yahoo-eng-team team mailing list archive

[OpenStack Infra <1844193@xxxxxxxxxxxxxxxxxx>]

Reviewed:  https://review.opendev.org/682503
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8e67249d5bfb07b0a236189f62b3f338532f0df0
Submitter: Zuul
Branch:    master

commit 8e67249d5bfb07b0a236189f62b3f338532f0df0
Author: Lance Bragstad <lbragstad@xxxxxxxxx>
Date:   Mon Sep 16 22:11:06 2019 +0000

    Add default roles and scope checking to project tags
    
    This commit makes it so that project tags adhere to system-scope and
    also incorporates default roles into the policy checks by default.
    
    Change-Id: Ie36df5677a08d7d95f056f3ea00eda05e1315ea5
    Closes-Bug: 1844194
    Closes-Bug: 1844193
    Related-Bug: 1806762


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1844193

Title:
  Project tags should account for different scopes.

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Project resources in keystone can be tagged with simple strings called
  tags. Operations for managing a project's tags should only be managed
  by system administrators and not project-level or domain-level users.

  The policies that protect project tags should understand system-scope
  [0].

  [0]
  https://opendev.org/openstack/keystone/src/commit/18e0080af3dcc0a96ff5d98aeb5f517080a35fb2/keystone/common/policies/project.py#L147-L210

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1844193/+subscriptions