yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1926347] [NEW] Add a configuration option so that horizon can be deployed to enforce scope

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Lance Bragstad <1926347@xxxxxxxxxxxxxxxxxx>
Date: Tue, 27 Apr 2021 18:55:50 -0000
Reply-to: Bug 1926347 <1926347@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

Now that keystone supports system-scope as well as default roles,
several upstream OpenStack services are updating their default policies
to be more secure [0].

Horizon may need to understand how these services are configured via
policy to present the proper panels to certain users (e.g., should the
admin panels be presented to project-admins modeling the old behavior or
should they only be presented to system-users?)

This bug is to track the work for horizon to evaluate the configuration
changes necessary to deploy secure RBAC. This topic was discussed during
the Xena PTG [1].

[0] Using system-scope to fix https://bugs.launchpad.net/glance/+bug/968696
[1] https://etherpad.opendev.org/p/policy-popup-xena-ptg

** Affects: horizon
     Importance: Undecided
         Status: New

** Description changed:

  Now that keystone supports system-scope as well as default roles,
  several upstream OpenStack services are updating their default policies
  to be more secure [0].
  
  Horizon may need to understand how these services are configured via
  policy to present the proper panels to certain users (e.g., should the
  admin panels be presented to project-admins modeling the old behavior or
  should they only be presented to system-users?)
  
  This bug is to track the work for horizon to evaluate the configuration
- changes necessary to deploy secure RBAC.
- 
+ changes necessary to deploy secure RBAC. This topic was discussed during
+ the Xena PTG [1].
  
  [0] Using system-scope to fix https://bugs.launchpad.net/glance/+bug/968696
+ [1] https://etherpad.opendev.org/p/policy-popup-xena-ptg

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1926347

Title:
  Add a configuration option so that horizon can be deployed to enforce
  scope

Status in OpenStack Dashboard (Horizon):
  New

Bug description:
  Now that keystone supports system-scope as well as default roles,
  several upstream OpenStack services are updating their default
  policies to be more secure [0].

  Horizon may need to understand how these services are configured via
  policy to present the proper panels to certain users (e.g., should the
  admin panels be presented to project-admins modeling the old behavior
  or should they only be presented to system-users?)

  This bug is to track the work for horizon to evaluate the
  configuration changes necessary to deploy secure RBAC. This topic was
  discussed during the Xena PTG [1].

  [0] Using system-scope to fix https://bugs.launchpad.net/glance/+bug/968696
  [1] https://etherpad.opendev.org/p/policy-popup-xena-ptg

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1926347/+subscriptions