author | Lance Bragstad <lbragstad@gmail.com> | 2018-12-06 20:50:28 +0000 |
---|---|---|
committer | Lance Bragstad <lbragstad@gmail.com> | 2019-03-19 22:34:15 +0000 |
commit | cf1ce4eb36393cedadb2de2aeba8140c65e09775 (patch) | |
tree | 3e220e02ce27f3a0c457028debeab0c0ecc6f787 /keystone/api/users.py | |
parent | 9ca599e50610fadc60e1b05c1af37044916575c5 (diff) | |
Implement domain admin functionality for user API
This commit adds explicit testing to show how users with the admin role
on a domain can manage users within their domain. It also modifies the
default policies to account for this functionality. A subsequent patch
will do the same for project users.
Change-Id: I3899e07b857e213f85384ed9c9e4add199290a49
Partial-Bug: 1748027
Partial-Bug: 968696
Diffstat (limited to 'keystone/api/users.py')
-rw-r--r-- | keystone/api/users.py | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/keystone/api/users.py b/keystone/api/users.py
index f31b5bf32..7009c8714 100644
--- a/keystone/api/users.py
+++ b/keystone/api/users.py
@@ -181,8 +181,11 @@ class UserResource(ks_flask.ResourceBase):
 POST /v3/users
 """
- ENFORCER.enforce_call(action='identity:create_user')
 user_data = self.request_body_json.get('user', {})
+ target = {'user': user_data}
+ ENFORCER.enforce_call(
+ action='identity:create_user', target_attr=target
+ )
 validation.lazy_validate(schema.user_create, user_data)
 user_data = self._normalize_dict(user_data)
 user_data = self._normalize_domain_id(user_data)
@@ -196,7 +199,11 @@ class UserResource(ks_flask.ResourceBase):
 PATCH /v3/users/{user_id}
 """
- ENFORCER.enforce_call(action='identity:update_user')
+ ENFORCER.enforce_call(
+ action='identity:update_user',
+ build_target=_build_user_target_enforcement
+ )
+ PROVIDERS.identity_api.get_user(user_id)
 user_data = self.request_body_json.get('user', {})
 validation.lazy_validate(schema.user_update, user_data)
 self._require_matching_id(user_data) |
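Review bot: In the `POST /v3/users` hunk the policy target is built from the raw request body (`target = {'user': user_data}`) before `validation.lazy_validate` and before `_normalize_domain_id` run, so the attributes the policy evaluates are not necessarily the ones the user is created with. If `_normalize_domain_id` fills in a domain when the body omits `domain_id` (its body is not visible here), the authorization decision and the stored domain can differ; that presumably fails closed for a domain-scoped admin, but it should be pinned by a test for a request without `domain_id`. A comment above the call such as `# target is the unvalidated request body; domain_id is only defaulted after enforcement` would make the ordering deliberate. The method starts and ends outside the hunk.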
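Review bot: The bare `PROVIDERS.identity_api.get_user(user_id)` added in the `PATCH /v3/users/{user_id}` hunk discards its result, so it reads as dead code unless the reader knows it is there to raise for an unknown user; add a comment such as `# Existence check only: raises if user_id is unknown, after the policy check has run`. Presumably `_build_user_target_enforcement` (defined outside this hunk) already loads the same user, which would make this a second backend lookup per request; confirm that is intended. The target appears to describe the stored user only, so a `domain_id` supplied in the request body is not covered by this policy check and has to be rejected elsewhere. The method continues outside the hunk.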