Merge pull request #6764 from sapcc/keystone-subproject-management

Keystone: add back a check for domain id to list_projects API
sapcc · Jul 3, 2024 · dd6a1f4 · dd6a1f4
2 parents ecc4991 + 0d26588
commit dd6a1f4
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/openstack/keystone/templates/etc/_policy.yaml.tpl b/openstack/keystone/templates/etc/_policy.yaml.tpl
@@ -923,6 +923,7 @@
 # Intended scope(s): system, domain
 #"identity:list_projects": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"
 "identity:list_projects": "rule:cloud_reader or
+  (role:reader and domain_id:%(target.domain_id)s) or
   (role:reader and domain_id:%(domain_id)s) or
   (role:reader and project_id:%(parent_id)s)"