← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1808859] [NEW] The v3 group API should account for different scopes

 

Public bug reported:

Keystone implemented scope_types for oslo.policy RuleDefault objects in
the Queens release [0]. In order to take full advantage of scope_types,
keystone is going to have to evolve policy enforcement checks in the
group API. This is documented in each patch with FIXMEs [1].

System users should be able to manage groups across all domains in the deployment.
Domain users should be able to manage groups within the domain they have authorization on.
Project users shouldn't be able to manage groups at all, since group entities are domain-specific.

[0] https://review.openstack.org/#/c/525706/
[1] https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/group.py?id=20f11eb88a7d8bf534fa221ebeae4ae9c87cdc0b#n21

** Affects: keystone
     Importance: High
         Status: Triaged


** Tags: policy system-scope

** Tags added: policy

** Tags added: system-scope

** Description changed:

  Keystone implemented scope_types for oslo.policy RuleDefault objects in
  the Queens release [0]. In order to take full advantage of scope_types,
  keystone is going to have to evolve policy enforcement checks in the
  group API. This is documented in each patch with FIXMEs [1].
  
  System users should be able to manage groups across all domains in the deployment.
  Domain users should be able to manage groups within the domain they have authorization on.
  Project users shouldn't be able to manage groups at all, since group entities are domain-specific.
  
  [0] https://review.openstack.org/#/c/525706/
- [1] https://review.openstack.org/#/c/525706/3/keystone/common/policies/group.py
+ [1] https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/group.py?id=20f11eb88a7d8bf534fa221ebeae4ae9c87cdc0b#n21

** Changed in: keystone
       Status: New => Triaged

** Changed in: keystone
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1808859

Title:
  The v3 group API should account for different scopes

Status in OpenStack Identity (keystone):
  Triaged

Bug description:
  Keystone implemented scope_types for oslo.policy RuleDefault objects
  in the Queens release [0]. In order to take full advantage of
  scope_types, keystone is going to have to evolve policy enforcement
  checks in the group API. This is documented in each patch with FIXMEs
  [1].

  System users should be able to manage groups across all domains in the deployment.
  Domain users should be able to manage groups within the domain they have authorization on.
  Project users shouldn't be able to manage groups at all, since group entities are domain-specific.

  [0] https://review.openstack.org/#/c/525706/
  [1] https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/group.py?id=20f11eb88a7d8bf534fa221ebeae4ae9c87cdc0b#n21

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1808859/+subscriptions


Follow ups