yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1717847] [NEW] Policy does not work for trusts

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Adrian Turjak <adriant@xxxxxxxxxxxxxxx>
Date: Mon, 18 Sep 2017 05:35:53 -0000
Reply-to: Bug 1717847 <1717847@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

see: http://lists.openstack.org/pipermail/openstack-
dev/2017-September/122115.html

In short, the trusts APIs handle their policy in code rather than from
the policy file.

This is rather confusing seeing as we have policies for trusts in the policy json file which do nothing:
https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L137-L142

We should set better default policies, and change the code to respect
the policy files rather than handle the policy checking based on
hardcoded values.


This change needs to be handled carefully (and made very obvious in release notes), because anyone using an older policy file once the change to respect the policy file is part of a release, will mean any authed user can list trusts because of the existing (and incorrect) default policy rules.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1717847

Title:
  Policy does not work for trusts

Status in OpenStack Identity (keystone):
  New

Bug description:
  see: http://lists.openstack.org/pipermail/openstack-
  dev/2017-September/122115.html

  In short, the trusts APIs handle their policy in code rather than from
  the policy file.

  This is rather confusing seeing as we have policies for trusts in the policy json file which do nothing:
  https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L137-L142

  We should set better default policies, and change the code to respect
  the policy files rather than handle the policy checking based on
  hardcoded values.

  
  This change needs to be handled carefully (and made very obvious in release notes), because anyone using an older policy file once the change to respect the policy file is part of a release, will mean any authed user can list trusts because of the existing (and incorrect) default policy rules.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1717847/+subscriptions

Follow ups

[Bug 1717847] Re: Policy does not work for trusts
From: Morgan Fainberg, 2018-10-24