
yahoo-eng-team team mailing list archive

[Bug 1818725] [NEW] Application credential API doesn't use default roles

 

Public bug reported:

In Rocky, keystone implemented support to ensure at least three default
roles were available [0]. The application credentials API doesn't
incorporate these defaults into its default policies [1], but it should.

For example, system administrators should be able to clean up
application credentials regardless of users, but system members or
readers should only be able to list or get application credentials.
Users who are not system users should only be able to manage their
application credentials.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/application_credential.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc

** Affects: keystone
     Importance: Medium
         Status: Triaged


** Tags: default-roles policy

** Changed in: keystone
       Status: New => Triaged

** Changed in: keystone
   Importance: Undecided => Medium

** Description changed:

  In Rocky, keystone implemented support to ensure at least three default
  roles were available [0]. The application credentials API doesn't
  incorporate these defaults into its default policies [1], but it should.
  
- For example, system users should be able to manage any application
- credential, regardless of the user. Users who are not system users
- should only be able to manage their application credentials.
+ For example, system administrators should be able to clean up
+ application credentials regardless of users, but system members or
+ readers should only be able to list or get application credentials.
+ Users who are not system users should only be able to manage their
+ application credentials.
  
  [0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
  [1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/application_credential.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc
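Review bot: the added lines give system administrators only the ability to "clean up" application credentials, which leaves open whether that means delete alone or other write operations as well, while the final sentence keeps the broader word "manage" for non-system users. Stating the allowed operations per role (for example: system administrators may delete any user's credential; system members and readers may list and get) would make the expected default policies unambiguous and testable.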

** Tags added: default-roles policy

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1818725

Title:
  Application credential API doesn't use default roles

Status in OpenStack Identity (keystone):
  Triaged

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1818725/+subscriptions
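
The access rules this bug asks for, written out as a small decision function. This is an added example, not keystone's policy code: the action names, the token fields, and the reading of "clean up" as delete-only are assumptions, and the sample tokens are constructed.

```python
# Added illustration, not keystone's policy code. Action names and token
# fields are hypothetical; sample tokens below are constructed.
IMPLIED = {  # default-role chain: admin implies member implies reader
    "admin": {"admin", "member", "reader"},
    "member": {"member", "reader"},
    "reader": {"reader"},
}
READ = {"get", "list"}
WRITE = {"create", "delete"}


def effective_roles(roles):
    """Expand assigned roles through the implication chain."""
    out = set()
    for role in roles:
        out |= IMPLIED.get(role, {role})
    return out


def is_authorized(action, token, target_user_id):
    """May `token` perform `action` on target_user_id's application credentials?"""
    if action not in READ | WRITE:
        return False  # unknown action: fail closed
    if token["user_id"] == target_user_id:
        return True  # any user manages their own credentials
    if not token.get("system_scope"):
        return False  # project/domain tokens never reach other users' credentials
    roles = effective_roles(token.get("roles", []))
    if action in READ:
        return "reader" in roles  # system reader, member or admin
    # Assumption: "clean up" means delete only, so no create on behalf of a user.
    return action == "delete" and "admin" in roles


def token(user_id, roles, system_scope=False):
    return {"user_id": user_id, "roles": roles, "system_scope": system_scope}


if __name__ == "__main__":
    alice = "alice-id"  # constructed owner of the credential
    for who in (token("ops", ["admin"], True), token("aud", ["reader"], True),
                token("padmin", ["admin"]), token(alice, ["member"])):
        print(who["user_id"], {a: is_authorized(a, who, alice)
                               for a in sorted(READ | WRITE)})
```

The case worth checking against any real policy file is the project-scoped admin: holding the admin role without system scope must not grant access to another user's credentials.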

