yahoo-eng-team team mailing list archive

[OpenStack Infra <1808859@xxxxxxxxxxxxxxxxxx>]

Reviewed:  https://review.openstack.org/643937
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=be452fee80fabe252b2dae3be76c1d46fdd857e4
Submitter: Zuul
Branch:    master

commit be452fee80fabe252b2dae3be76c1d46fdd857e4
Author: Colleen Murphy <colleen.murphy@xxxxxxx>
Date:   Mon Mar 18 14:20:15 2019 +0100

    Add domain scope support for group policies
    
    This commit adds support for the domain scope type for the group API
    policies. It defines appropriate policies for the reader, member, and
    admin role and adds tests for each case.
    
    Change-Id: Iaff3c0e45423ef427ef1458250c402c44be4b1d6
    Closes-bug: #1808859
    Partial-Bug: #968696


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1808859

Title:
  The v3 group API should account for different scopes

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Keystone implemented scope_types for oslo.policy RuleDefault objects
  in the Queens release [0]. In order to take full advantage of
  scope_types, keystone is going to have to evolve policy enforcement
  checks in the group API. This is documented in each patch with FIXMEs
  [1].

  System users should be able to manage groups across all domains in the deployment.
  Domain users should be able to manage groups within the domain they have authorization on.
  Project users shouldn't be able to manage groups at all, since group entities are domain-specific.

  [0] https://review.openstack.org/#/c/525706/
  [1] https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/group.py?id=20f11eb88a7d8bf534fa221ebeae4ae9c87cdc0b#n21

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1808859/+subscriptions