
yahoo-eng-team team mailing list archive

[Bug 1818732] [NEW] EC2 credential API doesn't use default roles

 

Public bug reported:

In Rocky, keystone implemented support to ensure at least three default
roles were available [0]. The EC2 credentials API doesn't incorporate
these defaults into its default policies [1], but it should.

For example, system administrators should be able to clean up
credentials regardless of users, but system members or readers should
only be able to list or get credentials. Users who are not system users
should only be able to manage their credentials.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/ec2_credential.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: default-roles policy

** Tags added: default-roles policy

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1818732

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1818732/+subscriptions
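
The access rules requested in the report, written out as a small self-contained Python model. This is an added example, not keystone's code or the eventual fix: the token dict layout and the `authorize` and `effective_roles` helpers are assumptions of the example, and the action names follow keystone's `identity:ec2_*` policy naming.

```python
# Added illustration: a model of the access rules the report asks for.
# Not keystone code; the token dict layout is an assumption of this example.

# Default roles imply one another: admin -> member -> reader.
IMPLIED = {
    "admin": {"admin", "member", "reader"},
    "member": {"member", "reader"},
    "reader": {"reader"},
}
READ = {"identity:ec2_get_credential", "identity:ec2_list_credentials"}
WRITE = {"identity:ec2_create_credential", "identity:ec2_delete_credential"}


def effective_roles(token):
    """Expand the token's roles through the implication chain."""
    roles = set()
    for role in token.get("roles", ()):
        roles |= IMPLIED.get(role, {role})
    return roles


def authorize(action, token, target_user_id):
    """True if token may perform action on target_user_id's EC2 credentials."""
    if action not in READ | WRITE:
        return False  # unknown action: fail closed
    roles = effective_roles(token)
    if token.get("scope") == "system":
        if "admin" in roles:
            return True  # system admin: any user's credentials
        # system member or reader: list or get only
        return action in READ and "reader" in roles
    # Not a system user: own credentials only; a missing user_id never matches.
    caller = token.get("user_id")
    return caller is not None and caller == target_user_id


# Constructed sample tokens (not real keystone tokens).
SYS_ADMIN = {"user_id": "u1", "scope": "system", "roles": ["admin"]}
SYS_MEMBER = {"user_id": "u2", "scope": "system", "roles": ["member"]}
SYS_READER = {"user_id": "u3", "scope": "system", "roles": ["reader"]}
PROJECT_USER = {"user_id": "u4", "scope": "project", "roles": ["member"]}

if __name__ == "__main__":
    tokens = {"sys-admin": SYS_ADMIN, "sys-member": SYS_MEMBER,
              "sys-reader": SYS_READER, "project-user": PROJECT_USER}
    for name, tok in tokens.items():
        for action in sorted(READ | WRITE):
            print(name, action, authorize(action, tok, "u4"))
```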

