yahoo-eng-team team mailing list archive

[Bug 1844461] Re: Role assignment list for subtree is only project scoped

Reviewed:  https://review.opendev.org/682762
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=05ea390c67da8056bd0cb4445f4f030d8181aaf6
Submitter: Zuul
Branch:    master

commit 05ea390c67da8056bd0cb4445f4f030d8181aaf6
Author: Colleen Murphy <colleen.murphy@xxxxxxx>
Date:   Tue Sep 17 15:47:35 2019 -0700

    Allow system/domain scope for assignment tree list
    
    The comment regarding the scope_types setting for
    identity:list_role_assignments_for_tree was incorrect: the project ID
    for this request comes from a query parameter, not the token context,
    and therefore it makes sense to allow system users and domain users to
    call this API to get information about a project they have access to.
    This change updates the default policy for this API and adds tests for
    it.
    
    For project scope, the admin role is still required, as project members
    and project readers are typically not allowed rights to view the project
    hierarchy.
    
    Change-Id: If246298092940884a7b90e47cc9ce2f30da3e9e5
    Closes-bug: #1844461


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1844461

Title:
  Role assignment list for subtree is only project scoped

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  The identity:list_role_assignment_for_subtree is limited to the
  'project' scope type, but this means that system readers and domain
  readers can't list role assignments for the subtree of a project they
  would otherwise have access to. Since the project ID is specified as a
  query parameter and is not taken directly from the token context, it
  makes sense to allow system readers and domain readers to make this
  query.

  Project members and readers should still be forbidden from getting
  role assignment information on their own project or its subprojects,
  but project admins should remain allowed to get this information.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1844461/+subscriptions
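To make the scope_types point concrete, here is an added illustration (not keystone's or oslo.policy's own code) of how a policy rule's scope_types list and its role check combine to gate the subtree role-assignment listing, with the old project-only default beside the widened one. The rule contents, role ranks and the domain/project ownership check are assumptions modelled on the bug text, not the exact strings from the commit.

```python
# Simplified model of an oslo.policy-style rule with scope_types gating
# keystone's list_role_assignments_for_tree API. Added example; rule
# contents and the target-ownership check are assumptions from the bug text.

RANK = {"reader": 0, "member": 1, "admin": 2}  # admin implies member implies reader


class Token:
    def __init__(self, scope, role, domain_id=None, project_id=None):
        self.scope, self.role = scope, role  # scope: system, domain or project
        self.domain_id, self.project_id = domain_id, project_id


# Old default (assumed): only project-scoped tokens pass the scope_types
# check at all, and the check string then requires the admin role.
OLD_RULE = {"scope_types": ("project",), "min_role": {"project": "admin"}}

# New default (assumed, per the bug): system and domain users with at least
# the reader role may call it; project scope still requires admin.
NEW_RULE = {
    "scope_types": ("system", "domain", "project"),
    "min_role": {"system": "reader", "domain": "reader", "project": "admin"},
}


def authorize(rule, token, target_project, target_domain):
    """True if the token may list role assignments for the subtree of
    target_project, which arrives as a query parameter, not from the token."""
    # 1. scope_types: with scope enforcement on, a token of the wrong scope
    #    is rejected before the check string is evaluated.
    if token.scope not in rule["scope_types"]:
        return False
    # 2. role check from the check string, honouring role implication.
    if RANK[token.role] < RANK[rule["min_role"][token.scope]]:
        return False
    # 3. target binding (assumption): a domain user may only inspect projects
    #    in their own domain, a project user only their own project's subtree.
    if token.scope == "domain":
        return token.domain_id == target_domain
    if token.scope == "project":
        return token.project_id == target_project
    return True  # system scope spans every project
```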
