yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1794376] [NEW] Domains API should account for system-scope and default roles

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Lance Bragstad <lbragstad@xxxxxxxxx>
Date: Tue, 25 Sep 2018 21:29:44 -0000
Reply-to: Bug 1794376 <1794376@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

Keystone domains are an important resource that only system
administrators, members, or readers should be able to manage. We should
update the domain policies to include system-scoped test coverage and
consumption of the new default roles in keystone.

System administrators should be able to:
  - GET /v3/domains/
  - GET /v3/damains/{domain_id}
  - POST /v3/domains/
  - PATCH /v3/domains/{domain_id}
  - DELETE /v3/domains/{domain_id}

System members should be able to:
  - GET /v3/domains/
  - GET /v3/damains/{domain_id}
  - PATCH /v3/domains/{domain_id}

System readers should be able to:
  - GET /v3/domains/
  - GET /v3/damains/{domain_id}

** Affects: keystone
     Importance: High
         Status: Triaged


** Tags: policy

** Tags added: policy

** Changed in: keystone
       Status: New => Triaged

** Changed in: keystone
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1794376

Title:
  Domains API should account for system-scope and default roles

Status in OpenStack Identity (keystone):
  Triaged

Bug description:
  Keystone domains are an important resource that only system
  administrators, members, or readers should be able to manage. We
  should update the domain policies to include system-scoped test
  coverage and consumption of the new default roles in keystone.

  System administrators should be able to:
    - GET /v3/domains/
    - GET /v3/damains/{domain_id}
    - POST /v3/domains/
    - PATCH /v3/domains/{domain_id}
    - DELETE /v3/domains/{domain_id}

  System members should be able to:
    - GET /v3/domains/
    - GET /v3/damains/{domain_id}
    - PATCH /v3/domains/{domain_id}

  System readers should be able to:
    - GET /v3/domains/
    - GET /v3/damains/{domain_id}

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1794376/+subscriptions

Follow ups

[Bug 1794376] Re: Domains API should account for system-scope and default roles
From: OpenStack Infra, 2018-12-12