Reviewed: https://review.opendev.org/670926 Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=52da4d0e129048d1b808bdde07364cde698cf475 Submitter: Zuul Branch: master
commit 52da4d0e129048d1b808bdde07364cde698cf475 Author: Guang Yee <guang....@suse.com> Date: Mon Jul 15 16:57:21 2019 -0700 implement system scope for application credential Implement system scopes, namely 'admin', 'reader', and 'member' for the application credential API. Thus, making it consistent with other system-scoped policy definitions. For the application credential API, the follow policies will be enforced: - system admin can fetch, list, lookup, and delete user's application credentials. - system member and reader can only fetch, list, and lookup user's application credentials. Deleting a user's application credential other their own is strictly prohibitted. - domain and project admins can no longer touch user's application credentials other their own. - domain and project readers cannot touch user's application credentials other their own. - domain and project members cannot touch user's application credentials other their own. - create an application credential can only be done by the owner. No one else can create an application credential on behalf of another user. Test cases are added to guard the above policy changes. Change-Id: I26ee11571b6d0f700a5fe3a62ad2e8fc7f5316fe Closes-Bug: 1818725 Closes-Bug: 1750615 ** Changed in: keystone Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1818725 Title: Application credential API doesn't use default roles Status in OpenStack Identity (keystone): Fix Released Bug description: In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The application credentials API doesn't incorporate these defaults into its default policies [1], but it should. For example, system administrators should be able to clean up application credentials regardless of users, but system members or readers should only be able to list or get application credentials. Users who are not system users should only be able to manage their application credentials. [0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html [1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/application_credential.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1818725/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp