Reviewed: https://review.opendev.org/681162
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6435017c242d759ec18dac30d667f0e196e49f38
Submitter: Zuul
Branch: master
commit 6435017c242d759ec18dac30d667f0e196e49f38
Author: Vishakha Agarwal <[email protected]>
Date: Tue Sep 10 11:57:13 2019 +0530

    Remove system EC2 credentials from policy.v3cloudsample.json

    By relying on system-scope and default roles, these policies are now obsolete.

    Change-Id: Ie6be658a8e4dd028834a3fee956689f9513a37e9
    Partial-Bug: #1806762
    Closes-Bug: #1750678

** Changed in: keystone
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1750678

Title:
  The ec2 credential API should account for different scopes

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the user API. This is documented in each patch with FIXMEs [0].
  The following acceptance criteria describe how the v3 ec2 credential API should behave with tokens from multiple scopes:

  GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id}

  - Someone with a system role assignment that passes the check string should be able to view credentials for any user in the deployment (system-scoped)
  - Someone with a valid token should only be able to view credentials they've created

  GET /v3/users/{user_id}/credentials/OS-EC2/

  - Someone with a system role assignment that passes the check string should be able to list all credentials in the deployment (system-scoped)
  - Someone with a valid token should only be able to list credentials associated to their user

  POST /v3/users/{user_id}/credentials/OS-EC2/

  - Someone with a system role assignment that passes the check string should be able to create ec2 credentials for other users (system-scoped)
  - Someone with a valid token should be able to create ec2 credentials for themselves

  DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id}

  - Someone with a system role assignment that passes the check string should be able to delete any ec2 credential in the deployment (system-scoped)
  - Someone with a valid token should only be able to delete credentials associated to their user account

  [0] https://github.com/openstack/keystone/blob/68df7bf1f3b3d6ab3f691f59f1ce6de6b0b1deab/keystone/common/policies/ec2_credential.py#L21-L31
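Each acceptance criterion above has the same two-path shape: a system-scoped token that passes the check string, or the owner of the credential. The Python below is an added example written for this page, not keystone's or oslo.policy's code. It models that shape with oslo.policy-style check strings and a small evaluator of its own: the rule strings, the role names used in them, the token dictionaries and the target layout are all constructed here (the rule shapes are an assumption modelled on keystone's default-role policies, not copies of any keystone policy file), so the point is the decision logic, not the exact strings.

```python
"""Model of scope-aware policy checks for the v3 ec2 credential API.

Added example: a tiny evaluator for oslo.policy-style check strings plus
constructed rules with the "system scope OR credential owner" shape the
bug's acceptance criteria describe. Not keystone's or oslo.policy's code.
"""
import re

# Constructed check strings (assumption: modelled on keystone's default-role
# policies, not copied from policy.v3cloudsample.json or any keystone file).
SYSTEM_READER = "role:reader and system_scope:all"
SYSTEM_ADMIN = "role:admin and system_scope:all"
OWNER = "user_id:%(target.credential.user_id)s"

POLICIES = {
    "identity:ec2_get_credential": f"({SYSTEM_READER}) or {OWNER}",
    "identity:ec2_list_credentials": f"({SYSTEM_READER}) or {OWNER}",
    "identity:ec2_create_credential": f"({SYSTEM_ADMIN}) or {OWNER}",
    "identity:ec2_delete_credential": f"({SYSTEM_ADMIN}) or {OWNER}",
}

# Tokens: parentheses, the keywords and/or, and key:value atoms whose value
# may be a %(path)s substitution taken from the flattened target dict.
_TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|[A-Za-z_.]+:(?:%\([^)]+\)s|[^\s()]+)")


def _flatten(d, prefix=""):
    """Flatten {'target': {'credential': {'user_id': x}}} to dotted keys."""
    out = {}
    for key, value in d.items():
        dotted = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(_flatten(value, dotted))
        else:
            out[dotted] = value
    return out


class _Evaluator:
    """Recursive descent: expr := term ('or' term)*;
    term := factor ('and' factor)*; factor := '(' expr ')' | atom."""

    def __init__(self, tokens, creds, target):
        self.toks, self.pos = tokens, 0
        self.creds, self.target = creds, target

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def expr(self):
        result = self._term()
        while self._peek() == "or":
            self._take()
            rhs = self._term()  # always parse the right side, never short-circuit
            result = result or rhs
        return result

    def _term(self):
        result = self._factor()
        while self._peek() == "and":
            self._take()
            rhs = self._factor()
            result = result and rhs
        return result

    def _factor(self):
        tok = self._take()
        if tok == "(":
            result = self.expr()
            if self._take() != ")":
                raise ValueError("unbalanced parentheses in check string")
            return result
        if tok is None or tok in (")", "and", "or"):
            raise ValueError(f"unexpected token {tok!r} in check string")
        return self._atom(tok)

    def _atom(self, tok):
        key, _, expected = tok.partition(":")
        if expected.startswith("%(") and expected.endswith(")s"):
            # Substitute from the target; a missing attribute fails closed.
            value = self.target.get(expected[2:-2])
            if value is None:
                return False
            expected = str(value)
        if key == "role":
            return expected in self.creds.get("roles", ())
        actual = self.creds.get(key)
        return actual is not None and str(actual) == expected


def enforce(action, creds, target):
    """Return True when the token (creds) may perform action on target."""
    tokens = _TOKEN.findall(POLICIES[action])
    ev = _Evaluator(tokens, creds, _flatten(target))
    result = ev.expr()
    if ev._peek() is not None:
        raise ValueError("trailing tokens in check string")
    return result


def credential_target(owner_id):
    """Target dict for an ec2 credential owned by owner_id (constructed)."""
    return {"target": {"credential": {"user_id": owner_id}}}


# Constructed tokens: a system-scoped reader, a system-scoped admin, and an
# ordinary project-scoped user. system_scope is what a system token carries.
SYSTEM_READER_TOKEN = {"user_id": "auditor", "roles": ["reader"], "system_scope": "all"}
SYSTEM_ADMIN_TOKEN = {"user_id": "ops", "roles": ["admin", "reader"], "system_scope": "all"}
ALICE_TOKEN = {"user_id": "alice", "roles": ["member"], "project_id": "proj-1"}


if __name__ == "__main__":
    holders = (("system reader", SYSTEM_READER_TOKEN), ("system admin", SYSTEM_ADMIN_TOKEN),
               ("alice (project)", ALICE_TOKEN))
    for action in POLICIES:
        for name, tok in holders:
            own = enforce(action, tok, credential_target(tok["user_id"]))
            other = enforce(action, tok, credential_target("bob"))
            print(f"{action:34} {name:16} own={own!s:5} other={other}")
```

Running the block prints the decision matrix: the system reader can view and list any user's credentials but cannot create or delete for others, the system admin can do all four for anyone, and Alice's project-scoped token only ever succeeds when the credential's user_id is her own. The owner check reads the owner from the target rather than from the URL's {user_id}, which is the point of evolving the enforcement: the decision is made against the credential actually being acted on.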

