Reviewed:  https://review.opendev.org/680794
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4f0c7394ede6ad479ff911bc373370f8b5e2f6f1
Submitter: Zuul
Branch:    master

commit 4f0c7394ede6ad479ff911bc373370f8b5e2f6f1
Author: Colleen Murphy <colleen.mur...@suse.de>
Date:   Fri Sep 6 19:25:44 2019 -0700

    Implement system admin for OAUTH1 consumers

    This change deprecates the rule:admin_required policies for the
    create/update/delete actions of the OAUTH consumer API and replaces
    them with the system-specific check strings for the admin role.

    Change-Id: Id6742ff295ce206d0a4965465b0e9ec2ceab7cd5
    Closes-bug: #1805363

** Changed in: keystone
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1805363

Title:
  Oauth1 Consumer API doesn't use default roles

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  In Rocky, keystone implemented support to ensure at least three
  default roles were available [0]. The consumer API doesn't incorporate
  these defaults into its default policies [1], but it should.

  The oauth consumer API is system-specific, and shouldn't be accessible
  to domain or project users. For example, system administrators should
  be able to create, delete, and update consumers, while members and
  readers should only be able to get and list consumers.

  [0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
  [1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/consumer.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927
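
The access rule from the bug description as a small model, comparing a scope-blind admin check with the system-scoped one. This is an added example, not keystone or oslo.policy code; the table layout, function names and sample credentials are constructed, and rule:admin_required is assumed to test only the role name.

```python
# Simplified model of the access rule in the bug description.
# Added example: not keystone or oslo.policy code; all names are illustrative.

# Default-role implication from the Rocky default roles: admin > member > reader.
IMPLIED = {"admin": {"admin", "member", "reader"},
           "member": {"member", "reader"},
           "reader": {"reader"}}

# Role required per consumer action, as the bug description states it.
REQUIRED = {"create_consumer": "admin", "update_consumer": "admin",
            "delete_consumer": "admin", "get_consumer": "reader",
            "list_consumers": "reader"}

# Constructed credentials: the scope a token carries and the roles assigned on it.
SAMPLE = {
    "system_admin":  {"scope": "system",  "roles": ["admin"]},
    "system_member": {"scope": "system",  "roles": ["member"]},
    "system_reader": {"scope": "system",  "roles": ["reader"]},
    "domain_admin":  {"scope": "domain",  "roles": ["admin"]},
    "project_admin": {"scope": "project", "roles": ["admin"]},
}

def effective_roles(roles):
    """Expand assigned roles with the roles they imply."""
    out = set()
    for role in roles:
        out |= IMPLIED.get(role, {role})
    return out

def old_check(creds, action):
    """Assumed model of rule:admin_required: role name only, scope ignored."""
    return "admin" in creds["roles"]

def new_check(creds, action):
    """System-scoped model: system token AND the required (or implying) role."""
    if creds["scope"] != "system":
        return False
    return REQUIRED[action] in effective_roles(creds["roles"])

def changed(action):
    """Credentials whose outcome for `action` differs: name -> (old, new)."""
    return {name: (old_check(c, action), new_check(c, action))
            for name, c in SAMPLE.items()
            if old_check(c, action) != new_check(c, action)}

if __name__ == "__main__":
    for action in REQUIRED:
        print(action, changed(action))
```

In this model the write actions are closed to domain and project admins, while the read actions open up to system members and readers.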