Andrew Bogott has submitted this change and it was merged.
Change subject: Update designate policy.conf
......................................................................
Update designate policy.conf
Most actions now require admin or projectadmin. A few read-only
actions have loosened policies, allowing any project member.
Bug: T126765
Change-Id: I238c8d7d0aad95b3af3f7d20a7f065a7846ce91b
---
M modules/openstack/files/kilo/designate/policy.json
1 file changed, 37 insertions(+), 36 deletions(-)
Approvals:
Andrew Bogott: Looks good to me, approved
jenkins-bot: Verified
diff --git a/modules/openstack/files/kilo/designate/policy.json
b/modules/openstack/files/kilo/designate/policy.json
index 9d96379..196b31c 100644
--- a/modules/openstack/files/kilo/designate/policy.json
+++ b/modules/openstack/files/kilo/designate/policy.json
@@ -1,59 +1,60 @@
{
"admin": "role:admin or is_admin:True",
- "owner": "tenant:%(tenant_id)s",
- "admin_or_owner": "rule:admin or rule:owner",
+ "member": "tenant:%(tenant_id)s",
+ "admin_or_member": "rule:admin or rule:member",
+ "admin_or_projectadmin": "rule:admin or role:projectadmin",
"target": "tenant:%(target_tenant_id)s",
- "owner_or_target":"rule:target or rule:owner",
- "admin_or_owner_or_target":"rule:owner_or_target or rule:admin",
+ "member_or_target":"rule:target or rule:member",
+ "admin_or_member_or_target":"rule:member_or_target or rule:admin",
"admin_or_target":"rule:admin or rule:target",
- "default": "rule:admin_or_owner",
+ "default": "rule:admin_or_projectadmin",
"all_tenants": "rule:admin",
"use_low_ttl": "rule:admin",
- "get_quotas": "rule:admin_or_owner",
- "get_quota": "rule:admin_or_owner",
+ "get_quotas": "rule:admin_or_member",
+ "get_quota": "rule:admin_or_member",
"set_quota": "rule:admin",
"reset_quotas": "rule:admin",
"create_tld": "rule:admin",
"find_tlds": "rule:admin",
- "get_tld": "rule:admin",
+ "get_tld": "rule:admin_or_member",
"update_tld": "rule:admin",
"delete_tld": "rule:admin",
"create_tsigkey": "rule:admin",
"find_tsigkeys": "rule:admin",
- "get_tsigkey": "rule:admin",
+ "get_tsigkey": "rule:admin_or_member",
"update_tsigkey": "rule:admin",
"delete_tsigkey": "rule:admin",
- "find_tenants": "rule:admin",
- "get_tenant": "rule:admin",
+ "find_tenants": "rule:admin_or_member",
+ "get_tenant": "rule:admin_or_member",
"count_tenants": "rule:admin",
- "create_domain": "rule:admin_or_owner",
- "get_domains": "rule:admin_or_owner",
- "get_domain": "rule:admin_or_owner",
- "get_domain_servers": "rule:admin_or_owner",
- "find_domains": "rule:admin_or_owner",
- "find_domain": "rule:admin_or_owner",
- "update_domain": "rule:admin_or_owner",
- "delete_domain": "rule:admin_or_owner",
+ "create_domain": "rule:admin_or_projectadmin",
+ "get_domains": "rule:admin_or_member",
+ "get_domain": "rule:admin_or_member",
+ "get_domain_servers": "rule:admin_or_member",
+ "find_domains": "rule:admin_or_projectadmin",
+ "find_domain": "rule:admin_or_projectadmin",
+ "update_domain": "rule:admin_or_projectadmin",
+ "delete_domain": "rule:admin_or_projectadmin",
"abandon_domain": "rule:admin",
- "count_domains": "rule:admin_or_owner",
- "touch_domain": "rule:admin_or_owner",
+ "count_domains": "rule:admin_or_projectadmin",
+ "touch_domain": "rule:admin_or_projectadmin",
- "create_record": "rule:admin_or_owner",
- "get_records": "rule:admin_or_owner",
- "get_record": "rule:admin_or_owner",
- "find_records": "rule:admin_or_owner",
- "find_record": "rule:admin_or_owner",
- "update_record": "rule:admin_or_owner",
- "delete_record": "rule:admin_or_owner",
- "count_records": "rule:admin_or_owner",
+ "create_record": "rule:admin_or_projectadmin",
+ "get_records": "rule:admin_or_member",
+ "get_record": "rule:admin_or_member",
+ "find_records": "rule:admin_or_projectadmin",
+ "find_record": "rule:admin_or_projectadmin",
+ "update_record": "rule:admin_or_projectadmin",
+ "delete_record": "rule:admin_or_projectadmin",
+ "count_records": "rule:admin_or_projectadmin",
"use_sudo": "rule:admin",
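Review bot: `"get_tsigkey": "rule:admin_or_member"` is grouped with the read-only loosenings, but reading a TSIG key presumably returns the shared secret, so read access here amounts to credential disclosure. Every other tsigkey action in this hunk stays at `rule:admin`, and this one should too unless there is a specific consumer: `"get_tsigkey": "rule:admin",`. The same question applies to `find_tenants` and `get_tenant`, which are cross-project by nature. Whether `rule:member` (`tenant:%(tenant_id)s`) constrains these calls at all depends on whether Designate puts a `tenant_id` in the policy target for them, which is not visible in this diff and should be confirmed before relying on it.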
@@ -77,16 +78,16 @@
"diagnostics_sync_domain": "rule:admin",
"diagnostics_sync_record": "rule:admin",
- "create_zone_transfer_request": "rule:admin_or_owner",
- "get_zone_transfer_request": "rule:admin_or_owner or
tenant:%(target_tenant_id)s or None:%(target_tenant_id)s",
- "get_zone_transfer_request_detailed": "rule:admin_or_owner",
+ "create_zone_transfer_request": "rule:admin_or_projectadmin",
+ "get_zone_transfer_request": "rule:admin_or_projectadmin or
tenant:%(target_tenant_id)s or None:%(target_tenant_id)s",
+ "get_zone_transfer_request_detailed": "rule:admin_or_projectadmin",
"find_zone_transfer_requests": "@",
"find_zone_transfer_request": "@",
- "update_zone_transfer_request": "rule:admin_or_owner",
- "delete_zone_transfer_request": "rule:admin_or_owner",
+ "update_zone_transfer_request": "rule:admin_or_projectadmin",
+ "delete_zone_transfer_request": "rule:admin_or_projectadmin",
- "create_zone_transfer_accept": "rule:admin_or_owner or
tenant:%(target_tenant_id)s or None:%(target_tenant_id)s",
- "get_zone_transfer_accept": "rule:admin_or_owner",
+ "create_zone_transfer_accept": "rule:admin_or_projectadmin or
tenant:%(target_tenant_id)s or None:%(target_tenant_id)s",
+ "get_zone_transfer_accept": "rule:admin_or_projectadmin",
"find_zone_transfer_accepts": "rule:admin",
"find_zone_transfer_accept": "rule:admin",
"update_zone_transfer_accept": "rule:admin",
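Review bot: `create_zone_transfer_accept` and `get_zone_transfer_request` keep the `tenant:%(target_tenant_id)s or None:%(target_tenant_id)s` alternatives, so the move to `admin_or_projectadmin` does not actually gate them. Any member of the target project still passes, and if the `None:` check matches requests with no target tenant, as it appears intended to, so does any authenticated user. Accepting a transfer gives the accepting project a zone, so this looks like a way around the new projectadmin requirement on `create_domain`. If that is not intended, require the role together with the tenant match, e.g. `"create_zone_transfer_accept": "rule:admin or (role:projectadmin and (tenant:%(target_tenant_id)s or None:%(target_tenant_id)s))",`. The unchanged `"find_zone_transfer_requests": "@"` context lines deserve a look in the same pass.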
--
To view, visit https://gerrit.wikimedia.org/r/270809
Gerrit-MessageType: merged
Gerrit-Change-Id: I238c8d7d0aad95b3af3f7d20a7f065a7846ce91b
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <[email protected]>
Gerrit-Reviewer: Andrew Bogott <[email protected]>
Gerrit-Reviewer: jenkins-bot <>