yahoo-eng-team team mailing list archive

[Bug 1788415] Re: The credential API should account for different scopes


Reviewed:  https://review.openstack.org/594547
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=239bed09a922d6076711ca5c112be6299fa0f0bb
Submitter: Zuul
Branch:    master

commit 239bed09a922d6076711ca5c112be6299fa0f0bb
Author: Lance Bragstad <lbragstad@xxxxxxxxx>
Date:   Tue Aug 21 20:41:38 2018 +0000

    Implement scope_type checking for credentials
    
    This change adds test cases for the default roles keystone
    supports at install time. It also modifies the policies for the
    credentials API to be more self-service by properly checking
    for various scopes.
    
    Closes-Bug: 1788415
    Partial-Bug: 968696
    
    Change-Id: Ifedb7798c96930b6cc0f91159a14a21ac4b02f9f


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1788415

Title:
  The credential API should account for different scopes

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Keystone implemented scope_types for oslo.policy RuleDefault objects
  in the Queens release. In order to take full advantage of scope_types,
  keystone is going to have to evolve policy enforcement checks in the
  user API. This is documented in each patch with FIXMEs [0].

  The following acceptance criteria describe how the v3 credential API
  should behave with tokens from multiple scopes:

  GET /v3/credentials/{credential_id}

  - Someone with a system role assignment that passes the check string should be able to view credentials for any user in the deployment (system-scoped)
  - Someone with a valid token should only be able to view credentials they've created

  GET /v3/credentials/

  - Someone with a system role assignment that passes the check string should be able to list all credentials in the deployment (system-scoped)
  - Someone with a valid token should only be able to list credentials associated to their user

  POST /v3/credentials

  - Someone with a system role assignment that passes the check string should be able to create credentials for other users (system-scoped)
  - Someone with a valid token should only be able to create credentials for themselves

  DELETE /v3/credentials/{credential_id}

  - Someone with a system role assignment that passes the check string should be able to delete any credential in the deployment (system-scoped)
  - Someone with a valid token should only be able to delete credentials associated to their user account

  [0]
  https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/credential.py#n21
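The acceptance criteria above, modelled as a small self-contained enforcer (an added example, not keystone's policy code; the check string is assumed to be "system-scoped token with the admin role", and the user ids, roles and credential store are constructed). It also shows the failure mode the scope_type work guards against: a project-scoped token holding the same role must not be treated as system-scoped.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class TokenContext:
    """What the enforcer learns from the token used to call the API."""
    user_id: str
    roles: FrozenSet[str]
    system_scope: bool = False        # True only for a system-scoped token
    project_id: Optional[str] = None  # set for project-scoped tokens


@dataclass(frozen=True)
class Credential:
    id: str
    user_id: str  # the owner of the credential


# Assumed check string: a system-scoped token carrying the admin role.
SYSTEM_CHECK_ROLES = frozenset({"admin"})
ACTIONS = frozenset({"get", "create", "delete"})


def passes_system_check(ctx: TokenContext) -> bool:
    """Deployment-wide access needs BOTH system scope and a matching role.
    A project-scoped token with the same role does not qualify."""
    return ctx.system_scope and bool(ctx.roles & SYSTEM_CHECK_ROLES)


def authorize(action: str, ctx: TokenContext, target_user_id: str) -> bool:
    """GET/POST/DELETE on a single credential owned by target_user_id."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    if passes_system_check(ctx):
        return True
    # Every other valid token is limited to the caller's own credentials.
    return ctx.user_id == target_user_id


def list_credentials(ctx: TokenContext, store: List[Credential]) -> List[Credential]:
    """GET /v3/credentials: everything for system scope, otherwise only the caller's."""
    if passes_system_check(ctx):
        return list(store)
    return [c for c in store if c.user_id == ctx.user_id]


# Constructed sample data for a quick run.
STORE = [Credential("c1", "alice"), Credential("c2", "bob")]
SYSTEM_ADMIN = TokenContext("carol", frozenset({"admin"}), system_scope=True)
PROJECT_ADMIN = TokenContext("alice", frozenset({"admin"}), project_id="p1")
BOB = TokenContext("bob", frozenset({"member"}), project_id="p1")
```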

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1788415/+subscriptions