Reviewed: https://review.opendev.org/697731
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=17947516b0095c51da5cff94771247f2e7c44ee6
Submitter: Zuul
Branch: stable/stein

commit 17947516b0095c51da5cff94771247f2e7c44ee6
Author: Colleen Murphy <colleen.mur...@suse.de>
Date: Wed Dec 4 10:51:05 2019 -0800

    Fix credential list for project members

    Without this patch, project members and readers can list any
    credentials with the /v3/credentials API when enforce_scope is false.
    enforce_scope is only applicable to project admins due to the
    admin-ness problem[1], and this policy is not meant to allow project
    admins any access to users' credentials (only system admins should be
    able to access them). However, when enforce_scope is false, we need to
    preserve the old behavior of project admins being able to list all
    credentials. This change mitigates the problem by running the
    identity:get_credential policy check to filter out credentials the
    user does not have access to. This will impact performance.

    Closes-bug: #1855080

    [1] https://bugs.launchpad.net/keystone/+bug/968696

    Change-Id: I5dd85a6b8368373a27aef2942a64499d020662ef
    (cherry picked from commit 17c337dbdbfb9d548ad531c2ad0483c9bce5b98f)
    (cherry picked from commit bd3f63787151183f4daa43578aa491856fefae5b)

** Tags added: in-stable-stein

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1855080

Title:
  Credentials API allows listing and retrieving of all users credentials

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1855080/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
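The pattern the commit message describes, as an added illustration that is not keystone's own code: a list endpoint that previously returned every record to any caller who passed the coarse "list" check is tightened by running the per-item "get" authorization check over each candidate and dropping the ones the caller may not read. The credential records, the request context and the `get_credential_allowed` rule below are stand-ins constructed for this example and modelled on the message's description (system admins see everything; with `enforce_scope` false the legacy admin-role behaviour is preserved; everyone else sees only their own); they are not keystone's actual policy rules or oslo.policy calls.

```python
"""Per-item authorization filtering of a list response (added example,
not keystone code). Sample data and the policy rule are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Credential:
    id: str
    user_id: str
    project_id: str


@dataclass(frozen=True)
class RequestContext:
    user_id: str
    project_id: str
    roles: frozenset = field(default_factory=frozenset)
    system_scope: bool = False  # True for a system-scoped (system admin) token


# Constructed sample data: three credentials owned by three different users.
CREDENTIALS = [
    Credential("cred-1", "alice", "proj-a"),
    Credential("cred-2", "bob", "proj-a"),
    Credential("cred-3", "carol", "proj-b"),
]


def get_credential_allowed(ctx, cred, enforce_scope=True):
    """Stand-in for a per-credential "get" policy check (hypothetical rule).

    - a system admin may read any credential
    - with enforce_scope=False the legacy "admin role means admin everywhere"
      behaviour is preserved, so a project admin may read all credentials
    - everyone else may read only credentials they own
    """
    if ctx.system_scope and "admin" in ctx.roles:
        return True
    if not enforce_scope and "admin" in ctx.roles:
        return True
    return cred.user_id == ctx.user_id


def list_credentials_unfiltered(ctx, creds):
    """Pre-fix behaviour: once the caller passes the coarse list check,
    every stored credential is returned regardless of ownership."""
    return list(creds)


def list_credentials_filtered(ctx, creds, enforce_scope=True):
    """Post-fix behaviour: evaluate the per-item check for every candidate
    and keep only those the caller may read. This costs one policy
    evaluation per stored record, which is the performance impact noted."""
    return [c for c in creds if get_credential_allowed(ctx, c, enforce_scope)]


if __name__ == "__main__":
    member = RequestContext("bob", "proj-a", frozenset({"member"}))
    print("unfiltered:", [c.id for c in list_credentials_unfiltered(member, CREDENTIALS)])
    print("filtered:  ", [c.id for c in list_credentials_filtered(member, CREDENTIALS, enforce_scope=False)])
```

Running it shows the plain project member receiving all three credentials from the unfiltered path and only their own from the filtered one; a project admin with `enforce_scope=False` still receives everything, which is the legacy behaviour the message says must be preserved.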