Domains API should account for system-scope and default roles
Bug #1794376 reported by
Lance Bragstad
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
High
|
Lance Bragstad |
Bug Description
Keystone domains are an important resource that only system administrators, members, or readers should be able to manage. We should update the domain policies to include system-scoped test coverage and consumption of the new default roles in keystone.
System administrators should be able to:
- GET /v3/domains/
- GET /v3/damains/
- POST /v3/domains/
- PATCH /v3/domains/
- DELETE /v3/domains/
System members should be able to:
- GET /v3/domains/
- GET /v3/damains/
- PATCH /v3/domains/
System readers should be able to:
- GET /v3/domains/
- GET /v3/damains/
tags: | added: policy |
Changed in keystone: | |
status: | New → Triaged |
importance: | Undecided → High |
tags: | added: default-roles system-scope |
Changed in keystone: | |
milestone: | none → stein-2 |
To post a comment you must log in.
Fix proposed to branch: master /review. openstack. org/605485
Review: https:/