
yahoo-eng-team team mailing list archive

[Bug 1373599] Re: Trust operations in policy.json are misleading


Marking as invalid since this should have expired as incomplete long
ago.

** Changed in: keystone
       Status: Incomplete => Invalid

** Changed in: keystone
     Assignee: Nathan Kinder (nkinder) => (unassigned)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1373599

Title:
  Trust operations in policy.json are misleading

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  The sample policy.json files included in Keystone have the trust API
  operations listed.  For example:

      "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
      "identity:get_trust": "rule:admin_or_owner",
      "identity:list_trusts": "",
      "identity:list_roles_for_trust": "",
      "identity:check_role_for_trust": "",
      "identity:get_role_for_trust": "",
      "identity:delete_trust": "",

  This implies that these trust operations are protected by policy,
  which is true but misleading.  While policy does protect these
  operations, they are hardcoded to be very restrictive.  Here are some
  examples from the controller code:

  ----------------------------------------------------------------------
      @controller.protected()
      def delete_trust(self, context, trust_id):
          trust = self.trust_api.get_trust(trust_id)
          if not trust:
              raise exception.TrustNotFound(trust_id=trust_id)

          user_id = self._get_user_id(context)
          _admin_trustor_only(context, trust, user_id)
          self.trust_api.delete_trust(trust_id)

      @controller.protected()
      def list_roles_for_trust(self, context, trust_id):
          trust = self.get_trust(context, trust_id)['trust']
          if not trust:
              raise exception.TrustNotFound(trust_id=trust_id)
          user_id = self._get_user_id(context)
          _trustor_trustee_only(trust, user_id)
          return {'roles': trust['roles'],
                  'links': trust['roles_links']}
  ----------------------------------------------------------------------

  In the trust controller code, the following restrictions are currently
  hard-coded:

    create_trust - trustor only
    get_trust - trustor or trustee only
    list_trusts - admin only to list all trusts, trustor or trustee only for related trusts
    list_roles_for_trust - trustor or trustee only
    check_role_for_trust - trustor or trustee only
    get_role_for_trust - trustor or trustee only (indirectly via check_role_for_trust)
    delete_trust - admin or trustor only

  The policies in policy.json can make these operations more restricted,
  but not less restricted than the hard-coded restrictions.  We can't
  simply remove these settings from policy.json, as that would cause the
  "default" rule to be used which makes trusts unusable in the case of
  the default "default" rule of "admin_required".  This only leaves us
  with the option of clearly documenting the behavior IMHO.
  Unfortunately, JSON doesn't allow comments, so we can't just add nice
  comments right there in policy.json.  I think that the correct
  approach is:

  - Add a general purpose paragraph to the RBAC section of
  doc/source/configuration.rst that states that some operations have
  hard-coded restrictions that policy is unable to circumvent.  Mention
  that policy can still make these operations more restrictive.

  - Add documentation for the trust extension at
  keystone/doc/source/extensions/trust.rst that mentions the hard-coded
  restrictions for each trust operation.  Documentation for the trust
  extension in this area is completely missing at this time.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1373599/+subscriptions
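The interaction the report describes (policy is consulted by `@controller.protected()`, then the method body applies its own hard-coded check, so policy.json can only ever tighten the result, and a missing entry silently falls through to the `default` rule) is easy to misread from the JSON alone. The following is an added illustration written for this archive page, not keystone code: the evaluator is a deliberately small stand-in for oslo.policy that understands only `""`, `rule:x`, `role:x`, `attr:%(target.path)s` and `or`, and the policy fragment, the `owner` rule, the trust record and the request contexts are all constructed.

```python
"""How a policy.json rule and a hard-coded controller check combine for a
keystone trust operation.  Added illustration, not keystone code; the
evaluator is a tiny stand-in for oslo.policy and all data is constructed."""

# Constructed policy fragment in the shape of the report's sample policy.json.
# "identity:delete_trust" is intentionally absent to show the fall-through to
# the "default" rule that the report warns about.
POLICY = {
    "default": "rule:admin_required",
    "admin_required": "role:admin",
    "owner": "user_id:%(trust.trustor_user_id)s",   # constructed owner rule
    "admin_or_owner": "rule:admin_required or rule:owner",
    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
    "identity:get_trust": "rule:admin_or_owner",
    "identity:list_roles_for_trust": "",
}


def _lookup(target, dotted):
    """Resolve a dotted path such as 'trust.trustor_user_id' in the target."""
    value = target
    for key in dotted.split("."):
        value = value.get(key) if isinstance(value, dict) else None
    return value


def _check(term, context, target, policy):
    """Evaluate one term of a rule expression."""
    kind, _, value = term.partition(":")
    if kind == "rule":
        return policy_allows(value, context, target, policy)
    if kind == "role":
        return value in context["roles"]
    # Generic attribute check: context[kind] must equal the target attribute
    # named by the %(...)s substitution.
    if value.startswith("%(") and value.endswith(")s"):
        value = _lookup(target, value[2:-2])
    return context.get(kind) is not None and context.get(kind) == value


def policy_allows(action, context, target, policy=POLICY):
    """Evaluate the rule for an action.  An action with no entry falls back
    to "default", which is why deleting trust entries from policy.json is
    unsafe when "default" is admin_required."""
    expr = policy.get(action, policy["default"])
    if expr == "":
        return True  # empty rule: any authenticated caller
    return any(_check(t.strip(), context, target, policy) for t in expr.split(" or "))


# The hard-coded restrictions listed in the report, as predicates over the
# request context and the trust being operated on.
def _admin_trustor_only(context, trust):
    return "admin" in context["roles"] or context["user_id"] == trust["trustor_user_id"]


def _trustor_trustee_only(context, trust):
    return context["user_id"] in (trust["trustor_user_id"], trust["trustee_user_id"])


HARDCODED = {
    "identity:create_trust": lambda c, t: c["user_id"] == t["trustor_user_id"],
    "identity:get_trust": _trustor_trustee_only,
    "identity:list_roles_for_trust": _trustor_trustee_only,
    "identity:delete_trust": _admin_trustor_only,
}


def authorize(action, context, trust, policy=POLICY):
    """Mirror the controller flow: policy first, then the method's own check.
    Both must pass, so the effective rule is the intersection of the two:
    policy.json can tighten the hard-coded restriction but never loosen it."""
    target = {"trust": trust}
    policy_ok = policy_allows(action, context, target, policy)
    hard_ok = HARDCODED[action](context, trust)
    return {"policy": policy_ok, "hardcoded": hard_ok, "allowed": policy_ok and hard_ok}


# Constructed sample data: alice trusts bob; carol is an unrelated admin.
TRUST = {"id": "t1", "trustor_user_id": "alice", "trustee_user_id": "bob"}
ALICE = {"user_id": "alice", "roles": ["member"]}
BOB = {"user_id": "bob", "roles": ["member"]}
CAROL_ADMIN = {"user_id": "carol", "roles": ["admin"]}


def demo():
    """The outcomes the report describes, keyed by scenario."""
    tighter = dict(POLICY, **{"identity:list_roles_for_trust": "rule:admin_required"})
    return {
        # Trustor reading her own trust: both layers agree, request allowed.
        "trustor_get_trust": authorize("identity:get_trust", ALICE, TRUST),
        # policy.json says admin_or_owner, yet the hard-coded trustor/trustee
        # check refuses an admin who is neither party: the entry misleads.
        "admin_get_trust": authorize("identity:get_trust", CAROL_ADMIN, TRUST),
        # No policy entry -> "default" -> admin_required: the trustor can no
        # longer delete her own trust although the controller would allow it.
        "trustor_delete_trust": authorize("identity:delete_trust", ALICE, TRUST),
        # Policy can tighten: admin_required for list_roles_for_trust locks out
        # the trustee, whom the controller alone would admit.
        "trustee_list_roles_tightened": authorize(
            "identity:list_roles_for_trust", BOB, TRUST, tighter),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:30} {result}")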