yahoo-eng-team team mailing list archive

[Bug 1651989] Re: domain admin token will be treated as cloud admin

 

Reviewed:  https://review.openstack.org/411563
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ef48072d94f780ebaacee8c3ddf02a68193fa74d
Submitter: Jenkins
Branch:    master

commit ef48072d94f780ebaacee8c3ddf02a68193fa74d
Author: Steve Martinelli <s.martinelli@xxxxxxxxx>
Date:   Thu Dec 15 17:48:16 2016 -0800

    Fix cloud_admin rule and ensure only project tokens can be cloud admin
    
    The current rule fails to load with oslo.policy, the correct
    value used to determine the admin project for the cloud_admin should
    simply be: `is_admin_project:True`, since that is what is stored
    in oslo.context.
    
    This problem was masking a more serious issue that domain admin tokens
    could be misinterpreted as cloud admin tokens.
    
    Change-Id: I3ea562c01e06e6c519fdaec3ab6e1dac204ced71
    Closes-Bug: 1547684
    Closes-Bug: 1651989


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1651989

Title:
  domain admin token will be treated as cloud admin

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  The new capability of is_admin_project is currently only supported for
  projects. However, the existing code for token models will return
  is_admin_project as True if the attribute has not been set. Hence
  admin domain tokens might get interpreted as cloud admin tokens. This
  is currently masked by a bug in our policy samples that do not
  correctly check for is_admin_project.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1651989/+subscriptions
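
An added example, not part of the original message and not keystone's or oslo.policy's code: a simplified Python model of the default described in the bug report, beside a variant that only lets project-scoped tokens carry the flag. The dictionary token layout, the function names, the sample tokens and the `role:admin` term are assumptions; only the `is_admin_project:True` check comes from the commit message.

```python
# Simplified model; every name and token below is constructed for illustration.

def is_admin_project_before(token):
    # Reported behaviour: an attribute that was never set is read as True.
    return token.get("is_admin_project", True)

def is_admin_project_after(token):
    # Assumed shape of the fix: only project-scoped tokens may carry the flag.
    if "project" not in token:
        return False
    # The default for project tokens is left unchanged; the scope check is the point.
    return token.get("is_admin_project", True)

def credentials(token, flag_fn):
    """Build the dict a policy rule is evaluated against."""
    return {"roles": token["roles"], "is_admin_project": flag_fn(token)}

def check(rule, creds):
    """Evaluate 'kind:value' terms joined by ' and ' (toy evaluator)."""
    for term in rule.split(" and "):
        kind, value = term.split(":", 1)
        if kind == "role":
            ok = value in creds["roles"]
        else:
            ok = str(creds.get(kind)) == value
        if not ok:
            return False
    return True

CLOUD_ADMIN = "role:admin and is_admin_project:True"

TOKENS = {  # constructed sample tokens
    "domain_admin": {"roles": ["admin"], "domain": {"id": "d1"}},
    "admin_project": {"roles": ["admin"], "project": {"id": "p-admin"},
                      "is_admin_project": True},
    "other_project": {"roles": ["admin"], "project": {"id": "p2"},
                      "is_admin_project": False},
}

def evaluate(flag_fn):
    """Return, per sample token, whether it passes the cloud_admin rule."""
    return {name: check(CLOUD_ADMIN, credentials(tok, flag_fn))
            for name, tok in TOKENS.items()}

if __name__ == "__main__":
    print("before:", evaluate(is_admin_project_before))
    print("after: ", evaluate(is_admin_project_after))
```

The domain-scoped token passes the rule only under the first function, because its missing attribute is read as True.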

