yahoo-eng-team team mailing list archive

[Bug 1373599] [NEW] Trust operations in policy.json are misleading


Public bug reported:

The sample policy.json files included in Keystone have the trust API
operations listed.  For example:

    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
    "identity:get_trust": "rule:admin_or_owner",
    "identity:list_trusts": "",
    "identity:list_roles_for_trust": "",
    "identity:check_role_for_trust": "",
    "identity:get_role_for_trust": "",
    "identity:delete_trust": "",

This implies that these trust operations are protected by policy, which
is true but misleading.  While policy does protect these operations,
they are hardcoded to be very restrictive.  Here are some examples from
the controller code:

----------------------------------------------------------------------
    @controller.protected()
    def delete_trust(self, context, trust_id):
        trust = self.trust_api.get_trust(trust_id)
        if not trust:
            raise exception.TrustNotFound(trust_id=trust_id)

        user_id = self._get_user_id(context)
        _admin_trustor_only(context, trust, user_id)
        self.trust_api.delete_trust(trust_id)

    @controller.protected()
    def list_roles_for_trust(self, context, trust_id):
        trust = self.get_trust(context, trust_id)['trust']
        if not trust:
            raise exception.TrustNotFound(trust_id=trust_id)
        user_id = self._get_user_id(context)
        _trustor_trustee_only(trust, user_id)
        return {'roles': trust['roles'],
                'links': trust['roles_links']}
----------------------------------------------------------------------

In the trust controller code, the following restrictions are currently
hard-coded:

  create_trust - trustor only
  get_trust - trustor or trustee only
  list_trusts - admin only to list all trusts, trustor or trustee only for related trusts
  list_roles_for_trust - trustor or trustee only
  check_role_for_trust - trustor or trustee only
  get_role_for_trust - trustor or trustee only (indirectly via check_role_for_trust)
  delete_trust - admin or trustor only

The policies in policy.json can make these operations more restricted,
but not less restricted than the hard-coded restrictions.  We can't
simply remove these settings from policy.json, as that would cause the
"default" rule to be used which makes trusts unusable in the case of the
default "default" rule of "admin_required".  This only leaves us with
the option of clearly documenting the behavior IMHO.  Unfortunately,
JSON doesn't allow comments, so we can't just add nice comments right
there in policy.json.  I think that the correct approach is:

- Add a general purpose paragraph to the RBAC section of
doc/source/configuration.rst that states that some operations have hard-
coded restrictions that policy is unable to circumvent.  Mention that
policy can still make these operations more restrictive.

- Add documentation for the trust extension at
keystone/doc/source/extensions/trust.rst that mentions the hard-coded
restrictions for each trust operation.  Documentation for the trust
extension in this area is completely missing at this time.

** Affects: keystone
     Importance: Undecided
         Status: Confirmed

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1373599

Title:
  Trust operations in policy.json are misleading

Status in OpenStack Identity (Keystone):
  Confirmed

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1373599/+subscriptions
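As an added illustration (not Keystone's code) of the point the report makes, that the policy.json entries can make the trust operations more restrictive but never less restrictive than the controller's hard-coded checks: a small model in which a call must pass both the policy.json rule and the hard-coded restriction. Assumptions: the evaluator supports only the rule forms quoted in the report, `rule:admin_or_owner` is modelled as "admin or trustor", `list_trusts` is omitted, and `authorize`, the callers and the trust record are constructed here.

```python
import re

# Constructed sample data (not real Keystone data): one trust and three callers.
TRUST = {"trustor_user_id": "alice", "trustee_user_id": "bob"}
ALICE, BOB = {"user_id": "alice", "is_admin": False}, {"user_id": "bob", "is_admin": False}
ROOT = {"user_id": "root", "is_admin": True}

# The rules quoted from the sample policy.json in the bug (list_trusts omitted).
SAMPLE_POLICY = {
    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
    "identity:get_trust": "rule:admin_or_owner",
    "identity:list_roles_for_trust": "",
    "identity:check_role_for_trust": "",
    "identity:get_role_for_trust": "",
    "identity:delete_trust": "",
}

def policy_allows(rule, creds, target):
    """Evaluate only the rule forms used above (a tiny subset of policy syntax)."""
    if rule == "":                      # empty rule: any authenticated caller
        return True
    if rule == "rule:admin_required":
        return creds["is_admin"]
    if rule == "rule:admin_or_owner":   # assumed expansion: admin or the trustor
        return creds["is_admin"] or creds["user_id"] == target["trust"]["trustor_user_id"]
    m = re.fullmatch(r"user_id:%\(([\w.]+)\)s", rule)
    if m:                               # e.g. user_id:%(trust.trustor_user_id)s
        value = target
        for key in m.group(1).split("."):
            value = value[key]
        return creds["user_id"] == value
    raise ValueError("unsupported rule: " + rule)

# The restrictions the bug lists as hard-coded in the trust controller.
def _trustor_only(c, t):
    return c["user_id"] == t["trustor_user_id"]
def _trustor_trustee_only(c, t):
    return c["user_id"] in (t["trustor_user_id"], t["trustee_user_id"])
def _admin_trustor_only(c, t):
    return c["is_admin"] or _trustor_only(c, t)
HARD_CODED = {"create_trust": _trustor_only, "delete_trust": _admin_trustor_only,
              "get_trust": _trustor_trustee_only, "list_roles_for_trust": _trustor_trustee_only,
              "check_role_for_trust": _trustor_trustee_only, "get_role_for_trust": _trustor_trustee_only}

def authorize(op, policy, creds, trust):
    """Allowed only if the policy.json rule AND the hard-coded check both pass."""
    if not policy_allows(policy["identity:" + op], creds, {"trust": trust}):
        return False                     # policy can tighten the operation ...
    return HARD_CODED[op](creds, trust)  # ... but can never loosen this check
```

With the sample rules the trustee is still refused delete_trust even though its rule is "", and an admin passes `rule:admin_or_owner` for get_trust yet is refused by the trustor-or-trustee check; replacing a rule with `rule:admin_required` tightens the operation further.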

