
yahoo-eng-team team mailing list archive

[Bug 1281771] [NEW] Keystone policy doesn't retrieve domain_id on project scoped token


Public bug reported:

Giving the possibility to retrieve the project's domain_id from a
project scoped token gives cloud service providers more flexibility when
configuring their Keystone policy file.

For instance, if a cloud service provider wants to allow a project member to see the description of his project's domain, they will be able to do so.
Furthermore, if a project admin (with a token scoped on his project) wants to add a new incoming user (already registered in the domain) to his project, a cloud service provider can allow him to do this by listing all users of his domain and then looking for that specific user. In the policy, it should look like: "identity:list_users": "rule:cloud_admin or rule:domain_admin or (rule:admin_required and domain_id:%(project.domain_id)s)".

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1281771

Title:
  Keystone policy doesn't retrieve domain_id on project scoped token

Status in OpenStack Identity (Keystone):
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1281771/+subscriptions
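The policy rule quoted in the report only works if the credentials derived from the token carry the attribute the rule compares against. The following is an added example, not code from Keystone or oslo.policy: a toy evaluator that mirrors the shape of an oslo.policy rule string ("rule:<name>" recurses, "<key>:<value>" compares a token credential against a literal or a target attribute interpolated with %(...)s, and "and"/"or"/parentheses combine terms). The definitions of cloud_admin, domain_admin and admin_required are simplified assumptions, and the sample credentials and target are constructed; the two project-scoped tokens show that the same "identity:list_users" rule passes when the token exposes domain_id and fails when it does not, which is the gap the report describes.

```python
"""Toy evaluator for Keystone-style policy rules.

Added example, not code from Keystone or oslo.policy. It mirrors the
general shape of an oslo.policy rule string: 'rule:<name>' recurses into
another rule, '<key>:<value>' compares a credential attribute from the
token against a literal or a target attribute interpolated with %(...)s,
and 'and', 'or' and parentheses combine terms.
"""
import re

# Policy file fragment. The named rules are simplified assumptions; only
# "identity:list_users" is quoted from the bug report.
POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "domain_admin": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_users": (
        "rule:cloud_admin or rule:domain_admin or "
        "(rule:admin_required and domain_id:%(project.domain_id)s)"
    ),
}

# Tokens: "(", ")", or a term; a term may embed one %(...)s group.
_TOKEN_RE = re.compile(r"\(|\)|[^\s()]+(?:\([^()]*\)[^\s()]*)?")


def _check_term(term, creds, target):
    """Evaluate one atomic term against token credentials and the target."""
    if term.startswith("rule:"):
        return enforce(term[len("rule:"):], creds, target)
    key, _, value = term.partition(":")
    try:
        expected = value % target  # interpolate %(attr)s from the target
    except KeyError:
        return False  # the target does not carry that attribute
    if key == "role":
        return expected in creds.get("roles", [])
    if key not in creds:
        return False  # the token does not expose that attribute
    return str(creds[key]) == expected


def _parse_or(tokens, creds, target):
    result = _parse_and(tokens, creds, target)
    while tokens and tokens[0] == "or":
        tokens.pop(0)
        result = _parse_and(tokens, creds, target) or result
    return result


def _parse_and(tokens, creds, target):
    result = _parse_atom(tokens, creds, target)
    while tokens and tokens[0] == "and":
        tokens.pop(0)
        result = _parse_atom(tokens, creds, target) and result
    return result


def _parse_atom(tokens, creds, target):
    tok = tokens.pop(0)
    if tok == "(":
        result = _parse_or(tokens, creds, target)
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("unbalanced parentheses in rule")
        return result
    return _check_term(tok, creds, target)


def enforce(rule_name, creds, target, policy=POLICY):
    """Return True if the token credentials satisfy the named rule."""
    tokens = _TOKEN_RE.findall(policy[rule_name])
    result = _parse_or(tokens, creds, target)
    if tokens:
        raise ValueError("trailing tokens in rule: %r" % tokens)
    return result


# Constructed sample data: what a project-scoped token exposes to policy
# with and without the project's domain_id, and the request target.
PROJECT_TOKEN_WITH_DOMAIN = {"roles": ["admin"], "project_id": "p-1",
                             "domain_id": "d-1"}
PROJECT_TOKEN_WITHOUT_DOMAIN = {"roles": ["admin"], "project_id": "p-1"}
TARGET = {"project.domain_id": "d-1"}

if __name__ == "__main__":
    for name, creds in (("with domain_id", PROJECT_TOKEN_WITH_DOMAIN),
                        ("without domain_id", PROJECT_TOKEN_WITHOUT_DOMAIN)):
        print(name, "->", enforce("identity:list_users", creds, TARGET))
```

Note that the evaluator deliberately treats a missing credential or target attribute as a failed check rather than an error, so a policy that references an attribute the token never populates silently denies, which is what an operator would observe before the token exposes domain_id.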

