yahoo-eng-team team mailing list archive

[Bug 1267096] [NEW] v3/credentials API is admin-only

 

Public bug reported:

The default policy makes v3/credentials admin-only:

https://github.com/openstack/keystone/blob/master/etc/policy.json#L53

But in the docs, we say "generic credential storage per user", which
implies it's a user-accessible interface.

Also, for the ec2 credential storage to work as a replacement for the
ec2tokens API, it needs to be user-accessible.

Seems like a more appropriate restriction would be to enforce that the
user_id in the request matches the token, or the user is admin, e.g. use
"admin_or_owner" instead of "admin_required".

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1267096

Title:
  v3/credentials API is admin-only

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1267096/+subscriptions
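
The access decision the report asks for, as an added example that is not part of the original bug report and is not Keystone's code: a minimal evaluator for policy.json-style rules, run against the admin-only default and the proposed "admin_or_owner" rule. The rule bodies, the identity:get_credential action name and the sample users are assumptions constructed for illustration.

```python
# Constructed rule set in the policy.json "rule:" / "role:" / "key:%(field)s" style.
# Rule bodies and the action name below are assumptions, not copied from Keystone.
RULES = {
    "admin_required": "role:admin",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
}

def check(expr, creds, target, rules=RULES):
    """Evaluate an 'or'-joined policy expression; anything unknown denies."""
    for term in (t.strip() for t in expr.split(" or ")):
        kind, _, match = term.partition(":")
        if kind == "rule":
            if match in rules and check(rules[match], creds, target, rules):
                return True
        elif kind == "role":
            if match in creds.get("roles", []):
                return True
        else:
            # Generic check: creds[kind] must equal the value taken from the target.
            try:
                wanted = match % target
            except KeyError:
                continue  # target has no such field: fail closed
            if kind in creds and str(creds[kind]) == wanted:
                return True
    return False

def authorize(policy, action, creds, target):
    """Deny when the action has no rule; otherwise evaluate its rule."""
    rule = policy.get(action)
    return bool(rule) and check(rule, creds, target)

ACTION = "identity:get_credential"
CURRENT = {ACTION: "rule:admin_required"}    # admin-only default from the report
PROPOSED = {ACTION: "rule:admin_or_owner"}   # restriction suggested in the report

# Constructed token contexts and credential targets.
alice = {"user_id": "u-alice", "roles": ["member"]}
admin = {"user_id": "u-admin", "roles": ["admin"]}
alice_cred = {"user_id": "u-alice"}
bob_cred = {"user_id": "u-bob"}

def decisions(policy):
    """(owner reads own, non-owner reads other's, admin reads other's)."""
    return (authorize(policy, ACTION, alice, alice_cred),
            authorize(policy, ACTION, alice, bob_cred),
            authorize(policy, ACTION, admin, bob_cred))
```

The owner check is only as trustworthy as the target's user_id: for reads, updates and deletes it should come from the stored credential rather than from a value the caller supplies.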


Follow ups

References