← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #77683

[Bug 1750673] Re: The v3 role assignment API should account for different scopes

  Thread PreviousDate PreviousThread Next 
Reviewed:  https://review.openstack.org/639718
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=954b97666937b8ef14fd1510636af4d8e456e918
Submitter: Zuul
Branch:    master

commit 954b97666937b8ef14fd1510636af4d8e456e918
Author: Lance Bragstad <lbragstad@xxxxxxxxx>
Date:   Wed Feb 27 15:47:58 2019 +0000

    Add role assignment testing for project users
    
    This commit adds some scaffolding for testing how user with project
    role assignments should behave with the role assignment API.
    
    Co-Authored-By: Vishakha Agarwal <agarwalvishakha18@xxxxxxxxx>
    Closes-Bug: 1750673
    Change-Id: Iec99b5d6b3aa3015d4410ce94fedc646bc4d6f74


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1750673

Title:
  The v3 role assignment API should account for different scopes

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Keystone implemented scope_types for oslo.policy RuleDefault objects
  in the Queens release. In order to take full advantage of scope_types,
  keystone is going to have to evolve policy enforcement checks in the
  user API. This is documented in each patch with FIXMEs [0].

  The following acceptance criteria describes how the v3 role assignment
  API should behave with tokens from multiple scopes.

  GET /v3/role_assignments

  - Someone with a system role assignment that passes the check string should be able to list role assignments for any combination of entities in the deployment (system-scoped)
  - Someone with a domain role assignment that passes the check string should only be able to list role assignment for users and group in the domain they administer, or projects within that domain (domain-scoped)
  - Someone with a project role assignment that passes the check string should only be able to list role assignments for users and groups that have assignments on the project they administer (project-scoped)

  [0]
  https://github.com/openstack/keystone/blob/68df7bf1f3b3d6ab3f691f59f1ce6de6b0b1deab/keystone/common/policies/role_assignment.py#L21-L28

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1750673/+subscriptions

References

  Thread PreviousDate PreviousThread Next