yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #79404
[Bug 1750615] Re: The v3 application credential API should account for different scopes
Reviewed: https://review.opendev.org/670926
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=52da4d0e129048d1b808bdde07364cde698cf475
Submitter: Zuul
Branch: master
commit 52da4d0e129048d1b808bdde07364cde698cf475
Author: Guang Yee <guang.yee@xxxxxxxx>
Date: Mon Jul 15 16:57:21 2019 -0700
implement system scope for application credential
Implement system scopes, namely 'admin', 'reader', and 'member' for
the application credential API. Thus, making it consistent with other
system-scoped policy definitions.
For the application credential API, the follow policies will be enforced:
- system admin can fetch, list, lookup, and delete user's application
credentials.
- system member and reader can only fetch, list, and lookup user's application
credentials. Deleting a user's application credential other their own is
strictly prohibitted.
- domain and project admins can no longer touch user's application credentials
other their own.
- domain and project readers cannot touch user's application credentials
other their own.
- domain and project members cannot touch user's application credentials
other their own.
- create an application credential can only be done by the owner. No one else
can create an application credential on behalf of another user.
Test cases are added to guard the above policy changes.
Change-Id: I26ee11571b6d0f700a5fe3a62ad2e8fc7f5316fe
Closes-Bug: 1818725
Closes-Bug: 1750615
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1750615
Title:
The v3 application credential API should account for different scopes
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
Keystone implemented scope_types for oslo.policy RuleDefault objects
in the Queens release. In order to take full advantage of scope_types,
keystone is going to have to evolve policy enforcement checks in the
user API. This is documented in each patch with FIXMEs [1].
The following acceptance criteria describes how the v3 application
credentials API should behave with tokens from multiple scopes:
GET
/v3/users/{user_id}/application_credentials/{application_credential_id}
- Someone with a system role assignment that passes the check string should be able to get any application credential in the system (system-scoped)
- Someone with a valid token should be able to call this API for an application credential associated to their user (project-scoped, user-scoped?)
GET /v3/users/{user_id}/application_credentials
- Someone with a system role assignment that passes the check string should be able to list all application credentials for any user in the system (system-scoped)
- Someone with a valid token should be able to call this API and list all application credentials they've created
POST /v3/users/{user_id}/application_credentials
- Someone with a project role assignment should be able to create
application credentials for the project they have a role assignment on
(project-scoped)
DELETE
/v3/users/{user_id}/application_credentials/{application_credential_id}
- Someone with a system role assignment that passes the check string should be able to delete any application credential for any user in the system (system-scoped)
- Someone with a valid token should be able to delete any application credential they've created (project-scoped, user-scoped?)
[0]
https://github.com/openstack/keystone/blob/68df7bf1f3b3d6ab3f691f59f1ce6de6b0b1deab/keystone/common/policies/application_credential.py#L24-L32
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1750615/+subscriptions
References
