From ac1ff6068b91bb67db0fdbe5ee9e99964237a83d Mon Sep 17 00:00:00 2001
From: David Lyle <david.lyle@intel.com>
Date: Fri, 1 Jul 2016 10:16:33 -0600
Subject: Adding tenant_id to policy default

The policy engine already automatically sets the target project_id
some policy files use tenant_id instead. See recent neutron policy
file. Also adding tenant_id to the credential list that is
populated.

Why this matters is that batch actions don't have data associated
with them when the policy checks are made so policy files that
use tenant_id instead of project_id will fail.

Closes-Bug: #1598242
Change-Id: I1b7c5c545852e76cbd46ece003ee9bbb0c19fdec
---
 openstack_auth/policy.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/openstack_auth/policy.py b/openstack_auth/policy.py
index ec10fbb..3047a90 100644
--- a/openstack_auth/policy.py
+++ b/openstack_auth/policy.py
@@ -121,6 +121,8 @@ def check(actions, request, target=None):
     # the service APIs will correct us if we are too permissive.
     if target.get('project_id') is None:
         target['project_id'] = user.project_id
+    if target.get('tenant_id') is None:
+        target['tenant_id'] = target['project_id']
     # same for user_id
     if target.get('user_id') is None:
         target['user_id'] = user.id
@@ -187,6 +189,7 @@ def _user_to_credentials(user):
                              'token': user.token,
                              'username': user.username,
                              'project_id': user.project_id,
+                             'tenant_id': user.project_id,
                              'project_name': user.project_name,
                              'domain_id': user.user_domain_id,
                              'is_admin': user.is_superuser,
-- 
cgit v1.2.1