yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1717847] Re: Policy does not work for trusts

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Morgan Fainberg <morgan.fainberg@xxxxxxxxx>
Date: Wed, 24 Oct 2018 17:46:56 -0000
Reply-to: Bug 1717847 <1717847@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

I'm going to mark this as opinion. It likely will get better with scope-
types and policy-in-code, but this bug in itself isn't relevant due to
how trusts were architected.

** Changed in: keystone
       Status: Confirmed => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1717847

Title:
  Policy does not work for trusts

Status in OpenStack Identity (keystone):
  Opinion

Bug description:
  see: http://lists.openstack.org/pipermail/openstack-
  dev/2017-September/122115.html

  In short, the trusts APIs handle their policy in code rather than from
  the policy file.

  This is rather confusing seeing as we have policies for trusts in the policy json file which do nothing:
  https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L137-L142

  We should set better default policies, and change the code to respect
  the policy files rather than handle the policy checking based on
  hardcoded values.

  
  This change needs to be handled carefully (and made very obvious in release notes), because anyone using an older policy file once the change to respect the policy file is part of a release, will mean any authed user can list trusts because of the existing (and incorrect) default policy rules.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1717847/+subscriptions

References

[Bug 1717847] [NEW] Policy does not work for trusts
From: Adrian Turjak, 2017-09-18