Comment 143 for bug 968696

OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.opendev.org/676847
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ea7acd80362e27c44a299c70504c21fdc7953e21
Submitter: Zuul
Branch: master

commit ea7acd80362e27c44a299c70504c21fdc7953e21
Author: Colleen Murphy <email address hidden>
Date: Thu Aug 15 18:39:41 2019 -0700

    Implement system reader role for trusts API

    Currently, the trusts API only allows the "project" scope type, and
    moreover inconsistently enforces different actions based on admin status
    or trustor/trustee relationship: for example, an "admin" can list all
    trusts but not filter by trustor or trustee and cannot get details for a
    single trust, nor can they list or get trust roles. This patch changes
    the behavior of the trusts API to allow a system reader to list and get
    details for trusts and trust roles, where previously only a trustor or
    trustee could do so. This helps make the different actions in the trusts
    API consistent with one another and makes the API more useful to a
    deployment auditor. A subsequent patch will add system admin
    functionality.

    This change does not use the oslo.policy deprecation feature for the
    'identity:list_trusts_for_trustor' or 'identity:list_trusts_for_trustee'
    policies as those are new policies introduced in 7717ed3.

    Change-Id: I4e1482643e18fd46e937ffae8b3623cea2d2dd62
    Partial-bug: #1818850
    Partial-bug: #1818846
    Related-Bug: #968696