Currently, the trusts API only allows the "project" scope type, and
moreover inconsistently enforces different actions based on admin status
or trustor/trustee relationship: for example, an "admin" can list all
trusts but not filter by trustor or trustee and cannot get details for a
single trust, nor can they list or get trust roles. This patch changes
the behavior of the trusts API to allow a system reader to list and get
details for trusts and trust roles, where previously only a trustor or
trustee could do so. This helps make the different actions in the trusts
API consistent with one another and makes the API more useful to a
deployment auditor. A subsequent patch will add system admin
functionality.
This change does not use the oslo.policy deprecation feature for the
'identity:list_trusts_for_trustor' or 'identity:list_trusts_for_trustee'
policies as those are new policies introduced in 7717ed3.
Reviewed: https://review.opendev.org/676847
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ea7acd80362e27c44a299c70504c21fdc7953e21
Submitter: Zuul
Branch: master
commit ea7acd80362e27c44a299c70504c21fdc7953e21
Author: Colleen Murphy <email address hidden>
Date: Thu Aug 15 18:39:41 2019 -0700
Implement system reader role for trusts API
Currently, the trusts API only allows the "project" scope type, and
moreover inconsistently enforces different actions based on admin status
or trustor/trustee relationship: for example, an "admin" can list all
trusts but not filter by trustor or trustee and cannot get details for a
single trust, nor can they list or get trust roles. This patch changes
the behavior of the trusts API to allow a system reader to list and get
details for trusts and trust roles, where previously only a trustor or
trustee could do so. This helps make the different actions in the trusts
API consistent with one another and makes the API more useful to a
deployment auditor. A subsequent patch will add system admin
functionality.
This change does not use the oslo.policy deprecation feature for the
'identity:list_trusts_for_trustor' or 'identity:list_trusts_for_trustee'
policies as those are new policies introduced in 7717ed3.
Change-Id: I4e1482643e18fd46e937ffae8b3623cea2d2dd62
Partial-bug: #1818850
Partial-bug: #1818846
Related-Bug: #968696