yahoo-eng-team team mailing list archive
Message #79984
[Bug 1805363] Re: Oauth1 Consumer API doesn't use default roles
Reviewed: https://review.opendev.org/680794
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4f0c7394ede6ad479ff911bc373370f8b5e2f6f1
Submitter: Zuul
Branch: master
commit 4f0c7394ede6ad479ff911bc373370f8b5e2f6f1
Author: Colleen Murphy <colleen.murphy@xxxxxxx>
Date: Fri Sep 6 19:25:44 2019 -0700

    Implement system admin for OAUTH1 consumers

    This change deprecates the rule:admin_required policies for the
    create/update/delete actions of the OAUTH consumer API and replaces it
    with the system-specific check strings for the admin role.

    Change-Id: Id6742ff295ce206d0a4965465b0e9ec2ceab7cd5
    Closes-bug: #1805363

** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1805363
Title:
Oauth1 Consumer API doesn't use default roles
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
In Rocky, keystone implemented support to ensure at least three
default roles were available [0]. The consumer API doesn't incorporate
these defaults into its default policies [1], but it should.

The oauth consumer API is system-specific, and shouldn't be accessible
to domain or project users. For example, system administrators should
be able to create, delete, and update consumers, while members and
readers should only be able to get and list consumers.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/consumer.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1805363/+subscriptions
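
An added example, not keystone's own code and not part of the message above: a stand-alone audit of operator policy overrides for the consumer API, flagging rules that still rely on rule:admin_required or are not system-scoped. The rule names and the `system_scope:all` check strings are assumptions that follow keystone's conventions and are not quoted in this message; the sample overrides are constructed.

```python
import re

# Assumed rule names and check strings (keystone conventions, not quoted on this page).
SYSTEM_ADMIN = "role:admin and system_scope:all"
SYSTEM_READER = "role:reader and system_scope:all"
EXPECTED = {
    "identity:get_consumer": SYSTEM_READER,
    "identity:list_consumers": SYSTEM_READER,
    "identity:create_consumer": SYSTEM_ADMIN,
    "identity:update_consumer": SYSTEM_ADMIN,
    "identity:delete_consumer": SYSTEM_ADMIN,
}

# Constructed sample of an operator's policy override file.
SAMPLE_POLICY = '''
# local overrides
"identity:get_consumer": "rule:admin_required"
"identity:create_consumer": "rule:admin_required"
"identity:delete_consumer": "role:admin and system_scope:all"
"identity:update_consumer": "role:admin"
"identity:list_users": "rule:admin_required"
'''

# Matches flat '"rule_name": "check string"' lines; comments and blanks do not match.
LINE = re.compile(r'^\s*"?([\w:]+)"?\s*:\s*"([^"]*)"\s*$')

def parse_overrides(text):
    """Return {rule_name: check_string} for every flat override line."""
    return {m.group(1): m.group(2)
            for m in map(LINE.match, text.splitlines()) if m}

def audit_consumer_policies(text):
    """Return {rule: finding} for consumer rules that bypass system scope."""
    findings = {}
    for name, check in parse_overrides(text).items():
        if name not in EXPECTED:
            continue  # only the OAuth1 consumer API is in scope here
        if "rule:admin_required" in check:
            findings[name] = "uses legacy rule:admin_required"
        elif "system_scope:all" not in check:
            findings[name] = "not system-scoped"
        elif check != EXPECTED[name]:
            findings[name] = "differs from expected default"
    return findings

if __name__ == "__main__":
    for rule, finding in audit_consumer_policies(SAMPLE_POLICY).items():
        print(f"{rule}: {finding} (expected: {EXPECTED[rule]})")
```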