trivial: Fix policy scope restriction for automated cleaning
By default, the decision whether to clean is a "system" decision, and not necessarily a "user" or "operator" decision. However, some operators may choose to have custom policies to enable specific tenants to have additional rights without granting special system scoped users.

This change just changes the labeling on the default rule to permit it to match a project scoped user while leaving the default rule in place. This slightly changes the resulting error, but doesn't change the error code, and enables operators to run with custom rules for this entry.

Change-Id: Ie963abcbff079664b8407499c3e943ad3fd8f315
This commit is contained in:
parent
21d6133fa1
commit
ffecec3c55
@ -1002,7 +1002,7 @@ node_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='baremetal:node:disable_cleaning',
|
||||
check_str=SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
scope_types=['system', 'project'],
|
||||
description='Disable Node disk cleaning',
|
||||
operations=[
|
||||
{'path': '/nodes/{node_ident}', 'method': 'PATCH'}
|
||||
|
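Review bot: The combination of `scope_types=['system', 'project']` with an unchanged `check_str=SYSTEM_ADMIN` on `baremetal:node:disable_cleaning` reads as contradictory without context, so please add a short comment above this rule saying that project scope is accepted only so operator-supplied overrides can match project-scoped tokens, and that the default still requires a system admin. Since the scope check no longer rejects project-scoped requests, the `check_str` is now the only thing denying them by default. No test is visible in this change, so a unit test asserting that a project-scoped admin or member is still refused on `PATCH /nodes/{node_ident}` under the default policy, with the same error code, would guard against a later edit to `check_str` silently opening this up.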
@ -0,0 +1,8 @@
|
||||
---
|
||||
fixes:
|
||||
- |
|
||||
Fixes the policy scope checking for the RBAC Policy
|
||||
``baremetal:node:disable_cleaning``, which previously
|
||||
restricted to ``system`` user scope. The scope restriction
|
||||
has been revised to permit ``project`` scoped matching,
|
||||
but the default RBAC policy has not been revised.
|
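Review bot: The release note does not tell operators what they need to do or what they will observe. The last sentence, "the default RBAC policy has not been revised", should say outright that project-scoped users are still denied unless the operator overrides `baremetal:node:disable_cleaning` with a custom rule. The commit message says the resulting error changes slightly while the error code stays the same, and that is worth one line here for anyone matching on the error text. Also, "which previously restricted to ``system`` user scope" is missing a word ("was restricted").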