more fine tuning

* Add the other hosts * Update keystone policy override to mimic default plus addition * nova policy extra line
2022-11-03 07:56:38 +00:00 · 2022-11-03 07:56:38 +00:00 · 1e56ae1ff6
commit 1e56ae1ff6
parent 569f9ca858
3 changed files with 7 additions and 1 deletions
--- a/resources/keystone.yaml
+++ b/resources/keystone.yaml
@ -1,4 +1,6 @@
 # default rules
 # https://docs.openstack.org/keystone/ussuri/configuration/policy.html

-"identity:update_user": "rule:admin_or_owner"
+context_is_tenantLead: role:tenantLead
+
+identity:update_user: (role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s) or (rule:context_is_tenantLead and project_id:%(target.project.id)s)
--- a/resources/nova.yaml
+++ b/resources/nova.yaml
@ -2,6 +2,7 @@
 # https://docs.openstack.org/nova/ussuri/configuration/policy.html

 context_is_tenantLead: role:tenantLead
+
 os_compute_api:os-admin-actions:reset_state: rule:context_is_tenantLead or rule:system_admin_api
 os_compute_api:os-aggregates:index: rule:context_is_tenantLead or rule:system_reader_api
 os_compute_api:os-aggregates:show: rule:context_is_tenantLead or rule:system_reader_api
--- a/scripts/post-deployment/hosts
+++ b/scripts/post-deployment/hosts
@ -8,3 +8,6 @@
 10.0.1.218 neutron.example.com
 10.0.1.219 nova.example.com
 10.0.1.220 gnocchi.example.com
+10.0.1.221 contrail.example.com
+10.0.1.222 placement.example.com
+10.0.1.223 placement.example.com