fix: sysadmin can override policy violation check

yunionio · Apr 29, 2020 · b1647e7 · b1647e7
1 parent 4d1b93e
commit b1647e7
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/pkg/keystone/models/policies.go b/pkg/keystone/models/policies.go
@@ -103,6 +103,9 @@ func (manager *SPolicyManager) FetchEnabledPolicies() ([]SPolicy, error) {
 }
 
 func validatePolicyVioldatePrivilege(userCred mcclient.TokenCredential, policy *rbacutils.SRbacPolicy) error {
+	if userCred.GetUserName() == api.SystemAdminUser && userCred.GetDomainId() == api.DEFAULT_DOMAIN_ID {
+		return nil
+	}
 	opsScope, opsPolicySet := policyman.PolicyManager.GetMatchedPolicySet(userCred)
 	if opsScope != rbacutils.ScopeSystem && policy.Scope.HigherThan(opsScope) {
 		return errors.Wrapf(httperrors.ErrNotSufficientPrivilege, "cannot create policy scope higher than %s", opsScope)