From 0d2658860d3e7661ac07e72c62774b0423b9f592 Mon Sep 17 00:00:00 2001
From: Boris Bobrov
Date: Wed, 3 Jul 2024 16:35:33 +0200
Subject: [PATCH] Keystone: add back a check for domain id to list_projects API
---
 openstack/keystone/templates/etc/_policy.yaml.tpl | 1 +
 1 file changed, 1 insertion(+)
diff --git a/openstack/keystone/templates/etc/_policy.yaml.tpl b/openstack/keystone/templates/etc/_policy.yaml.tpl
index 2548712bdf..0e1d1aea25 100644
--- a/openstack/keystone/templates/etc/_policy.yaml.tpl
+++ b/openstack/keystone/templates/etc/_policy.yaml.tpl
@@ -923,6 +923,7 @@
 # Intended scope(s): system, domain
 #"identity:list_projects": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"
 "identity:list_projects": "rule:cloud_reader or
+ (role:reader and domain_id:%(target.domain_id)s) or
 (role:reader and domain_id:%(domain_id)s) or
 (role:reader and project_id:%(parent_id)s)"
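Review bot: The three `role:reader` branches of the `identity:list_projects` override carry no comment saying which target attribute each one is meant to match, so the restored `target.domain_id` branch (the subject says it was dropped before) can be lost again the next time the policy file is refreshed. Because the rule is a multi-line double-quoted scalar, a `#` inside it would become part of the rule text, so the comment belongs above the key, e.g. `# target.domain_id branch mirrors the upstream default (domain-scoped readers list their own domain); keep when regenerating`. The `%(domain_id)s` and `%(parent_id)s` branches look like they compare the token scope with values supplied in the request rather than with a stored target, which is worth confirming and stating in the same comment along with a policy test for a domain-scoped reader. `rule:cloud_reader` is defined outside this hunk.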