Message #10256
[Bug 1284922] [NEW] policy admin role too broad
Public bug reported:
The policy.v3cloudsample.json file has a generic "admin_required": "role:admin" rule that is applied to several APIs; as a result, any other service holding the same generic "admin" role can de facto perform Keystone calls.
Both Neutron and Glance define a simple admin role that can therefore be used to perform Keystone-protected calls.
Proposed changes:
1) remove "admin_required" and replace it with "rule:cloud_admin"
2) correctly scope access to these APIs:
"identity:create_consumer": "rule:cloud_admin or rule:domain_admin",
"identity:get_consumer": "rule:cloud_admin or rule:domain_admin",
"identity:list_consumers": "rule:cloud_admin or rule:domain_admin",
"identity:delete_consumer": "rule:cloud_admin or rule:domain_admin",
"identity:update_consumer": "rule:cloud_admin or rule:domain_admin",
"identity:authorize_request_token": "rule:cloud_admin or rule:domain_admin",
"identity:list_access_token_roles": "rule:cloud_admin or rule:domain_admin",
"identity:get_access_token_role": "rule:cloud_admin or rule:domain_admin",
"identity:list_access_tokens": "rule:cloud_admin or rule:domain_admin",
"identity:get_access_token": "rule:cloud_admin or rule:domain_admin",
"identity:delete_access_token": "rule:cloud_admin or rule:domain_admin",
"identity:list_projects_for_endpoint": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:add_endpoint_to_project": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:check_endpoint_in_project": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:list_endpoints_for_project": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:remove_endpoint_from_project": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:create_identity_provider": "rule:cloud_admin or rule:domain_admin",
"identity:list_identity_providers": "rule:cloud_admin or rule:domain_admin",
"identity:get_identity_providers": "rule:cloud_admin or rule:domain_admin",
"identity:update_identity_provider": "rule:cloud_admin or rule:domain_admin",
"identity:delete_identity_provider": "rule:cloud_admin or rule:domain_admin",
"identity:create_protocol": "rule:cloud_admin or rule:domain_admin",
"identity:update_protocol": "rule:cloud_admin or rule:domain_admin",
"identity:get_protocol": "rule:cloud_admin or rule:domain_admin",
"identity:list_protocols": "rule:cloud_admin or rule:domain_admin",
"identity:delete_protocol": "rule:cloud_admin or rule:domain_admin",
"identity:create_mapping": "rule:cloud_admin",
"identity:get_mapping": "rule:cloud_admin or rule:domain_admin",
"identity:list_mappings": "rule:cloud_admin or rule:domain_admin",
"identity:delete_mapping": "rule:cloud_admin",
"identity:update_mapping": "rule:cloud_admin"
** Affects: keystone
Importance: Undecided
Assignee: Fabio Giannetti (fabio-giannetti)
Status: New
** Changed in: keystone
Assignee: (unassigned) => Fabio Giannetti (fabio-giannetti)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1284922
Title:
policy admin role too broad
Status in OpenStack Identity (Keystone):
New
Bug description:
The policy.v3cloudsample.json file has a generic "admin_required": "role:admin" rule that is applied to several APIs; as a result, any other service holding the same generic "admin" role can de facto perform Keystone calls.
Both Neutron and Glance define a simple admin role that can therefore be used to perform Keystone-protected calls.
Proposed changes:
1) remove "admin_required" and replace it with "rule:cloud_admin"
2) correctly scope access to these APIs:
"identity:create_consumer": "rule:cloud_admin or rule:domain_admin",
"identity:get_consumer": "rule:cloud_admin or rule:domain_admin",
"identity:list_consumers": "rule:cloud_admin or rule:domain_admin",
"identity:delete_consumer": "rule:cloud_admin or rule:domain_admin",
"identity:update_consumer": "rule:cloud_admin or rule:domain_admin",
"identity:authorize_request_token": "rule:cloud_admin or rule:domain_admin",
"identity:list_access_token_roles": "rule:cloud_admin or rule:domain_admin",
"identity:get_access_token_role": "rule:cloud_admin or rule:domain_admin",
"identity:list_access_tokens": "rule:cloud_admin or rule:domain_admin",
"identity:get_access_token": "rule:cloud_admin or rule:domain_admin",
"identity:delete_access_token": "rule:cloud_admin or rule:domain_admin",
"identity:list_projects_for_endpoint": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:add_endpoint_to_project": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:check_endpoint_in_project": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:list_endpoints_for_project": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:remove_endpoint_from_project": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:create_identity_provider": "rule:cloud_admin or rule:domain_admin",
"identity:list_identity_providers": "rule:cloud_admin or rule:domain_admin",
"identity:get_identity_providers": "rule:cloud_admin or rule:domain_admin",
"identity:update_identity_provider": "rule:cloud_admin or rule:domain_admin",
"identity:delete_identity_provider": "rule:cloud_admin or rule:domain_admin",
"identity:create_protocol": "rule:cloud_admin or rule:domain_admin",
"identity:update_protocol": "rule:cloud_admin or rule:domain_admin",
"identity:get_protocol": "rule:cloud_admin or rule:domain_admin",
"identity:list_protocols": "rule:cloud_admin or rule:domain_admin",
"identity:delete_protocol": "rule:cloud_admin or rule:domain_admin",
"identity:create_mapping": "rule:cloud_admin",
"identity:get_mapping": "rule:cloud_admin or rule:domain_admin",
"identity:list_mappings": "rule:cloud_admin or rule:domain_admin",
"identity:delete_mapping": "rule:cloud_admin",
"identity:update_mapping": "rule:cloud_admin"
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1284922/+subscriptions