yahoo-eng-team team mailing list archive

[Bug 1281771] Re: Keystone policy doesn't retrieve domain_id on project scoped token


A project's domain ID doesn't represent authorization on that domain.
Use domain-scoped tokens instead (which explicitly represent domain
level authorization) and they'll be available to enforce policy against.

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1281771

Title:
  Keystone policy doesn't retrieve domain_id on project scoped token

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  Giving the possibility to retrieve the project's domain_id from a
  project scoped token gives cloud service providers more flexibility
  when configuring their Keystone policy file.

  For instance, if a cloud service provider wants to allow a project member to see the description of his project's domain, they will be able to do so.
  Furthermore, if a project admin (with a token scoped on his project) wants to add a new incoming user (already registered in the domain) on his project, a cloud service provider can allow him to do this by listing all users of his domain and then looking for that specific user. In the policy, it should look like: "identity:list_users": "rule:cloud_admin or rule:domain_admin or (rule:admin_required and domain_id:%(project.domain_id)s)".

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1281771/+subscriptions
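To make the exchange above concrete, here is an added example (not code from the bug report, from Keystone, or from oslo.policy): a deliberately small evaluator for the policy rule grammar the reporter quotes (`rule:`, `role:`, `key:value`, `key:%(target.path)s`, `and`, `or`, parentheses). It is fed three constructed credential sets: a project-scoped token, which carries `project_id` but no `domain_id`, and two domain-scoped tokens. The policy dictionary is modelled on the `cloud_admin` / `domain_admin` rules of Keystone's `policy.v3cloudsample.json` plus the reporter's proposed `identity:list_users` rule; all credential values, the target dictionary and the `admin_domain_id` literal are constructed for the demonstration.

```python
import re

# Constructed policy: the first three rules follow the shape of Keystone's
# policy.v3cloudsample.json; the last is the rule proposed in the bug report.
POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "domain_admin": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_users": (
        "rule:cloud_admin or rule:domain_admin or "
        "(rule:admin_required and domain_id:%(project.domain_id)s)"
    ),
}

# Constructed credentials as a policy engine would derive them from a token.
# A project-scoped token exposes project_id, not domain_id (the reporter's complaint).
PROJECT_SCOPED_CREDS = {"user_id": "u1", "project_id": "p1", "roles": ["admin"]}
# Domain-scoped tokens carry the domain they were explicitly scoped to.
DOMAIN_SCOPED_CREDS = {"user_id": "u1", "domain_id": "d1", "roles": ["admin"]}
OTHER_DOMAIN_CREDS = {"user_id": "u2", "domain_id": "d2", "roles": ["admin"]}

# Constructed target for the list_users call: the domain being listed is d1.
TARGET = {"domain_id": "d1", "project": {"domain_id": "d1"}}

# Tokens: parentheses, the keywords, or an atom; %(...)s substitutions keep their parens.
TOKEN_RE = re.compile(r"\(|\)|\band\b|\bor\b|(?:%\([^)]*\)s|[^\s()])+")


def _resolve(target, dotted):
    """Look up 'project.domain_id' as target['project']['domain_id'] (None if absent)."""
    cur = target
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _check(atom, creds, target, policy):
    """Evaluate one atom: rule:<name>, role:<name>, or <cred_key>:<literal | %(path)s>."""
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return enforce(match, creds, target, policy)
    if kind == "role":
        return match in creds.get("roles", [])
    subst = re.fullmatch(r"%\((.+)\)s", match)
    expected = _resolve(target, subst.group(1)) if subst else match
    # A credential key that the token never provided can never satisfy the check.
    if kind not in creds or expected is None:
        return False
    return str(creds[kind]) == str(expected)


def enforce(rule_name, creds, target, policy=POLICY):
    """Recursive-descent evaluation of `or` over `and` over atoms, with grouping."""
    tokens = TOKEN_RE.findall(policy[rule_name])
    pos = [0]

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def take():
        pos[0] += 1
        return tokens[pos[0] - 1]

    def parse_or():
        value = parse_and()
        while peek() == "or":
            take()
            value = parse_and() or value  # evaluate fully so tokens are consumed
        return value

    def parse_and():
        value = parse_atom()
        while peek() == "and":
            take()
            value = parse_atom() and value
        return value

    def parse_atom():
        tok = take()
        if tok == "(":
            value = parse_or()
            take()  # closing ')'
            return value
        return _check(tok, creds, target, policy)

    return parse_or()


if __name__ == "__main__":
    for label, creds in [("project-scoped", PROJECT_SCOPED_CREDS),
                         ("domain-scoped d1", DOMAIN_SCOPED_CREDS),
                         ("domain-scoped d2", OTHER_DOMAIN_CREDS)]:
        print(label, "->", enforce("identity:list_users", creds, TARGET))
```

Run stand-alone, the project-scoped admin is denied even under the reporter's proposed rule, because `domain_id` is simply absent from the credentials, while the admin holding a token scoped to `d1` is allowed and the admin scoped to `d2` is denied. That is the reviewer's point in miniature: a domain-scoped token states domain-level authorization explicitly, so a `domain_id:` check against it is meaningful, whereas inferring it from a project's parent domain would widen what a project-scoped token can do.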
