v3/credentials API is admin-only

Bug #1267096 reported by Steven Hardy
Affects: OpenStack Identity (keystone) | Status: Fix Released | Importance: Medium | Assigned to: Alexey Miroshkin | Milestone: 2014.2

Bug Description

The default policy makes v3/credentials admin-only:

http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.json#n59

But in the docs, we say "generic credential storage per user" which implies it's a user accessible interface.

Also, for the ec2 credential storage to work as a replacement for the ec2tokens API, it needs to be user-accessible.

Seems like a more appropriate restriction would be to enforce that the user_id in the request matches the token, or the user is admin, e.g. use "admin_or_owner" instead of "admin_required".

Dolph Mathews (dolph) wrote:

I think when that policy was written, admin_or_owner wasn't yet implemented.

Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
wanghong (w-wanghong)
Changed in keystone:
assignee: nobody → wanghong (w-wanghong)
wanghong (w-wanghong)
Changed in keystone:
assignee: wanghong (w-wanghong) → nobody
Eric Brown (ericwb)
Changed in keystone:
assignee: nobody → Eric Brown (ericwb)
Lance Bragstad (lbragstad) wrote:

Is this one still being worked?

description: updated
Ajaya Agrawal (ajayaa) wrote:
Dolph Mathews (dolph)
Changed in keystone:
assignee: Eric Brown (ericwb) → Alexey Miroshkin (amirosh)
status: Triaged → In Progress
milestone: none → juno-3
OpenStack Infra (hudson-openstack) wrote: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/113232
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=00597be4cca64b9aa691d6a135698f09af455cd7
Submitter: Jenkins
Branch: master

commit 00597be4cca64b9aa691d6a135698f09af455cd7
Author: Alexey Miroshkin <email address hidden>
Date: Mon Aug 11 15:39:17 2014 +0400

    Enable filtering of credentials by user ID

    A credentials entity has a user_id attribute. Currently the lack of a
    filter of user_id means that we cannot use the keystone policy file to
    enable users to have access to (only) their credentials. This fix solves
    it by adding such a filter:

    List credentials: `GET /credentials`
    Optional query parameters:
    - `user_id` (string)

    Implements: blueprint filter-credentials-by-user

    Closes-Bug: #1267096

    Change-Id: Iff016fac37b50d55d77ec7511aae4e57af34f08f

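The following is an added illustration of the two points above, the bug report's "admin_or_owner instead of admin_required" suggestion and the commit's user_id filter on GET /credentials. It is not keystone's or oslo.policy's code: it is a minimal re-implementation of the 'or'-only rule strings keystone's policy.json uses, evaluated against constructed tokens and requests. The rule strings are modelled on keystone's etc/policy.json of the time but their exact wording is assumed here, as are the sample user IDs and roles.

```python
"""Toy evaluator for keystone-style policy rules (added example, not
keystone or oslo.policy code). Rule wording and sample data are assumed."""


def enforce(policy, rule_name, target, creds):
    """Evaluate policy[rule_name] ('term or term ...') against one request.

    creds is the token's view of the caller (user_id, roles, ...); target is
    the resource being acted on. Only the forms keystone's rules need are
    supported: 'rule:<name>', 'role:<role>', and '<attr>:<value>' where value
    may contain %(key)s substituted from the target, as oslo.policy does.
    """
    for term in policy[rule_name].split(" or "):
        kind, match = term.split(":", 1)
        if kind == "rule":
            if enforce(policy, match, target, creds):
                return True
            continue
        try:
            match = match % target   # e.g. 'user_id:%(user_id)s'
        except KeyError:
            continue                 # target lacks the attribute: no match
        if kind == "role":
            if match in creds.get("roles", []):
                return True
        elif str(creds.get(kind)) == match:
            return True
    return False


# Rule strings modelled on keystone's policy.json (assumed wording).
BASE_RULES = {
    "admin_required": "role:admin or is_admin:1",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
}

# Before the fix: every credentials call is admin-only (the reported bug).
WEAK_POLICY = {**BASE_RULES,
               "identity:list_credentials": "rule:admin_required",
               "identity:create_credential": "rule:admin_required"}

# After the fix: admin, or the user_id in the request matches the token.
FIXED_POLICY = {**BASE_RULES,
                "identity:list_credentials": "rule:admin_or_owner",
                "identity:create_credential": "rule:admin_or_owner"}


def create_credential(policy, token, body):
    """POST /credentials: the target carries the body's user_id, so the
    'owner' rule can compare it against the token's user_id."""
    return enforce(policy, "identity:create_credential",
                   {"user_id": body["user_id"]}, token)


def list_credentials(policy, token, query):
    """GET /credentials: without the user_id query filter added by the fix
    the target has no user_id, so 'owner' can never match and only admins
    pass, whatever the policy says."""
    target = {"user_id": query["user_id"]} if "user_id" in query else {}
    return enforce(policy, "identity:list_credentials", target, token)


# Constructed sample tokens (not real keystone tokens).
ALICE = {"user_id": "alice", "roles": ["_member_"]}
ADMIN = {"user_id": "root", "roles": ["admin"]}


if __name__ == "__main__":
    for name, policy in (("admin_required", WEAK_POLICY),
                         ("admin_or_owner", FIXED_POLICY)):
        print(name)
        print("  alice creates her own credential:",
              create_credential(policy, ALICE, {"user_id": "alice"}))
        print("  alice creates one for bob:       ",
              create_credential(policy, ALICE, {"user_id": "bob"}))
        print("  alice lists ?user_id=alice:      ",
              list_credentials(policy, ALICE, {"user_id": "alice"}))
        print("  alice lists with no filter:      ",
              list_credentials(policy, ALICE, {}))
        print("  admin lists with no filter:      ",
              list_credentials(policy, ADMIN, {}))
```

Two things the example makes visible that the policy file alone does not. First, admin_or_owner only works if the controller puts the request's user_id into the policy target; for the list call that is exactly what the user_id filter in the commit provides. Second, the policy check only authorizes the call: the list operation still has to apply the user_id filter it was authorized for, or a non-admin caller who passes the check with ?user_id=alice would receive every user's credentials.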
Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-3 → 2014.2
This report contains Public information  
Everyone can see this information.
