← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1805400] [NEW] The v3 role API should account for different scopes

 

Public bug reported:

Keystone implemented scope_types for oslo.policy RuleDefault objects in
the Queens release. In order to take full advantage of scope_types,
keystone is going to have to evolve policy enforcement checks in the
user API. This is documented in each patch with FIXMEs [0].

The following acceptance criteria describe how the v3 role API should
behave with tokens from multiple scopes.

GET /roles/{role_id}

- Someone with a system role assignment that passes the check string should be able to check any role in the deployment (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to check any domain role within that domain (domain-scoped)

GET /roles

- Someone with a system role assignment that passes the check string should be able to list all roles in the deployment (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to list all domain role within a domain (domain-scoped)

POST /roles

- Someone with a system role assignment that passes the check string should be able to create roles (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to create a role within the domain (domain-scoped)

DELETE /roles/{role_id}

- Someone with a system role assignment that passes the check string should be able to remove roles (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to remove a domain role (domain-scoped)


[0] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/role.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927#n21

** Affects: keystone
     Importance: High
         Status: Triaged


** Tags: policy system-scope

** Changed in: keystone
       Status: New => Triaged

** Changed in: keystone
   Importance: Undecided => High

** Tags added: policy system-scope

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1805400

Title:
  The v3 role API should account for different scopes

Status in OpenStack Identity (keystone):
  Triaged

Bug description:
  Keystone implemented scope_types for oslo.policy RuleDefault objects
  in the Queens release. In order to take full advantage of scope_types,
  keystone is going to have to evolve policy enforcement checks in the
  user API. This is documented in each patch with FIXMEs [0].

  The following acceptance criteria describe how the v3 role API should
  behave with tokens from multiple scopes.

  GET /roles/{role_id}

  - Someone with a system role assignment that passes the check string should be able to check any role in the deployment (system-scoped)
  - Someone with a domain role assignment that passes the check string should be able to check any domain role within that domain (domain-scoped)

  GET /roles

  - Someone with a system role assignment that passes the check string should be able to list all roles in the deployment (system-scoped)
  - Someone with a domain role assignment that passes the check string should be able to list all domain role within a domain (domain-scoped)

  POST /roles

  - Someone with a system role assignment that passes the check string should be able to create roles (system-scoped)
  - Someone with a domain role assignment that passes the check string should be able to create a role within the domain (domain-scoped)

  DELETE /roles/{role_id}

  - Someone with a system role assignment that passes the check string should be able to remove roles (system-scoped)
  - Someone with a domain role assignment that passes the check string should be able to remove a domain role (domain-scoped)

  
  [0] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/role.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927#n21

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1805400/+subscriptions


Follow ups