Without this change, policy enforcement for the DELETE
/OS-TRUST/trusts/{trust_id} API is hardcoded in the flask dispatcher
code. This is a problem because this enforcement can't be controlled by
the operator, as is the norm. Moreover, it makes the transition to
system-scope and default-roles-aware policies more difficult because
there's no sensible migration from "" to a logical role-based check
string.

This converts the hardcoded enforcement to enforcement via default
policies for DELETE /OS-TRUST/trusts/{trust_id}. Currently only the
trustor or the is_admin user can access this API (since the is_admin
user bypasses the policy loading). This behavior will be changed in a
future patch that will allow the system admin to access this API.

This change does not use the formal oslo.policy deprecation system
because "" OR'd with the new default is entirely useless as a policy.
Reviewed: https://review.opendev.org/676277
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a09163a3202c32f05cf636559a95fe45c6ea272b
Submitter: Zuul
Branch: master
commit a09163a3202c32f05cf636559a95fe45c6ea272b
Author: Colleen Murphy <email address hidden>
Date: Tue Aug 13 13:09:41 2019 -0700
Move delete_trust enforcement to default policies

Without this change, policy enforcement for the DELETE
/OS-TRUST/trusts/{trust_id} API is hardcoded in the flask dispatcher
code. This is a problem because this enforcement can't be controlled by
the operator, as is the norm. Moreover, it makes the transition to
system-scope and default-roles-aware policies more difficult because
there's no sensible migration from "" to a logical role-based check
string.

This converts the hardcoded enforcement to enforcement via default
policies for DELETE /OS-TRUST/trusts/{trust_id}. Currently only the
trustor or the is_admin user can access this API (since the is_admin
user bypasses the policy loading). This behavior will be changed in a
future patch that will allow the system admin to access this API.

This change does not use the formal oslo.policy deprecation system
because "" OR'd with the new default is entirely useless as a policy.

Change-Id: I1aaba72b69b389ffbfcf7d5b8cc70453ffa59e73
Partial-bug: #1818850
Partial-bug: #1818846
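
Added example (not keystone or oslo.policy code): a simplified Python model of the commit message's last point, showing that a trustor check OR'd with the old empty default grants the request to every caller. The check-string subset, the trustor check string, `combine_deprecated`, `allowed_users` and the sample users are assumptions made for illustration.

```python
# Simplified model of policy check strings (illustration only, not oslo.policy).
# Assumptions: an empty check string always passes, and a rule deprecated
# through the formal mechanism is enforced as "new default OR old default".

TRUSTOR_CHECK = "user_id:%(target.trust.trustor_user_id)s"  # assumed new default
OLD_DEFAULT = ""                                            # old default from the commit message


def parse(check_str):
    """Turn a check string into a predicate over (credentials, target)."""
    check_str = check_str.strip()
    if check_str == "":
        return lambda creds, target: True  # empty rule allows every caller
    kind, _, match = check_str.partition(":")
    if kind == "user_id":
        # Substitute %(key)s from the flattened target, then compare.
        return lambda creds, target: creds["user_id"] == match % target
    raise ValueError(f"unsupported check string: {check_str!r}")


def combine_deprecated(new_check, old_check):
    """Model a deprecation-period rule: pass if either default passes."""
    new, old = parse(new_check), parse(old_check)
    return lambda creds, target: new(creds, target) or old(creds, target)


def allowed_users(rule, users, target):
    """Return the user ids for which the rule grants the request."""
    return [u["user_id"] for u in users if rule(u, target)]


# Constructed sample data: one trust created by alice, three callers.
TARGET = {"target.trust.trustor_user_id": "alice"}
USERS = [{"user_id": "alice"}, {"user_id": "bob"}, {"user_id": "carol"}]

if __name__ == "__main__":
    print("new default only:", allowed_users(parse(TRUSTOR_CHECK), USERS, TARGET))
    print("new OR old (''): ",
          allowed_users(combine_deprecated(TRUSTOR_CHECK, OLD_DEFAULT), USERS, TARGET))
```

With the trustor check alone only alice is allowed; once the empty default is OR'd in, the rule no longer restricts anything.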