yahoo-eng-team team mailing list archive

[Bug 1844461] [NEW] Role assignment list for subtree is only project scoped

Public bug reported:

The identity:list_role_assignment_for_subtree is limited to the
'project' scope type, but this means that system readers and domain
readers can't list role assignments for the subtree of a project they
would otherwise have access to. Since the project ID is specified as a
query parameter and is not taken directly from the token context, it
makes sense to allow system readers and domain readers to make this
query.

Project members and readers should still be forbidden from getting role
assignment information on their own project or its subprojects, but
project admins should remain allowed to get this information.

** Affects: keystone
     Importance: High
         Status: Triaged


** Tags: default-roles policy system-scope

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1844461

Title:
  Role assignment list for subtree is only project scoped

Status in OpenStack Identity (keystone):
  Triaged

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1844461/+subscriptions
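
As an added illustration (not keystone's or oslo.policy's own code), the check described in the report reduced to a small model: the rule name is the one from the bug, while the Token and Rule types, the role names and the `enforce` helper are assumptions. It shows why a system or domain reader is refused while the rule's scope_types is limited to 'project', and how the requested behaviour keeps project members and readers out while letting project admins through.

```python
# Added illustration, not keystone/oslo.policy code: only the rule name is from
# the bug report; the Token/Rule model, role names and helpers are assumptions.
from dataclasses import dataclass

RULE_NAME = "identity:list_role_assignment_for_subtree"

# Default keystone implied-role chain: admin implies member implies reader.
IMPLIED_ROLES = {"admin": {"admin", "member", "reader"},
                 "member": {"member", "reader"}, "reader": {"reader"}}


@dataclass(frozen=True)
class Token:
    scope: str  # "system", "domain" or "project"
    role: str   # role assigned directly on that scope


@dataclass(frozen=True)
class Rule:
    scope_types: frozenset  # scope types the rule accepts at all
    check: frozenset        # (scope, role) pairs the check string accepts


def enforce(rule: Rule, token: Token) -> bool:
    """Scope-type check first, then role check, mirroring scope enforcement.

    The target project comes from a query parameter, not the token, so it
    plays no part here: a token of the wrong scope type fails regardless of
    its roles, which is exactly what locks out system and domain readers.
    """
    if token.scope not in rule.scope_types:
        return False
    effective = IMPLIED_ROLES.get(token.role, {token.role})
    return any((token.scope, r) in rule.check for r in effective)


# Behaviour the report describes: project scope only, project admins only.
CURRENT_RULE = Rule(frozenset({"project"}), frozenset({("project", "admin")}))

# Behaviour the report asks for: system and domain readers may list the subtree,
# project members and readers still may not, project admins still may.
PROPOSED_RULE = Rule(
    frozenset({"system", "domain", "project"}),
    frozenset({("system", "reader"), ("domain", "reader"), ("project", "admin")}))

if __name__ == "__main__":
    for tok in (Token("system", "reader"), Token("domain", "reader"),
                Token("project", "member"), Token("project", "admin")):
        print(f"{RULE_NAME} {tok.scope}/{tok.role}: "
              f"current={enforce(CURRENT_RULE, tok)} proposed={enforce(PROPOSED_RULE, tok)}")
```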