yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1750678] Re: The ec2 credential API should account for different scopes

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1750678@xxxxxxxxxxxxxxxxxx>
Date: Sun, 15 Sep 2019 22:15:33 -0000
Reply-to: Bug 1750678 <1750678@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/681162
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6435017c242d759ec18dac30d667f0e196e49f38
Submitter: Zuul
Branch:    master

commit 6435017c242d759ec18dac30d667f0e196e49f38
Author: Vishakha Agarwal <agarwalvishakha18@xxxxxxxxx>
Date:   Tue Sep 10 11:57:13 2019 +0530

    Remove system EC2 credentials from policy.v3cloudsample.json
    
    By relying on system-scope and default roles, these policies are now
    obsolete.
    
    Change-Id: Ie6be658a8e4dd028834a3fee956689f9513a37e9
    Partial-Bug: #1806762
    Closes-Bug: #1750678


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1750678

Title:
  The ec2 credential API should account for different scopes

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Keystone implemented scope_types for oslo.policy RuleDefault objects
  in the Queens release. In order to take full advantage of scope_types,
  keystone is going to have to evolve policy enforcement checks in the
  user API. This is documented in each patch with FIXMEs [0].

  The following acceptance criteria describes how the v3 ec2 credential
  API should behave with tokens from multiple scopes:

  GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id}

  - Someone with a system role assignment that passes the check string should be able to view credentials for any user in the deployment (system-scoped)
  - Someone with a valid token should only be able to view credentials they've created

  GET /v3/users/{user_id}/credentials/OS-EC2/

  - Someone with a system role assignment that passes the check string should be able to list all credentials in the deployment (system-scoped)
  - Someone with a valid token should only be able to list credentials associated to their user

  POST /v3/users/{user_id}/credentials/OS-EC2/

  - Someone with a system role assignment that passes the check string should be able to create ec2 credentials for other users (system-scoped)
  - Someone with a valid token should be able to create ec2 credentials for themselves

  DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id}

  - Someone with a system role assignment that passes the check string should be able to delete any ec2 credential in the deployment (system-scoped)
  - Someone with a valid token should only be able to delete credentials associated to their user account

  [0]
  https://github.com/openstack/keystone/blob/68df7bf1f3b3d6ab3f691f59f1ce6de6b0b1deab/keystone/common/policies/ec2_credential.py#L21-L31

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1750678/+subscriptions

References

[Bug 1750678] [NEW] The ec2 credential API should account for different scopes
From: Lance Bragstad, 2018-02-20