Fixes policy rules in neutron containing the keyword tenant_id.
The owner policy in neutron's policy.json is "tenant_id:%(tenant_id)s".
Currently, the rbac_role_converter does not populate the target dict
with the key 'tenant_id'. (The target dict is responsible for providing
oslo policy with as much information as possible about the target or
the user performing an action.) Consequently, rules containing the
format outlined above fail.
This patch adds 'tenant_id' as well as 'network:tenant_id' to the
target dict, in order to work with neutron's policy.json.
Change-Id: Iecf30d714ed0e9ebde2bff6013551accdf250cef
Closes-Bug: #1661062
diff --git a/patrole_tempest_plugin/rbac_role_converter.py b/patrole_tempest_plugin/rbac_role_converter.py
index fb0d2fe..bc6e006 100644
--- a/patrole_tempest_plugin/rbac_role_converter.py
+++ b/patrole_tempest_plugin/rbac_role_converter.py
@@ -116,9 +116,8 @@
"name": role
}
],
- "project": {
- "id": self.tenant_id
- }
+ "project_id": self.tenant_id,
+ "tenant_id": self.tenant_id
}
}
return access_token
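Review bot: The fake token now carries `project_id` and `tenant_id` as two separate flat keys with nothing explaining why both are needed, and the nested `project` entry is gone. A short comment such as `# oslo.policy looks up the left-hand key of "tenant_id:%(tenant_id)s" in the credentials, so both spellings are required` would stop a later cleanup from dropping one of them. Any other reader of `access['token']['project']['id']` in the module would now raise KeyError; the only one visible in this diff is removed in the next hunk, but that is worth confirming for code outside it. The enclosing method starts outside the hunk.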
@@ -134,7 +133,6 @@
"""
access_data = copy.copy(access['token'])
access_data['roles'] = [role['name'] for role in access_data['roles']]
- access_data['project_id'] = access_data['project']['id']
access_data['is_admin'] = is_admin
# TODO(felipemonteiro): Dynamically calculate is_admin_project rather
# than hard-coding it to True. is_admin_project cannot be determined
@@ -148,7 +146,9 @@
o = Object()
o.rules = self.rules
- target = {"project_id": access_data['project_id']}
+ target = {"project_id": access_data['project_id'],
+ "tenant_id": access_data['project_id'],
+ "network:tenant_id": access_data['project_id']}
result = self._try_rule(apply_rule, target, access_data, o)
return result
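Review bot: All three target keys built here are copied from `access_data['project_id']`, which comes from the caller's own token, so an owner rule such as `tenant_id:%(tenant_id)s` will match for every role this converter evaluates. That looks intended for this fix, but it means the result only describes the same-project case and cannot show that a rule denies access to another tenant's resource. I would state that above the dict with `# NOTE: target always mirrors the caller's project, so owner checks always match; cross-tenant denial is not modelled here.` The hard-coded `network:tenant_id` also covers just one resource-prefixed key, so other prefixed keys in a policy file would presumably still be missing from the target. The enclosing method starts outside the hunk.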