Message #11112
[Bug 1284922] Re: policy admin role too broad
** Changed in: keystone
Importance: Undecided => Wishlist
** Changed in: keystone
Status: New => Opinion
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1284922
Title:
policy admin role too broad
Status in OpenStack Identity (Keystone):
Opinion
Bug description:
The policy.v3cloudsample.json file has a generic "admin_required": "role:admin" rule that is applied to several APIs, which de facto allows other services holding the same generic "admin" role to perform Keystone calls.
Both Neutron and Glance define a simple admin role that can then be used to perform Keystone-protected calls.
Proposed changes:
1) remove "admin_required" and replace it with "rule:cloud_admin"
2) correctly scope access to these APIs:
"identity:create_consumer": "rule:cloud_admin or rule:domain_admin",
"identity:get_consumer": "rule:cloud_admin or rule:domain_admin",
"identity:list_consumers": "rule:cloud_admin or rule:domain_admin",
"identity:delete_consumer": "rule:cloud_admin or rule:domain_admin",
"identity:update_consumer": "rule:cloud_admin or rule:domain_admin",
"identity:authorize_request_token": "rule:cloud_admin or rule:domain_admin",
"identity:list_access_token_roles": "rule:cloud_admin or rule:domain_admin",
"identity:get_access_token_role": "rule:cloud_admin or rule:domain_admin",
"identity:list_access_tokens": "rule:cloud_admin or rule:domain_admin",
"identity:get_access_token": "rule:cloud_admin or rule:domain_admin",
"identity:delete_access_token": "rule:cloud_admin or rule:domain_admin",
"identity:list_projects_for_endpoint": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:add_endpoint_to_project": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:check_endpoint_in_project": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:list_endpoints_for_project": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:remove_endpoint_from_project": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:create_identity_provider": "rule:cloud_admin or rule:domain_admin",
"identity:list_identity_providers": "rule:cloud_admin or rule:domain_admin",
"identity:get_identity_providers": "rule:cloud_admin or rule:domain_admin",
"identity:update_identity_provider": "rule:cloud_admin or rule:domain_admin",
"identity:delete_identity_provider": "rule:cloud_admin or rule:domain_admin",
"identity:create_protocol": "rule:cloud_admin or rule:domain_admin",
"identity:update_protocol": "rule:cloud_admin or rule:domain_admin",
"identity:get_protocol": "rule:cloud_admin or rule:domain_admin",
"identity:list_protocols": "rule:cloud_admin or rule:domain_admin",
"identity:delete_protocol": "rule:cloud_admin or rule:domain_admin",
"identity:create_mapping": "rule:cloud_admin",
"identity:get_mapping": "rule:cloud_admin or rule:domain_admin",
"identity:list_mappings": "rule:cloud_admin or rule:domain_admin",
"identity:delete_mapping": "rule:cloud_admin",
"identity:update_mapping": "rule:cloud_admin"
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1284922/+subscriptions