[barbican] Question about container policy rule:container_acl_read

Krzysztof Pawłowski msciciel at msciciel.eu
Mon Apr 20 05:48:40 UTC 2020


Hi,

I have a question about the policy for container consumers. Am I correct in
understanding that the policy below (as defined in the code) should allow users
with a read ACL on a container to create a consumer for that container?

    policy.DocumentedRuleDefault(
        name='consumers:post',
        check_str='rule:admin or rule:container_non_private_read or ' +
                  'rule:container_project_creator or ' +
                  'rule:container_project_admin or rule:container_acl_read',
        scope_types=[],
        description='Creates a consumer.',
        operations=[
            {
                'path': '/v1/containers/{container-id}/consumers',
                'method': 'POST'
            }
        ]
    ),

    policy.RuleDefault(
        name='container_acl_read',
        check_str="'read':%(target.container.read)s"),

It's not working for me and I want to be sure whether I'm doing something wrong
or whether it's designed to work another way. My current workaround is the policy
below, which allows the role 'creator' to update consumers:

    {"consumers:post": "rule:admin or rule:creator or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"}

Greets,
Krzysztof Pawłowski
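The following is an added, stand-alone example and is not code from Barbican, oslo.policy or the poster. It re-implements only the parts of oslo.policy's evaluator that the quoted rules use (`rule:` references, `role:` checks, the quoted-literal generic check and `or`) so it runs without oslo.policy installed, and walks the `consumers:post` rule through the cases that matter here: an admin, a plain `creator` with and without the container ACL in the target, the poster's workaround rule, and a target where `target.container.read` is missing or None. The `admin` and `creator` rules being `role:admin` / `role:creator`, and the target being a flattened dict with `target.container.read` set to the string `read` when the caller holds that ACL, are assumptions about what Barbican hands the enforcer; rules referenced but not defined (such as `container_project_creator`) deny, as an unknown rule name does in oslo.policy.

```python
"""Model of oslo.policy rule evaluation for Barbican's consumers:post rule.

Added example, not oslo.policy's or Barbican's own code. Assumptions
(not taken from the mail): the 'admin' and 'creator' rules are plain
role checks, and Barbican flattens the target into dotted keys such as
'target.container.read' whose value is the operation name ('read') when
the caller is listed in the container's read ACL.
"""
import ast

# Rule table: the two definitions quoted in the mail plus the assumed
# role rules. Anything referenced but absent here (e.g.
# container_project_creator) evaluates to False, as in oslo.policy.
RULES = {
    "admin": "role:admin",      # assumed
    "creator": "role:creator",  # assumed
    "container_acl_read": "'read':%(target.container.read)s",
    "consumers:post": ("rule:admin or rule:container_non_private_read or "
                       "rule:container_project_creator or "
                       "rule:container_project_admin or rule:container_acl_read"),
}

# The poster's workaround: the same rule with 'rule:creator' added.
WORKAROUND_RULES = dict(RULES)
WORKAROUND_RULES["consumers:post"] = (
    "rule:admin or rule:creator or rule:container_non_private_read or "
    "rule:container_project_creator or rule:container_project_admin or "
    "rule:container_acl_read")


def flatten(d, prefix=""):
    """{'target': {'container': {'read': 'read'}}} -> {'target.container.read': 'read'}.
    Assumed to mirror how Barbican flattens the policy target."""
    out = {}
    for k, v in d.items():
        key = f"{prefix}.{k}" if prefix else k
        if isinstance(v, dict):
            out.update(flatten(v, key))
        else:
            out[key] = v
    return out


def _check_atom(atom, target, creds, rules):
    """Evaluate one 'kind:match' atom the way oslo.policy's checks do."""
    kind, _, match = atom.partition(":")
    if kind == "rule":
        # RuleCheck: an undefined rule name is a deny, not an error.
        if match not in rules:
            return False
        return evaluate(rules[match], target, creds, rules)
    if kind == "role":
        # RoleCheck: case-insensitive membership in creds['roles'].
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # GenericCheck: substitute %(key)s from the target; a missing key => False.
    try:
        substituted = match % target
    except KeyError:
        return False
    try:
        wanted = ast.literal_eval(kind)  # quoted literal, e.g. 'read'
    except (ValueError, SyntaxError):
        wanted = creds                   # otherwise a dotted path into creds
        try:
            for part in kind.split("."):
                wanted = wanted[part]
        except KeyError:
            return False
    # Note the comparison is string equality: None becomes 'None' and fails.
    return substituted == str(wanted)


def evaluate(check_str, target, creds, rules=RULES):
    """Evaluate a check string whose atoms are joined by 'or' (the only
    operator the rules above use). An empty rule or '@' always passes."""
    if check_str.strip() in ("", "@"):
        return True
    return any(_check_atom(a.strip(), target, creds, rules)
               for a in check_str.split(" or "))


def can_post_consumer(roles, container_acl_ops, rules=RULES):
    """True if a caller with the given roles, whose ACL on the container
    grants the listed operations, passes consumers:post under `rules`."""
    creds = {"roles": list(roles)}
    target = flatten({"target": {"container": {op: op for op in container_acl_ops}}})
    return evaluate(rules["consumers:post"], target, creds, rules)


if __name__ == "__main__":
    print("admin, no ACL:            ", can_post_consumer(["admin"], []))
    print("creator, no ACL:          ", can_post_consumer(["creator"], []))
    print("creator, read ACL:        ", can_post_consumer(["creator"], ["read"]))
    print("creator, workaround rule: ", can_post_consumer(["creator"], [], WORKAROUND_RULES))
    print("read ACL key is None:     ",
          evaluate(RULES["container_acl_read"], {"target.container.read": None}, {}))
```

The `container_acl_read` path only passes when the enforcer is handed a target in which `target.container.read` is present and formats to exactly `read`; if the controller that enforces `consumers:post` never puts the container's ACL data into the target, the generic check returns False on the missing key and only the role-based rules remain, which is consistent with a role-based workaround succeeding where the ACL rule does not.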