The v3 role API should account for different scopes
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | High | Colleen Murphy | |
Bug Description
Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the user API. This is documented in each patch with FIXMEs [0].
The following acceptance criteria describe how the v3 role API should behave with tokens from multiple scopes.
GET /roles/{role_id}
- Someone with a system role assignment that passes the check string should be able to check any role in the deployment (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to check any domain role within that domain (domain-scoped)
GET /roles
- Someone with a system role assignment that passes the check string should be able to list all roles in the deployment (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to list all domain roles within that domain (domain-scoped)
POST /roles
- Someone with a system role assignment that passes the check string should be able to create roles (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to create a role within the domain (domain-scoped)
DELETE /roles/{role_id}
- Someone with a system role assignment that passes the check string should be able to remove roles (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to remove a domain role (domain-scoped)
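As an added illustration (not keystone's or oslo.policy's code), the following Python models how scope-aware check strings decide the GET /roles/{role_id} and DELETE /roles/{role_id} cases above for system-scoped versus domain-scoped tokens. The check-string shape, the rule names (`identity:get_role`, `identity:delete_role`) and the credential keys (`roles`, `system_scope`, `domain_id`, `target.role.domain_id`) are assumptions in the style keystone uses; the evaluator covers only the subset of check-string syntax those rules need.

```python
import re
def _system_or_domain(role):
    # Assumed check-string shape in keystone's style: the role held with a
    # system-scoped token, OR the same role scoped to the target role's domain.
    return (f'(role:{role} and system_scope:all) or '
            f'(role:{role} and domain_id:%(target.role.domain_id)s)')
RULES = {  # assumed rule names for two of the v3 role API operations
    'identity:get_role': _system_or_domain('reader'),
    'identity:delete_role': _system_or_domain('admin'),
}
# Tokens: parens, and/or, 'key:%(target.attr)s' substitutions, plain 'key:value'.
_TOKEN = re.compile(r'\(|\)|\band\b|\bor\b|\w+:%\([\w.]+\)s|[^\s()]+')
def _atom(atom, target, creds):
    """Evaluate one 'key:value' check against the token context (creds)."""
    key, _, value = atom.partition(':')
    if key == 'role':
        return value in creds.get('roles', [])
    if value.startswith('%(') and value.endswith(')s'):
        # Substitute the target attribute; a global role (domain_id None)
        # can never satisfy a domain-scoped check.
        wanted = target.get(value[2:-2])
        return wanted is not None and creds.get(key) == wanted
    return str(creds.get(key)) == value

def evaluate(check_str, target, creds):
    # Recursive-descent evaluation of and/or/parenthesised check strings.
    tokens, pos = _TOKEN.findall(check_str), 0
    def parse_or():
        nonlocal pos
        result = parse_and()
        while pos < len(tokens) and tokens[pos] == 'or':
            pos += 1
            result = parse_and() or result  # always consume the right side
        return result
    def parse_and():
        nonlocal pos
        result = parse_primary()
        while pos < len(tokens) and tokens[pos] == 'and':
            pos += 1
            result = parse_primary() and result
        return result
    def parse_primary():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok != '(':
            return _atom(tok, target, creds)
        result, pos = parse_or(), pos + 1  # consume the closing ')'
        return result
    return parse_or()

def enforce(action, target, creds):
    return evaluate(RULES[action], target, creds)
```

A global role has `target.role.domain_id` of None, so only a system-scoped token can pass either rule for it, while a domain-scoped token passes only when its `domain_id` equals the target role's domain.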
Changed in keystone:
- status: New → Triaged
- importance: Undecided → High
- tags: added: policy system-scope
Changed in keystone:
- assignee: nobody → Lance Bragstad (lbragstad)
- status: Triaged → In Progress
Changed in keystone:
- milestone: none → stein-rc1
Changed in keystone:
- milestone: stein-rc1 → stein-rc2
https://review.openstack.org/#/c/622526/ and https://review.openstack.org/#/c/622524/ partially fix this.