I'm going to mark this as opinion. It likely will get better with scope-
types and policy-in-code, but this bug in itself isn't relevant due to
how trusts were architected.
** Changed in: keystone
Status: Confirmed => Opinion
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1717847
Title:
Policy does not work for trusts
Status in OpenStack Identity (keystone):
Opinion
Bug description:
see: http://lists.openstack.org/pipermail/openstack-
dev/2017-September/122115.html
In short, the trusts APIs handle their policy in code rather than from
the policy file.
This is rather confusing seeing as we have policies for trusts in the policy
json file which do nothing:
https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L137-L142
We should set better default policies, and change the code to respect
the policy files rather than handle the policy checking based on
hardcoded values.
This change needs to be handled carefully (and made very obvious in release
notes), because anyone using an older policy file once the change to respect
the policy file is part of a release, will mean any authed user can list trusts
because of the existing (and incorrect) default policy rules.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1717847/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
