
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=425d48ec0aa44b46c628d8c238bcf97f315d0f05
Submitter: Zuul
Branch: master
commit 425d48ec0aa44b46c628d8c238bcf97f315d0f05
Author: Vishakha Agarwal <email address hidden>
Date: Fri Feb 22 00:51:40 2019 +0530
Implement domain reader for role_assignments
This change adds test cases for the default roles
keystone supports at install time. It also modifies
the policies for the role_assignments API to be more
self-service by properly checking for scopes if accessed
with a domain-scoped token. This gives domain users the
power to query role assignments within the domain they
have authorization on without exposing other assignment
information in the deployment, domains, or projects.
Subsequent patches will:
- add functionality for domain members
- add functionality for domain admins
- add functionality for project readers
- add functionality for project members
- add functionality for project admins
- remove the obsolete policies from policy.v3cloudsample.json
Co-Authored-By: Lance Bragstad <email address hidden>
Partial-Bug: 1750673
Change-Id: I0c6d202a315d4683e2589f0d9121e93c97fb13e4