diff options
| author | David Lyle <david.lyle@intel.com> | 2016-07-01 10:16:33 -0600 |
|---|---|---|
| committer | David Lyle <david.lyle@intel.com> | 2016-07-06 16:22:16 -0600 |
| commit | ac1ff6068b91bb67db0fdbe5ee9e99964237a83d (patch) | |
| tree | 1b3db9fa318f54181a302ca8e7d15798bf5a02e6 | |
| parent | 0afe75fabc4b3a1c9e9482099fad220008370167 (diff) | |
| download | django_openstack_auth-ac1ff6068b91bb67db0fdbe5ee9e99964237a83d.tar.gz | |
Adding tenant_id to policy default
The policy engine already automatically sets the target project_id
some policy files use tenant_id instead. See recent neutron policy
file. Also adding tenant_id to the credential list that is
populated.
Why this matters is that batch actions don't have data associated
with them when the policy checks are made so policy files that
use tenant_id instead of project_id will fail.
Closes-Bug: #1598242
Change-Id: I1b7c5c545852e76cbd46ece003ee9bbb0c19fdec
| -rw-r--r-- | openstack_auth/policy.py | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/openstack_auth/policy.py b/openstack_auth/policy.py index ec10fbb..3047a90 100644 --- a/openstack_auth/policy.py +++ b/openstack_auth/policy.py @@ -121,6 +121,8 @@ def check(actions, request, target=None): # the service APIs will correct us if we are too permissive. if target.get('project_id') is None: target['project_id'] = user.project_id + if target.get('tenant_id') is None: + target['tenant_id'] = target['project_id'] # same for user_id if target.get('user_id') is None: target['user_id'] = user.id @@ -187,6 +189,7 @@ def _user_to_credentials(user): 'token': user.token, 'username': user.username, 'project_id': user.project_id, + 'tenant_id': user.project_id, 'project_name': user.project_name, 'domain_id': user.user_domain_id, 'is_admin': user.is_superuser, |