Reviewed: https://review.opendev.org/682762
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=05ea390c67da8056bd0cb4445f4f030d8181aaf6
Submitter: Zuul
Branch: master

commit 05ea390c67da8056bd0cb4445f4f030d8181aaf6
Author: Colleen Murphy <colleen.mur...@suse.de>
Date: Tue Sep 17 15:47:35 2019 -0700

    Allow system/domain scope for assignment tree list

    The comment regarding the scope_types setting for
    identity:list_role_assignments_for_tree was incorrect: the project ID
    for this request comes from a query parameter, not the token context,
    and therefore it makes sense to allow system users and domain users to
    call this API to get information about a project they have access to.

    This change updates the default policy for this API and adds tests for
    it. For project scope, the admin role is still required, as project
    members and project readers are typically not allowed rights to view
    the project hierarchy.

    Change-Id: If246298092940884a7b90e47cc9ce2f30da3e9e5
    Closes-bug: #1844461

** Changed in: keystone
   Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1844461

Title:
  Role assignment list for subtree is only project scoped

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  The identity:list_role_assignment_for_subtree is limited to the
  'project' scope type, but this means that system readers and domain
  readers can't list role assignments for the subtree of a project they
  would otherwise have access to. Since the project ID is specified as a
  query parameter and is not taken directly from the token context, it
  makes sense to allow system readers and domain readers to make this
  query.

  Project members and readers should still be forbidden from getting
  role assignment information on their own project or its subprojects,
  but project admins should remain allowed to get this information.
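
The access rule the bug description asks for, modelled in plain Python as an added example. This is not keystone's policy code: the `Token` and `Project` types, the role-implication table, the sample IDs, and the reading that a project admin must be scoped to the queried project itself are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumption: admin implies member implies reader, so a "reader" check
# also passes for member and admin tokens on the same scope.
IMPLIED = {
    "admin": {"admin", "member", "reader"},
    "member": {"member", "reader"},
    "reader": {"reader"},
}


@dataclass(frozen=True)
class Token:
    scope: str          # "system", "domain" or "project"
    roles: frozenset    # role names held on that scope
    scope_id: str = ""  # domain ID or project ID; empty for system scope


@dataclass(frozen=True)
class Project:
    id: str
    domain_id: str


def effective_roles(token):
    """Expand the token's roles through the implication table."""
    expanded = set()
    for role in token.roles:
        expanded |= IMPLIED.get(role, {role})
    return expanded


def may_list_assignments_for_tree(token, target):
    """Decide access; `target` is the project named in the query parameter.

    Because the project ID does not come from the token, every branch
    that is not system-wide compares the target against the token scope.
    """
    roles = effective_roles(token)
    if token.scope == "system":
        return "reader" in roles
    if token.scope == "domain":
        # Domain users may only query projects owned by their own domain.
        return "reader" in roles and token.scope_id == target.domain_id
    if token.scope == "project":
        # Members and readers stay forbidden; admin only on the queried project.
        return "admin" in roles and token.scope_id == target.id
    return False  # unknown scope type: deny


# Constructed sample target: project "p1" owned by domain "d1".
SAMPLE_TARGET = Project(id="p1", domain_id="d1")
```

The domain and project branches are where a query-parameter target matters: without the comparison against `scope_id`, a reader in one domain could list assignments for a project in another.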