yahoo-eng-team team mailing list archive, Message #23792
[Bug 1381809] [NEW] Domain aware policy should restrict certain operations to cloud admin
Public bug reported:
The domain aware policy that is provided as a part of keystone
(policy.v3cloudsample.json) attempts to define a few layers of
administrative roles:
cloud admin - responsible for overall cloud management
domain admin - responsible for management within a domain
project admin/owner - responsible for management of a project
There are some APIs that should be restricted to the cloud admin, but
they are currently allowed to any user with the "admin" role that is
defined at any scope, such as the administrator of a project. Some
examples are the region and federation APIs:
-----------------------------------------------------------------
"identity:get_region": "",
"identity:list_regions": "",
"identity:create_region": "rule:admin_or_cloud_admin",
"identity:update_region": "rule:admin_or_cloud_admin",
"identity:delete_region": "rule:admin_or_cloud_admin",
"identity:create_identity_provider": "rule:admin_required",
"identity:list_identity_providers": "rule:admin_required",
"identity:get_identity_providers": "rule:admin_required",
"identity:update_identity_provider": "rule:admin_required",
"identity:delete_identity_provider": "rule:admin_required",
"identity:create_protocol": "rule:admin_required",
"identity:update_protocol": "rule:admin_required",
"identity:get_protocol": "rule:admin_required",
"identity:list_protocols": "rule:admin_required",
"identity:delete_protocol": "rule:admin_required",
"identity:create_mapping": "rule:admin_required",
"identity:get_mapping": "rule:admin_required",
"identity:list_mappings": "rule:admin_required",
"identity:delete_mapping": "rule:admin_required",
"identity:update_mapping": "rule:admin_required",
-------------------------------------------------------------------
** Affects: keystone
Importance: Undecided
Assignee: Nathan Kinder (nkinder)
Status: New
** Changed in: keystone
Assignee: (unassigned) => Nathan Kinder (nkinder)
https://bugs.launchpad.net/bugs/1381809
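The security point of the report is that "rule:admin_required" checks only for the "admin" role and says nothing about the scope of the token that carries it, so a user who is admin on a single project satisfies it just as well as the cloud admin. The following is an added example, not keystone's code and not the fix that landed for this bug: a minimal evaluator for oslo.policy-style rule strings run over a constructed subset of the sample policy. The definitions of "admin_required", "cloud_admin" and "admin_or_cloud_admin" are assumptions modelled on policy.v3cloudsample.json (where "admin_domain_id" is a placeholder the operator replaces with the real admin domain id), the credential dictionaries are constructed, and the "hardened" rule set is one plausible tightening (route the cloud-wide operations to "rule:cloud_admin"), offered to make the before/after difference checkable rather than as the project's patch.

```python
"""
Minimal evaluator for oslo.policy-style rule strings, used to show why
"rule:admin_required" lets a project-scoped admin reach APIs that the
cloud-admin layer was meant to own, and what a tightened policy looks like.

Grammar handled (a deliberate subset of oslo.policy): atoms "key:value",
"role:<name>", "rule:<name>", "" (always allowed), joined by "and" / "or"
with "and" binding tighter; no parentheses and no %(...)s substitution.
"""

# Constructed subset of rule definitions, modelled on policy.v3cloudsample.json.
# The three generic rules are an ASSUMPTION about that file, not quoted from the bug.
CURRENT_RULES = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
    # API rules as quoted in the bug report:
    "identity:get_region": "",
    "identity:list_regions": "",
    "identity:create_region": "rule:admin_or_cloud_admin",
    "identity:update_region": "rule:admin_or_cloud_admin",
    "identity:delete_region": "rule:admin_or_cloud_admin",
    "identity:create_identity_provider": "rule:admin_required",
    "identity:delete_identity_provider": "rule:admin_required",
    "identity:create_protocol": "rule:admin_required",
    "identity:create_mapping": "rule:admin_required",
}

# Tightened variant (an ASSUMPTION about a fix, not the project's patch):
# cloud-wide objects are managed only by the cloud admin.
CLOUD_ADMIN_ONLY = [
    "identity:create_region", "identity:update_region", "identity:delete_region",
    "identity:create_identity_provider", "identity:delete_identity_provider",
    "identity:create_protocol", "identity:create_mapping",
]
HARDENED_RULES = dict(CURRENT_RULES)
HARDENED_RULES.update({api: "rule:cloud_admin" for api in CLOUD_ADMIN_ONLY})

# Constructed credential dicts in the shape keystone hands to the policy engine.
# A project-scoped token carries project_id, not domain_id; a domain-scoped
# token carries domain_id. "admin_domain_id" stands in for the admin domain's id.
PROJECT_ADMIN = {"roles": ["admin"], "project_id": "proj-1234", "user_id": "u1"}
DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "dom-5678", "user_id": "u2"}
CLOUD_ADMIN = {"roles": ["admin"], "domain_id": "admin_domain_id", "user_id": "u3"}
PLAIN_USER = {"roles": ["member"], "project_id": "proj-1234", "user_id": "u4"}


def _atom(atom, rules, creds, depth):
    """Evaluate one atom of a rule against the credentials."""
    if atom == "":
        return True  # empty rule: unconditionally allowed
    if depth > 20:
        raise ValueError("rule recursion too deep (cycle in rule definitions?)")
    key, _, value = atom.partition(":")
    if key == "rule":
        return check(rules[value], rules, creds, depth + 1)  # named rule reference
    if key == "role":
        return value in creds.get("roles", [])
    return str(creds.get(key)) == value  # generic key:value match on credentials


def check(rule_text, rules, creds, depth=0):
    """Evaluate a rule string as an OR of AND-groups of atoms."""
    rule_text = rule_text.strip()
    if rule_text == "":
        return True
    return any(
        all(_atom(a.strip(), rules, creds, depth) for a in group.split(" and "))
        for group in rule_text.split(" or ")
    )


def allowed(rules, api, creds):
    """True if the principal described by creds may call the given API."""
    return check(rules[api], rules, creds)


def reachable_by(rules, creds):
    """Sorted list of identity APIs the principal may call; useful for diffing policies."""
    return sorted(api for api in rules
                  if api.startswith("identity:") and allowed(rules, api, creds))


if __name__ == "__main__":
    lost = set(reachable_by(CURRENT_RULES, PROJECT_ADMIN)) - set(reachable_by(HARDENED_RULES, PROJECT_ADMIN))
    print("APIs a project-scoped admin can no longer call under the tightened policy:")
    for api in sorted(lost):
        print("  ", api)
```

Running the block prints the seven cloud-wide operations that a project-scoped admin reaches under the quoted rules and loses under the tightened ones; the same `reachable_by` diff is a cheap regression check to run whenever the policy file changes, so a rule that silently falls back to a bare role check is caught before deployment.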