Reviewed:  https://review.opendev.org/697355
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=17c337dbdbfb9d548ad531c2ad0483c9bce5b98f
Submitter: Zuul
Branch:    master

commit 17c337dbdbfb9d548ad531c2ad0483c9bce5b98f
Author: Colleen Murphy <colleen.mur...@suse.de>
Date:   Wed Dec 4 10:51:05 2019 -0800

    Fix credential list for project members
    
    Without this patch, project members and readers can list any credentials
    with the /v3/credentials API when enforce_scope is false. enforce_scope
    is only applicable to project admins due to the admin-ness problem[1],
    and this policy is not meant to allow project admins any access to users'
    credentials (only system admins should be able to access them). However,
    when enforce_scope is false, we need to preserve the old behavior of
    project admins being able to list all credentials. This change mitigates
    the problem by running the identity:get_credential policy check to
    filter out credentials the user does not have access to. This will
    impact performance.
    
    Closes-bug: #1855080
    
    [1] https://bugs.launchpad.net/keystone/+bug/968696
    
    Change-Id: I5dd85a6b8368373a27aef2942a64499d020662ef
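The filtering approach the commit message describes, as an added illustration that is not keystone's code: a hypothetical, simplified model in which the list call runs a per-credential check (standing in for identity:get_credential) over every row and drops the ones the caller could not retrieve individually. The role names, the `Context`/`Credential` types and the exact policy semantics are assumptions for the example.

```python
from dataclasses import dataclass

# Hypothetical, simplified model of enforce_scope and the credential
# policy; this is NOT keystone's implementation.


@dataclass(frozen=True)
class Credential:
    id: str
    user_id: str


@dataclass(frozen=True)
class Context:
    user_id: str
    roles: frozenset
    system_scope: bool = False  # True for a system-scoped token


def can_get_credential(ctx, cred, enforce_scope):
    """Assumed stand-in for identity:get_credential: the owner may read
    their own credential; a system admin may read any; when enforce_scope
    is false, a project admin keeps the legacy access to every credential."""
    if "admin" in ctx.roles and (ctx.system_scope or not enforce_scope):
        return True
    return cred.user_id == ctx.user_id


def list_credentials_unfiltered(ctx, creds, enforce_scope=False):
    """Pre-fix behaviour: once the list policy passes, every credential is
    returned, so a project member sees other users' credentials."""
    return list(creds)


def list_credentials(ctx, creds, enforce_scope=False):
    """Post-fix behaviour: evaluate the per-credential check on each row.
    This is one policy evaluation per credential, which is the performance
    cost the commit message mentions."""
    return [c for c in creds if can_get_credential(ctx, c, enforce_scope)]


# Constructed sample data
CREDS = [Credential("c1", "alice"), Credential("c2", "bob"), Credential("c3", "carol")]
ALICE_MEMBER = Context("alice", frozenset({"member"}))
PROJECT_ADMIN = Context("dave", frozenset({"admin"}))
SYSTEM_ADMIN = Context("root", frozenset({"admin"}), system_scope=True)

if __name__ == "__main__":
    for name, ctx in [("member", ALICE_MEMBER), ("project admin", PROJECT_ADMIN),
                      ("system admin", SYSTEM_ADMIN)]:
        print(name, [c.id for c in list_credentials(ctx, CREDS)])
```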


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1855080

Title:
  Credentials API allows listing and retrieving of all users credentials


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
