Reviewed:  https://review.opendev.org/680844
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9b694fcd0846898be843d8779960de399497818d
Submitter: Zuul
Branch:    master

commit 9b694fcd0846898be843d8779960de399497818d
Author: Colleen Murphy <[email protected]>
Date:   Sat Sep 7 19:25:46 2019 -0700

    Implement system scope for domain role management

    The roles API was partially converted to use default roles and system
    scope but that work did not include converting the domain roles
    actions. This commit completes the rest of the work and closes out the
    system scope work for the roles API.

    Change-Id: Iea5a1559e9bece2c0f310170f05260a978e27b47
    Closes-bug: #1805400
    Partial-bug: #1805880

** Changed in: keystone
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1805400

Title:
  The v3 role API should account for different scopes

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Keystone implemented scope_types for oslo.policy RuleDefault objects
  in the Queens release. In order to take full advantage of scope_types,
  keystone is going to have to evolve policy enforcement checks in the
  user API. This is documented in each patch with FIXMEs [0].

  The following acceptance criteria describe how the v3 role API should
  behave with tokens from multiple scopes.

  GET /roles/{role_id}

  - Someone with a system role assignment that passes the check string
    should be able to check any role in the deployment (system-scoped)
  - Someone with a domain role assignment that passes the check string
    should be able to check any domain role within that domain
    (domain-scoped)

  GET /roles

  - Someone with a system role assignment that passes the check string
    should be able to list all roles in the deployment (system-scoped)
  - Someone with a domain role assignment that passes the check string
    should be able to list all domain roles within a domain
    (domain-scoped)

  POST /roles

  - Someone with a system role assignment that passes the check string
    should be able to create roles (system-scoped)
  - Someone with a domain role assignment that passes the check string
    should be able to create a role within the domain (domain-scoped)

  DELETE /roles/{role_id}

  - Someone with a system role assignment that passes the check string
    should be able to remove roles (system-scoped)
  - Someone with a domain role assignment that passes the check string
    should be able to remove a domain role (domain-scoped)

  [0] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/role.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927#n21

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1805400/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
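
The acceptance criteria in the bug description above, modelled as a small scope-aware authorization check. This is an added example, not keystone or oslo.policy code and not part of the original message. The Token and Role classes, the authorize and list_roles helpers, and the role names required per action (reader for reads, admin for writes) are assumptions standing in for the real check strings.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Token:                      # constructed stand-in for a validated token
    scope: str                    # "system", "domain" or "project"
    roles: frozenset              # role names held on that scope
    domain_id: Optional[str] = None

@dataclass(frozen=True)
class Role:
    name: str
    domain_id: Optional[str] = None   # None means a global (non-domain) role

# Assumed check strings: the role name each action requires.
REQUIRED = {"get": "reader", "list": "reader", "create": "admin", "delete": "admin"}

def authorize(token, action, target_domain_id=None):
    """Return True if token may perform action on a role in target_domain_id."""
    if REQUIRED[action] not in token.roles:
        return False              # the check string itself fails
    if token.scope == "system":
        return True               # any role in the deployment
    if token.scope == "domain":
        # Domain roles only, and only inside the token's own domain.
        return target_domain_id is not None and target_domain_id == token.domain_id
    return False                  # project-scoped and anything else: deny

def list_roles(token, all_roles):
    """GET /roles: return only the roles this token's scope may list."""
    return [r for r in all_roles if authorize(token, "list", r.domain_id)]

# Constructed sample data.
ROLES = [Role("admin"), Role("auditor", "dom-a"), Role("operator", "dom-b")]
SYSTEM_READER = Token("system", frozenset({"reader"}))
DOMAIN_A_ADMIN = Token("domain", frozenset({"admin", "member", "reader"}), "dom-a")
PROJECT_ADMIN = Token("project", frozenset({"admin", "member", "reader"}))

if __name__ == "__main__":
    for tok in (SYSTEM_READER, DOMAIN_A_ADMIN, PROJECT_ADMIN):
        print(tok.scope, [r.name for r in list_roles(tok, ROLES)])
    # The cases a policy test should pin down: cross-domain and global-role writes.
    print(authorize(DOMAIN_A_ADMIN, "delete", "dom-b"))   # another domain's role
    print(authorize(DOMAIN_A_ADMIN, "delete", None))      # a global role
```

The denials are the cases worth covering in policy tests: a domain-scoped admin acting on a global role or on another domain's role, and a project-scoped token holding the same role names.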

