project scoped manager support
Adds support for the project manager role, which is a state between project-scoped admin and project-scoped member. This is finally able to be merged since the higher-end goal/work finally merged on March 1st.

Related: https://review.opendev.org/c/openstack/governance/+/815158
Change-Id: Ia35f4a4c3c2af68dc64bfe32f206e57056876dc7
parent: 4e6a3d52ed
commit: 0311ea7c92
@ -62,6 +62,12 @@ Project Scoped
Project scoped authentication is when a request token and associated records
indicate an associated ``project_id`` value.

The Secure RBAC model, since the introduction of the base capability has been
extended as a result of an OpenStack community goal to include a ``manager``
role in the project scope. By default, this access is equivelent to a Project
scoped ``admin`` user, however it may be delineated further as time moves
forward.

Legacy Behavior
---------------

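Review bot: the added paragraph says the ``manager`` role is "equivelent to a Project scoped ``admin`` user", but the check strings introduced in this same change are not identical: ``PROJECT_ADMIN`` matches only ``project_id:%(node.owner)s`` while ``PROJECT_MANAGER`` matches ``node.owner`` or ``node.lessee``, so a manager of a lessee project satisfies the manager check where an admin of that lessee project does not satisfy ``PROJECT_ADMIN``. Either state the lessee difference here or align the two check strings, so operators reading the docs do not underestimate what assigning ``manager`` grants. Also fix the spelling ("equivalent") and the punctuation of "The Secure RBAC model, since the introduction of the base capability has been extended" (drop the comma or add one after "capability").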
@ -64,6 +64,13 @@ SYSTEM_READER = 'role:reader and system_scope:all'
# default volume type for a project)
PROJECT_ADMIN = ('role:admin and '
'project_id:%(node.owner)s')
# This check string is reserved for an intermediate point between
# a Project Admin and a Project Member. This is an outcome of the
# revised Yoga Secure RBAC community goal.
# The advantage here may be that this rule *does* match against node owners
# and lessees.
PROJECT_MANAGER = ('role:manager and '
'(project_id:%(node.owner)s or project_id:%(node.lessee)s)')
# This check string is the primary use case for typical end-users, who are
# working with resources that belong to a project (e.g., creating volumes and
# backups).
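Review bot: the comment describes ``PROJECT_MANAGER`` as "an intermediate point between a Project Admin and a Project Member", yet on one axis the rule is broader than ``PROJECT_ADMIN``: it also matches ``project_id:%(node.lessee)s``, which ``PROJECT_ADMIN`` directly above does not. Reword the comment to say explicitly that a manager of the lessee project matches this rule, and confirm that is intended, since it widens who can satisfy a manager check on leased nodes. Separately, none of the composite rules in the visible hunks reference ``PROJECT_MANAGER`` (they use ``PROJECT_OWNER_MANAGER`` and ``PROJECT_LESSEE_MANAGER``); if it is unused elsewhere in the module, drop it rather than ship a check string that could be picked up by mistake later.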
@ -88,24 +95,30 @@ SYSTEM_OR_PROJECT_READER = (
)

PROJECT_OWNER_ADMIN = ('role:admin and project_id:%(node.owner)s')
PROJECT_OWNER_MANAGER = ('role:manager and project_id:%(node.owner)s')
PROJECT_OWNER_MEMBER = ('role:member and project_id:%(node.owner)s')
PROJECT_OWNER_READER = ('role:reader and project_id:%(node.owner)s')
PROJECT_LESSEE_ADMIN = ('role:admin and project_id:%(node.lessee)s')
PROJECT_LESSEE_MANAGER = ('role:manager and project_id:%(node.lessee)s')

# Not used - Members can create/destroy their allocations.
ALLOCATION_OWNER_ADMIN = ('role:admin and project_id:%(allocation.owner)s')
# Not used - Members can create/destroy their allocations.
ALLOCATION_OWNER_MANAGER = ('role:manager and project_id:%(allocation.owner)s')

ALLOCATION_OWNER_MEMBER = ('role:member and project_id:%(allocation.owner)s')
ALLOCATION_OWNER_READER = ('role:reader and project_id:%(allocation.owner)s')

SYSTEM_OR_OWNER_MEMBER_AND_LESSEE_ADMIN = (
'(' + SYSTEM_MEMBER + ') or (' + PROJECT_OWNER_MEMBER + ') or (' + PROJECT_LESSEE_ADMIN + ')' # noqa
'(' + SYSTEM_MEMBER + ') or (' + PROJECT_OWNER_MEMBER + ') or (' + PROJECT_LESSEE_ADMIN + ') or (' + PROJECT_LESSEE_MANAGER + ')' # noqa
)

SYSTEM_ADMIN_OR_OWNER_ADMIN = (
'(' + SYSTEM_ADMIN + ') or (' + PROJECT_OWNER_ADMIN + ')'
'(' + SYSTEM_ADMIN + ') or (' + PROJECT_OWNER_ADMIN + ') or (' + PROJECT_OWNER_MANAGER + ')' # noqa
)

SYSTEM_MEMBER_OR_OWNER_ADMIN = (
'(' + SYSTEM_MEMBER + ') or (' + PROJECT_OWNER_ADMIN + ')'
'(' + SYSTEM_MEMBER + ') or (' + PROJECT_OWNER_ADMIN + ') or (' + PROJECT_OWNER_MANAGER + ')' # noqa
)

SYSTEM_MEMBER_OR_OWNER_MEMBER = (
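Review bot: the composite rule names no longer describe what they grant: ``SYSTEM_ADMIN_OR_OWNER_ADMIN`` and ``SYSTEM_MEMBER_OR_OWNER_ADMIN`` now also pass for ``PROJECT_OWNER_MANAGER``, and ``SYSTEM_OR_OWNER_MEMBER_AND_LESSEE_ADMIN`` now passes for ``PROJECT_LESSEE_MANAGER``. These identifiers are what a policy reviewer greps for when auditing who can reach an endpoint, so add a comment above each changed rule (or one module-level note) stating that "ADMIN" in these names includes the ``manager`` role. ``ALLOCATION_OWNER_MANAGER`` is added under a copied "# Not used" comment; a defined-but-unused check string is one more thing to keep in sync with the allocation rules, so either wire it in or leave it out. The over-length lines are only hidden by ``# noqa``; a small helper that joins the parts with ' or ' would keep each rule readable and make the manager additions visible at a glance.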
@ -117,7 +130,7 @@ SYSTEM_OR_OWNER_READER = (
)

SYSTEM_MEMBER_OR_OWNER_LESSEE_ADMIN = (
'(' + SYSTEM_MEMBER + ') or (' + PROJECT_OWNER_ADMIN + ') or (' + PROJECT_LESSEE_ADMIN + ')' # noqa
'(' + SYSTEM_MEMBER + ') or (' + PROJECT_OWNER_ADMIN + ') or (' + PROJECT_OWNER_MANAGER + ') or (' + PROJECT_LESSEE_ADMIN + ') or (' + PROJECT_LESSEE_MANAGER + ')' # noqa
)


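Review bot: this extends ``SYSTEM_MEMBER_OR_OWNER_LESSEE_ADMIN`` with both ``PROJECT_OWNER_MANAGER`` and ``PROJECT_LESSEE_MANAGER``, the widest grant in the patch: any user holding ``manager`` on either the owning or the leasing project now satisfies a rule that previously required ``admin`` on one of those projects. Please confirm the policy unit tests exercise a lessee-project manager for every endpoint guarded by this rule (the remaining file diff on this page is suppressed as too large, so that cannot be checked here), and put a comment on the rule naming the manager inclusion, as the identifier still reads "ADMIN".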
File diff suppressed because it is too large
@ -0,0 +1,8 @@
---
features:
- |
Adds a default ``project`` scoped ``manager`` role to the RBAC model.
In the ironic model, access is generally explicitly delegated, and such
the ``manager`` role is presently equivelent to project scoped ``admin``
role, however future delineation may occur as the new features and
capabilities are added.
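Review bot: the release note is where operators will learn that ``manager`` is now admin-equivalent in ironic, so it should say plainly that any user who already holds the ``manager`` role on a project gains that access on upgrade, since the changed composite rules accept ``manager`` wherever they previously required project-scoped ``admin``; an operator who assigned ``manager`` for another service's purposes needs that warning to re-check role assignments. Spelling and grammar: "equivelent" -> "equivalent"; "and such the ``manager`` role" -> "and as such the ``manager`` role"; "as the new features and capabilities are added" -> "as new features and capabilities are added".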