v3/credentials API is admin-only
Bug #1267096 reported by Steven Hardy
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | Medium | Alexey Miroshkin | | |
Bug Description
The default policy makes v3/credentials admin-only:
http://
But in the docs, we say "generic credential storage per user" which implies it's a user accessible interface.
Also, for the ec2 credential storage to work as a replacement for the ec2tokens API, it needs to be user-accessible.
Seems like a more appropriate restriction would be to enforce that the user_id in the request matches the token, or the user is admin, e.g. use "admin_or_owner" instead of "admin_required".
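An added example (not part of the original report, and not keystone's code): a simplified policy check showing how "admin_required" and the proposed "admin_or_owner" differ when a non-admin user requests a stored credential. The rule definitions, the `check` and `can_read` helpers, and the sample tokens and credentials are assumptions constructed for illustration.

```python
# Simplified model of a policy check; not keystone's implementation.
# Rule names come from the report; their definitions here are assumed.
RULES = {
    "admin_required": "role:admin or is_admin:1",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
}

def check(rule, creds, target):
    """True if any 'or'-joined clause passes.

    creds:  attributes from the validated token
    target: attributes of the object being accessed
    """
    for clause in rule.split(" or "):
        kind, _, match = clause.strip().partition(":")
        if kind == "rule":
            if check(RULES[match], creds, target):
                return True
        elif kind == "role":
            if match in creds.get("roles", []):
                return True
        else:
            # Generic clause: fill %(key)s from the target, compare to token.
            try:
                expected = match % target
            except KeyError:
                continue  # target lacks the attribute: fail closed
            if kind in creds and str(creds[kind]) == expected:
                return True
    return False

def can_read(rule_name, token, credential):
    """Decide whether `token` may read `credential` under `rule_name`."""
    return check(RULES[rule_name], token, {"user_id": credential["user_id"]})

# Constructed sample data.
ALICE = {"user_id": "u-alice", "roles": ["member"]}
ADMIN = {"user_id": "u-admin", "roles": ["admin"]}
ALICE_CRED = {"id": "c1", "type": "ec2", "user_id": "u-alice"}
BOB_CRED = {"id": "c2", "type": "ec2", "user_id": "u-bob"}

if __name__ == "__main__":
    for rule in ("admin_required", "admin_or_owner"):
        for who, tok in (("alice", ALICE), ("admin", ADMIN)):
            for cred in (ALICE_CRED, BOB_CRED):
                print(rule, who, cred["id"], can_read(rule, tok, cred))
```

The owner clause only works if the enforcement point passes the stored credential's user_id as the target; with an empty target it fails closed and only the admin clause can match.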
Changed in keystone:
assignee: nobody → wanghong (w-wanghong)
Changed in keystone:
assignee: wanghong (w-wanghong) → nobody
Changed in keystone:
assignee: nobody → Eric Brown (ericwb)
Changed in keystone:
assignee: Eric Brown (ericwb) → Alexey Miroshkin (amirosh)
status: Triaged → In Progress
milestone: none → juno-3
Changed in keystone:
status: Fix Committed → Fix Released
Changed in keystone:
milestone: juno-3 → 2014.2
I think when that policy was written, admin_or_owner wasn't yet implemented.