
yahoo-eng-team team mailing list archive

[Bug 1329385] [NEW] Keystone doesn't respect policy rules for "grants"

 

Public bug reported:

Keystone's policy.json defines rules to govern granting of roles into
Keystone:

    "identity:check_grant": "rule:admin_required",
    "identity:list_grants": "rule:admin_required",
    "identity:create_grant": "rule:admin_required",
    "identity:revoke_grant": "rule:admin_required",

While our default policy.json, today, enforces only "admin_required",
when changing the policy to enforce another rule, I found a hard-coded
check on all grant functions on Keystone's assignment module as follows:

/keystone/keystone/assignment/controllers.py, lines 198, 211, 217, 230, 235, 246, 265, 286, 313 and 336:
     self.assert_admin(context)

This function (keystone/keystone/common/wsgi.py line 256) tries to
identify if "is_admin" is in the context and, if not, enforces the rule
"admin_required" anyway. In sum, the code is ignoring the policy rule.

** Affects: keystone
     Importance: Undecided
         Status: New

** Description changed:

  Keystone's policy.json define rules to govern granting of roles into
  Keystone:
  
-     "identity:check_grant": "rule:admin_required",
-     "identity:list_grants": "rule:admin_required",
-     "identity:create_grant": "rule:admin_required",
-     "identity:revoke_grant": "rule:admin_required",
+     "identity:check_grant": "rule:admin_required",
+     "identity:list_grants": "rule:admin_required",
+     "identity:create_grant": "rule:admin_required",
+     "identity:revoke_grant": "rule:admin_required",
  
  While our default policy.json, today, enforces only "admin_required",
  when changing the policy to enforce another rule, I found a hard-coded
  check on all grant functions on Keystone's assignment module as follows:
  
  /keystone/keystone/assignment/controllers.py, lines 198, 211, 217, 230, 235, 246, 265, 286, 313 and 336:
-      self.assert_admin(context)
+      self.assert_admin(context)
  
- This function (line 256) tries to identify if "is_admin" is in the
- context and, if not, enforces the rule "admin_required" anyway. In sum,
- the code is ignoring the policy rule.
+ This function (keystone/keystone/common/wsgi.py line 256) tries to
+ identify if "is_admin" is in the context and, if not, enforces the rule
+ "admin_required" anyway. In sum, the code is ignoring the policy rule.

https://bugs.launchpad.net/bugs/1329385

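The following is an added illustration and is not code from the bug report or from Keystone itself. It models the defect the reporter describes with a tiny constructed stand-in for the policy engine and policy.json: an operator has widened the grant rules beyond the default "rule:admin_required", but a handler that calls a hard-coded assert_admin() never consults the rule configured for "identity:create_grant", so the operator's change has no effect. The POLICY table, the role names, the evaluate() and enforce() helpers and the two create_grant handlers are all assumptions made for the example, not Keystone's real API.

```python
"""Constructed toy model of the defect the report describes. It is not
Keystone code: a minimal evaluator stands in for the policy engine and
policy.json, and two small create_grant handlers show the difference between
a hard-coded assert_admin() and enforcing the rule configured for the action.
"""


class PolicyNotAuthorized(Exception):
    """Raised when the credentials do not satisfy the evaluated rule."""


# Stand-in for an operator-edited policy.json (constructed). The defaults
# map every grant action to "rule:admin_required"; here the operator has
# delegated grant management to a project_admin role as well.
POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "grant_manager": "role:project_admin or rule:admin_required",
    "identity:create_grant": "rule:grant_manager",
}


def evaluate(expr, creds):
    """Evaluate a tiny subset of the policy language: terms joined by 'or',
    each of the form role:NAME, is_admin:1 or rule:RULE_NAME."""
    for term in expr.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "role" and value in creds.get("roles", ()):
            return True
        if kind == "is_admin" and value == "1" and creds.get("is_admin"):
            return True
        if kind == "rule" and evaluate(POLICY[value], creds):
            return True
    return False


def enforce(action, creds):
    """Look up the rule configured for `action` and evaluate it."""
    if not evaluate(POLICY[action], creds):
        raise PolicyNotAuthorized(action)


def assert_admin(context):
    """Mirrors the pattern the report points at: unless the request context
    is already flagged is_admin, enforce 'admin_required' directly. The
    action-specific rule in POLICY is never consulted."""
    if context.get("is_admin"):
        return
    if not evaluate(POLICY["admin_required"], context["creds"]):
        raise PolicyNotAuthorized("admin_required")


def create_grant_hardcoded(context, role_id, user_id, project_id):
    """Handler in the style the report describes (hypothetical)."""
    assert_admin(context)
    return {"role_id": role_id, "user_id": user_id, "project_id": project_id}


def create_grant_policy(context, role_id, user_id, project_id):
    """Handler that enforces the rule named for the operation, so an
    operator's change to policy.json actually takes effect (hypothetical)."""
    enforce("identity:create_grant", context["creds"])
    return {"role_id": role_id, "user_id": user_id, "project_id": project_id}


def allowed(handler, context):
    """True if the handler performs the (constructed) role assignment."""
    try:
        handler(context, "role-x", "user-y", "project-z")
        return True
    except PolicyNotAuthorized:
        return False


def compare(context):
    """Return (hard-coded result, policy-driven result) for one caller."""
    return (allowed(create_grant_hardcoded, context),
            allowed(create_grant_policy, context))


if __name__ == "__main__":
    # Constructed callers: none of them use an admin token, so context
    # is_admin is False and only their roles decide the outcome.
    callers = {
        "cloud admin": {"is_admin": False, "creds": {"roles": ["admin"]}},
        "project admin": {"is_admin": False, "creds": {"roles": ["project_admin"]}},
        "plain member": {"is_admin": False, "creds": {"roles": ["member"]}},
    }
    for name, ctx in callers.items():
        hard, pol = compare(ctx)
        print(f"{name}: hard-coded assert_admin -> {hard}, policy rule -> {pol}")
```

Running it shows the project admin denied by the hard-coded handler but permitted by the policy-driven one, while the cloud admin and the plain member get the same answer from both. The check a practitioner wants when auditing a service for this class of problem is therefore not "is there an authorization check" but "is the check keyed on the action's configured rule", since a hard-coded check both ignores rules the operator tightens and rules the operator loosens.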

