Public bug reported: In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The application credentials API doesn't incorporate these defaults into its default policies [1], but it should.
For example, system administrators should be able to clean up application credentials regardless of users, but system members or readers should only be able to list or get application credentials. Users who are not system users should only be able to manage their application credentials. [0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html [1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/application_credential.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc ** Affects: keystone Importance: Medium Status: Triaged ** Tags: default-roles policy ** Changed in: keystone Status: New => Triaged ** Changed in: keystone Importance: Undecided => Medium ** Description changed: In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The application credentials API doesn't incorporate these defaults into its default policies [1], but it should. - For example, system users should be able to manage any application - credential, regardless of the user. Users who are not system users - should only be able to manage their application credentials. + For example, system administrators should be able to clean up + application credentials regardless of users, but system members or + readers should only be able to list or get application credentials. + Users who are not system users should only be able to manage their + application credentials. [0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html [1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/application_credential.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc ** Tags added: default-roles policy -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1818725 Title: Application credential API doesn't use default roles Status in OpenStack Identity (keystone): Triaged Bug description: In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The application credentials API doesn't incorporate these defaults into its default policies [1], but it should. For example, system administrators should be able to clean up application credentials regardless of users, but system members or readers should only be able to list or get application credentials. Users who are not system users should only be able to manage their application credentials. [0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html [1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/application_credential.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1818725/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
