yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1818846] Re: The trust API doesn't use default roles

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1818846@xxxxxxxxxxxxxxxxxx>
Date: Tue, 10 Sep 2019 10:16:26 -0000
Reply-to: Bug 1818846 <1818846@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/677004
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9be1caff97355099d25170fe390dd15d6f592d56
Submitter: Zuul
Branch:    master

commit 9be1caff97355099d25170fe390dd15d6f592d56
Author: Colleen Murphy <colleen.murphy@xxxxxxx>
Date:   Fri Aug 16 11:14:16 2019 -0700

    Implement system admin for trusts API
    
    This change enables a system admin to delete trusts. Previously, only
    the trustor or the is_admin admin could delete a trust. This changes
    makes the trusts API more useful to system administrators who need to
    clean up trusts and makes the API consistent with others.
    
    This does not enable system admins to create trusts. A trust can only be
    scoped to a project, so creating one is inherently a project-scoped
    action. If trusts later gain the ability to be scoped to the system or
    domains, we can add those scopes to the create_trust scope_types.
    
    Change-Id: Idf13b862f345388bb2372609787947eb43d7ba75
    Closes-bug: #1818846
    Closes-bug: #1818850
    Related-Bug: #968696


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1818846

Title:
  The trust API doesn't use default roles

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  In Rocky, keystone implemented support to ensure at least three
  default roles were available [0]. The trust API doesn't incorporate
  these defaults into its default policies [1], but it should.

  It would be useful for system members and readers to diagnose issues
  with trusts, instead of requiring system administrators to do
  everything.

  [0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
  [1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/trust.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1818846/+subscriptions

References

[Bug 1818846] [NEW] The trust API doesn't use default roles
From: Lance Bragstad, 2019-03-06