yahoo-eng-team team mailing list archive
Message #25648
[Bug 1381809] Re: Domain aware policy should restrict certain operations to cloud admin
** Changed in: keystone
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1381809
Title:
Domain aware policy should restrict certain operations to cloud admin
Status in OpenStack Identity (Keystone):
Fix Released
Bug description:
The domain aware policy that is provided as a part of keystone
(policy.v3cloudsample.json) attempts to define a few layers of
administrative roles:
cloud admin - responsible for overall cloud management
domain admin - responsible for management within a domain
project admin/owner - responsible for management of a project
There are some APIs that should be restricted to the cloud admin, but
they are currently allowed to any user with the "admin" role that is
defined at any scope, such as the administrator of a project. Some
examples are the region and federation APIs:
-----------------------------------------------------------------
"identity:get_region": "",
"identity:list_regions": "",
"identity:create_region": "rule:admin_or_cloud_admin",
"identity:update_region": "rule:admin_or_cloud_admin",
"identity:delete_region": "rule:admin_or_cloud_admin",
"identity:create_identity_provider": "rule:admin_required",
"identity:list_identity_providers": "rule:admin_required",
"identity:get_identity_providers": "rule:admin_required",
"identity:update_identity_provider": "rule:admin_required",
"identity:delete_identity_provider": "rule:admin_required",
"identity:create_protocol": "rule:admin_required",
"identity:update_protocol": "rule:admin_required",
"identity:get_protocol": "rule:admin_required",
"identity:list_protocols": "rule:admin_required",
"identity:delete_protocol": "rule:admin_required",
"identity:create_mapping": "rule:admin_required",
"identity:get_mapping": "rule:admin_required",
"identity:list_mappings": "rule:admin_required",
"identity:delete_mapping": "rule:admin_required",
"identity:update_mapping": "rule:admin_required",
-------------------------------------------------------------------
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1381809/+subscriptions
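To make the bug concrete, the following is an added illustration (not keystone or oslo.policy code, and not part of the bug report above): a simplified evaluator for the oslo.policy-style rule language that policy.v3cloudsample.json is written in. It shows why "rule:admin_required" lets a project-scoped admin create an identity provider, and why "rule:admin_or_cloud_admin" still lets an admin from an unrelated domain create a region, whereas a rule that requires "rule:cloud_admin" restricts both to an admin token scoped to the cloud admin domain. The definitions of admin_required, cloud_admin and admin_or_cloud_admin, the domain id admin_domain_id, and the "after" policy are assumptions modelled on the shape of the sample file, not quoted from it; only the subset of the rule language needed here (role:, domain_id:, rule:, and/or, and the empty rule) is implemented.

```python
"""Simplified evaluator for the oslo.policy-style rule language used by
keystone's policy.v3cloudsample.json.

Added illustration only: this is NOT keystone or oslo.policy code. It
implements just the subset needed here: "role:X", "domain_id:X",
"rule:X", "and", "or", and the empty rule (always allowed).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: the id of the cloud admin domain referenced by the sample policy.
ADMIN_DOMAIN_ID = "admin_domain_id"

# Constructed rule set modelled on the shape of policy.v3cloudsample.json
# (assumption; the real file has many more rules). The three identity:*
# actions carry the rules quoted in the bug report.
POLICY_BEFORE: Dict[str, str] = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:" + ADMIN_DOMAIN_ID,
    "admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
    "identity:list_regions": "",
    "identity:create_region": "rule:admin_or_cloud_admin",
    "identity:create_identity_provider": "rule:admin_required",
}

# Hypothetical tightened policy: cloud-level actions require cloud_admin.
POLICY_AFTER: Dict[str, str] = dict(
    POLICY_BEFORE,
    **{
        "identity:create_region": "rule:cloud_admin",
        "identity:create_identity_provider": "rule:cloud_admin",
    },
)


@dataclass
class Credentials:
    """What a token carries: the assigned roles plus its scope."""
    roles: List[str]
    domain_id: Optional[str] = None   # set for a domain-scoped token
    project_id: Optional[str] = None  # set for a project-scoped token


def _check_atom(atom: str, creds: Credentials, rules: Dict[str, str], depth: int) -> bool:
    """Evaluate a single "kind:value" check against the credentials."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return evaluate(value, creds, rules, depth + 1)
    if kind == "role":
        return value in creds.roles
    if kind == "domain_id":
        return creds.domain_id == value
    raise ValueError("unsupported check type: %r" % kind)


def evaluate(rule_name: str, creds: Credentials, rules: Dict[str, str], depth: int = 0) -> bool:
    """Return True if `creds` satisfy the named rule.

    As in oslo.policy, "and" binds tighter than "or", so an expression is a
    disjunction of conjunctions; parentheses are not supported here.
    """
    if depth > 32:
        raise RecursionError("rule references nested too deeply: " + rule_name)
    expr = rules[rule_name].strip()
    if expr == "":
        return True  # empty rule: anyone may perform the action
    return any(
        all(_check_atom(atom.strip(), creds, rules, depth) for atom in conj.split(" and "))
        for conj in expr.split(" or ")
    )


def cloud_only_actions_open_to_any_admin(policy: Dict[str, str], actions: List[str]) -> List[str]:
    """Audit helper: which of `actions` would a project-scoped admin outside
    the cloud admin domain be allowed to perform?  For APIs meant to be
    cloud-admin-only this list should be empty."""
    project_admin = Credentials(roles=["admin"], project_id="constructed-project")
    return [a for a in actions if evaluate(a, project_admin, policy)]


if __name__ == "__main__":
    cloud_apis = ["identity:create_region", "identity:create_identity_provider"]
    print("before:", cloud_only_actions_open_to_any_admin(POLICY_BEFORE, cloud_apis))
    print("after: ", cloud_only_actions_open_to_any_admin(POLICY_AFTER, cloud_apis))
```

Note that with these assumed definitions "admin_or_cloud_admin" is satisfied by "rule:admin_required" alone, so it is no stricter than "rule:admin_required"; the audit helper makes that visible by listing every cloud-level action a project admin can still perform under a given policy file.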