yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1267096] Re: v3/credentials API is admin-only

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Thu, 04 Sep 2014 14:31:49 -0000
Reply-to: Bug 1267096 <1267096@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1267096

Title:
  v3/credentials API is admin-only

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  The default policy makes v3/credentials admin-only:

  http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.json#n59

  But in the docs, we say "generic credential storage per user" which
  implies it's a user accessible interface.

  Also, for the ec2 credential storage to work as a replacement for the
  ec2tokens API, it needs to be user-accessible.

  Seems like a more appropriate restriction would be to enforce that the
  user_id in the request matches the token, or the user is admin, e.g
  use "admin_or_owner" instead of "admin_required"

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1267096/+subscriptions

References

[Bug 1267096] [NEW] v3/credentials API is admin-only
From: Steven Hardy, 2014-01-08