Public bug reported: Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the user API. This is documented in each patch with FIXMEs [0].
The following acceptance criteria describes how the v3 role assignment API should behave with tokens from multiple scopes. GET /v3/role_assignments - Someone with a system role assignment that passes the check string should be able to list role assignments for any combination of entities in the deployment (system-scoped) - Someone with a domain role assignment that passes the check string should only be able to list role assignment for users and group in the domain they administer, or projects within that domain (domain-scoped) - Someone with a project role assignment that passes the check string should only be able to list role assignments for users and groups that have assignments on the project they administer (project-scoped) [0] https://github.com/openstack/keystone/blob/68df7bf1f3b3d6ab3f691f59f1ce6de6b0b1deab/keystone/common/policies/role_assignment.py#L21-L28 ** Affects: keystone Importance: High Status: Triaged ** Tags: policy -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1750673 Title: The v3 role assignment API should account for different scopes Status in OpenStack Identity (keystone): Triaged Bug description: Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the user API. This is documented in each patch with FIXMEs [0]. The following acceptance criteria describes how the v3 role assignment API should behave with tokens from multiple scopes. GET /v3/role_assignments - Someone with a system role assignment that passes the check string should be able to list role assignments for any combination of entities in the deployment (system-scoped) - Someone with a domain role assignment that passes the check string should only be able to list role assignment for users and group in the domain they administer, or projects within that domain (domain-scoped) - Someone with a project role assignment that passes the check string should only be able to list role assignments for users and groups that have assignments on the project they administer (project-scoped) [0] https://github.com/openstack/keystone/blob/68df7bf1f3b3d6ab3f691f59f1ce6de6b0b1deab/keystone/common/policies/role_assignment.py#L21-L28 To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1750673/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
