
yahoo-eng-team team mailing list archive

[Bug 1805400] Re: The v3 role API should account for different scopes

 

Reviewed:  https://review.opendev.org/680844
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9b694fcd0846898be843d8779960de399497818d
Submitter: Zuul
Branch:    master

commit 9b694fcd0846898be843d8779960de399497818d
Author: Colleen Murphy <colleen.murphy@xxxxxxx>
Date:   Sat Sep 7 19:25:46 2019 -0700

    Implement system scope for domain role management
    
    The roles API was partially converted to use default roles and system
    scope but that work did not include converting the domain roles actions.
    This commit completes the rest of the work and closes out the system
    scope work for the roles API.
    
    Change-Id: Iea5a1559e9bece2c0f310170f05260a978e27b47
    Closes-bug: #1805400
    Partial-bug: #1805880


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1805400

Title:
  The v3 role API should account for different scopes

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Keystone implemented scope_types for oslo.policy RuleDefault objects
  in the Queens release. In order to take full advantage of scope_types,
  keystone is going to have to evolve policy enforcement checks in the
  user API. This is documented in each patch with FIXMEs [0].

  The following acceptance criteria describe how the v3 role API should
  behave with tokens from multiple scopes.

  GET /roles/{role_id}

  - Someone with a system role assignment that passes the check string should be able to check any role in the deployment (system-scoped)
  - Someone with a domain role assignment that passes the check string should be able to check any domain role within that domain (domain-scoped)

  GET /roles

  - Someone with a system role assignment that passes the check string should be able to list all roles in the deployment (system-scoped)
  - Someone with a domain role assignment that passes the check string should be able to list all domain roles within that domain (domain-scoped)

  POST /roles

  - Someone with a system role assignment that passes the check string should be able to create roles (system-scoped)
  - Someone with a domain role assignment that passes the check string should be able to create a role within the domain (domain-scoped)

  DELETE /roles/{role_id}

  - Someone with a system role assignment that passes the check string should be able to remove roles (system-scoped)
  - Someone with a domain role assignment that passes the check string should be able to remove a domain role (domain-scoped)

  
  [0] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/role.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927#n21

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1805400/+subscriptions
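The four acceptance criteria above amount to a two-stage decision: first the token's scope has to be one the rule admits at all (what oslo.policy calls scope_types), then the check string has to pass against the target role, and for domain scope the target's domain has to be the token's own. The following plain-Python model of that decision is an added illustration, not keystone's or oslo.policy's code; the rule names, the check functions standing in for check strings, the token constants and the role table are all constructed for the example.

```python
"""Scope-aware policy enforcement for the v3 role API, modelled in plain Python.

Added illustration, not keystone's or oslo.policy's code. A Rule carries
scope_types (which token scopes may reach it) and a check evaluated against
the token and the target role; rule names, checks and roles are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Token:
    roles: tuple                      # roles assigned on the token's scope
    system: bool = False
    domain_id: Optional[str] = None
    project_id: Optional[str] = None

    @property
    def scope(self):
        return ("system" if self.system else "domain" if self.domain_id
                else "project" if self.project_id else "unscoped")

@dataclass
class Role:
    id: str
    name: str
    domain_id: Optional[str] = None   # None: a global role, not a domain role

@dataclass(frozen=True)
class Rule:
    name: str
    scope_types: tuple                # scopes that may reach the rule at all
    check: Callable                   # check(token, target) -> bool

class InvalidScope(Exception): "Token scope is not one of the rule's scope_types."
class PolicyNotAuthorized(Exception): "Scope is acceptable but the check failed."

def system_admin(token, target):
    # Assumed check: a system-scoped token carrying the admin role.
    return token.scope == "system" and "admin" in token.roles

def domain_admin(token, target):
    # Assumed check: a domain-scoped admin, limited to roles owned by its own
    # domain. A global role (domain_id None) is not a domain role, so it stays
    # out of reach even though the token passes the admin part of the check.
    if token.scope != "domain" or "admin" not in token.roles:
        return False
    return target is None or target.domain_id == token.domain_id

# One rule per acceptance criterion; system and domain scope may both reach each.
RULES = {op: Rule(op, ("system", "domain"),
                  lambda tok, tgt: system_admin(tok, tgt) or domain_admin(tok, tgt))
         for op in ("identity:get_role", "identity:list_roles",
                    "identity:create_role", "identity:delete_role")}

def enforce(rule, token, target):
    if token.scope not in rule.scope_types:
        raise InvalidScope(f"{rule.name}: {token.scope} not in {rule.scope_types}")
    if not rule.check(token, target):
        raise PolicyNotAuthorized(f"{rule.name}: check failed for {token.scope} token")

def sample_roles():
    # Constructed role table: one global role, one domain role in each of two domains.
    return {"r-global": Role("r-global", "admin"),
            "r-dom-a": Role("r-dom-a", "auditor", domain_id="dom-a"),
            "r-dom-b": Role("r-dom-b", "auditor", domain_id="dom-b")}

def get_role(token, role_id, roles):
    enforce(RULES["identity:get_role"], token, roles[role_id])
    return roles[role_id]

def list_roles(token, roles):
    enforce(RULES["identity:list_roles"], token, None)
    if token.scope == "domain":   # scope also filters: only the token's own domain
        return [r for r in roles.values() if r.domain_id == token.domain_id]
    return list(roles.values())

def create_role(token, role_id, name, domain_id, roles):
    target = Role(role_id, name, domain_id)   # check runs against the role to be made
    enforce(RULES["identity:create_role"], token, target)
    roles[role_id] = target
    return target

def delete_role(token, role_id, roles):
    enforce(RULES["identity:delete_role"], token, roles[role_id])
    del roles[role_id]

def outcome(fn, *args):
    """Name the result of an API call so allow and deny cases can be compared."""
    try:
        fn(*args)
        return "ok"
    except (InvalidScope, PolicyNotAuthorized) as exc:
        return type(exc).__name__

SYSTEM_ADMIN = Token(roles=("admin",), system=True)
DOM_A_ADMIN = Token(roles=("admin",), domain_id="dom-a")
PROJECT_ADMIN = Token(roles=("admin",), project_id="proj-1")
```

The cases worth checking are the denials: a domain-scoped admin cannot read, delete or create a global role (domain_id None) or a role in another domain, and its list call returns only its own domain's roles, while a project-scoped token is rejected before the check is evaluated at all. In oslo.policy a scope mismatch is only a hard failure when enforce_scope is turned on; with it off the mismatch is logged as a warning and the check string alone decides, which is why the domain restriction has to live in the check string and not only in scope_types.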

