
yahoo-eng-team team mailing list archive

[Bug 1329385] Re: Keystone doesn't respect policy rules for "grants"


The policy rules you're looking at apply to the v3 API, but the calls to
assert_admin() you've cited are part of the v2 API. The v3 API supports
fairly granular policy enforcement, but the v2 API is generally binary
(you're either "admin" or not, and all that policy does is define what
"admin" means).

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1329385

Title:
  Keystone doesn't respect policy rules for "grants"

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  Keystone's policy.json defines rules to govern the granting of roles in
  Keystone:

      "identity:check_grant": "rule:admin_required",
      "identity:list_grants": "rule:admin_required",
      "identity:create_grant": "rule:admin_required",
      "identity:revoke_grant": "rule:admin_required",

  While our default policy.json today enforces only "admin_required", when
  I changed the policy to enforce another rule I found a hard-coded check
  in all grant functions in Keystone's assignment module, as follows:

  /keystone/keystone/assignment/controllers.py, lines 198, 211, 217, 230, 235, 246, 265, 286, 313 and 336:
       self.assert_admin(context)

  This function (keystone/keystone/common/wsgi.py line 256) tries to
  identify if "is_admin" is in the context and, if not, enforces the
  rule "admin_required" anyway. In sum, the code is ignoring the policy
  rule.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1329385/+subscriptions
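The distinction drawn in the reply (a policy-driven check that honours whatever rule an operator configures for an action, versus an assert_admin() path that only ever asks "is this caller an admin?") is easier to see with both paths side by side. The following is an added illustration written for this archive page, not Keystone or oslo.policy code: the rule evaluator is a deliberately small stand-in that understands only the `rule:`, `role:` and `is_admin:` checks joined by `and`/`or`, the `grant_manager` role and the overridden create/revoke rules are constructed for the example, and `enforce()` and `assert_admin()` are hypothetical functions modelled on the two behaviours the bug report and reply describe.

```python
"""Stand-in policy evaluator for illustrating the grant-policy bug.

Constructed for this example; it is NOT Keystone's or oslo.policy's code.
Supports the rule-language subset needed here: 'rule:<name>', 'role:<name>',
'is_admin:<value>', combined with 'and' (binds tighter) and 'or'.
"""
from typing import Dict

# Constructed policy: the default grant rules from the bug report, with two
# site-specific overrides that also allow a (hypothetical) 'grant_manager' role.
POLICY: Dict[str, str] = {
    "admin_required": "role:admin or is_admin:1",
    "identity:check_grant": "rule:admin_required",
    "identity:list_grants": "rule:admin_required",
    "identity:create_grant": "rule:admin_required or role:grant_manager",
    "identity:revoke_grant": "rule:admin_required or role:grant_manager",
}


def _match(atom: str, creds: dict, policy: Dict[str, str], depth: int) -> bool:
    """Evaluate a single check atom against the caller's credentials."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        # Named rule reference: recurse into the referenced rule string.
        return evaluate(policy[value], creds, policy, depth + 1)
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "is_admin":
        return str(creds.get("is_admin", 0)) == value
    raise ValueError(f"unsupported check {atom!r}")


def evaluate(rule: str, creds: dict, policy: Dict[str, str], depth: int = 0) -> bool:
    """'or'-separated clauses, each an 'and'-separated list of atoms."""
    if depth > 10:
        raise RecursionError("rule reference loop in policy")
    return any(
        all(_match(atom, creds, policy, depth) for atom in clause.split(" and "))
        for clause in rule.split(" or ")
    )


def enforce(action: str, creds: dict, policy: Dict[str, str] = POLICY) -> bool:
    """Policy-driven path: look up and evaluate the rule registered for the action."""
    return evaluate(policy[action], creds, policy)


def assert_admin(creds: dict, policy: Dict[str, str] = POLICY) -> bool:
    """Hard-coded path as described in the bug report: if the context is not
    already flagged is_admin, evaluate 'admin_required' directly, ignoring
    whatever rule the operator configured for the specific grant action."""
    if creds.get("is_admin"):
        return True
    return evaluate(policy["admin_required"], creds, policy)


def compare(action: str, creds: dict) -> dict:
    """Return the verdict of both paths for the same caller and action."""
    return {"policy": enforce(action, creds), "assert_admin": assert_admin(creds)}


if __name__ == "__main__":
    # Constructed callers: a grant manager (not admin) and a plain admin.
    manager = {"roles": ["grant_manager"], "is_admin": 0}
    admin = {"roles": ["admin"], "is_admin": 0}
    print("grant_manager ->", compare("identity:create_grant", manager))
    print("admin         ->", compare("identity:create_grant", admin))
```

Running it shows the grant manager allowed by the configured `identity:create_grant` rule but refused by the assert_admin() path, while an admin passes both; for `identity:list_grants`, whose rule is still only `rule:admin_required`, the two paths agree. That agreement on the default policy is why the hard-coded check goes unnoticed until someone customises a grant rule, which is exactly the scenario the report describes.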

