policy admin role too broad

Bug #1284922 reported by Fabio Giannetti
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Opinion
Wishlist
Fabio Giannetti

Bug Description

The policy.v3cloudsample.json file has a generic "admin_required": "role:admin" rule that is applied to several APIs, which in effect allows any other service that uses the same generic "admin" role to perform Keystone calls.
Since the role name is shared across services, the simple admin role that both Neutron and Glance define can then be used to perform Keystone-protected calls.
Proposed changes:
1) remove "admin_required" and replace it with "rule:cloud_admin"
2) scope access to these APIs correctly:

"identity:create_consumer": "rule:cloud_admin or rule:domain_admin",
    "identity:get_consumer": "rule:cloud_admin or rule:domain_admin",
    "identity:list_consumers": "rule:cloud_admin or rule:domain_admin",
    "identity:delete_consumer": "rule:cloud_admin or rule:domain_admin",
    "identity:update_consumer": "rule:cloud_admin or rule:domain_admin",

"identity:authorize_request_token": "rule:cloud_admin or rule:domain_admin",
    "identity:list_access_token_roles": "rule:cloud_admin or rule:domain_admin",
    "identity:get_access_token_role": "rule:cloud_admin or rule:domain_admin",
    "identity:list_access_tokens": "rule:cloud_admin or rule:domain_admin",
    "identity:get_access_token": "rule:cloud_admin or rule:domain_admin",
    "identity:delete_access_token": "rule:cloud_admin or rule:domain_admin",

"identity:list_projects_for_endpoint": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
    "identity:add_endpoint_to_project": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
    "identity:check_endpoint_in_project": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
    "identity:list_endpoints_for_project": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
    "identity:remove_endpoint_from_project": "rule:cloud_admin or rule:domain_admin or rule:project_admin",

"identity:create_identity_provider": "rule:cloud_admin or rule:domain_admin",
    "identity:list_identity_providers": "rule:cloud_admin or rule:domain_admin",
    "identity:get_identity_providers": "rule:cloud_admin or rule:domain_admin",
    "identity:update_identity_provider": "rule:cloud_admin or rule:domain_admin",
    "identity:delete_identity_provider": "rule:cloud_admin or rule:domain_admin",

"identity:create_protocol": "rule:cloud_admin or rule:domain_admin",
    "identity:update_protocol": "rule:cloud_admin or rule:domain_admin",
    "identity:get_protocol": "rule:cloud_admin or rule:domain_admin",
    "identity:list_protocols": "rule:cloud_admin or rule:domain_admin",
    "identity:delete_protocol": "rule:cloud_admin or rule:domain_admin",

"identity:create_mapping": "rule:cloud_admin",
    "identity:get_mapping": "rule:cloud_admin or rule:domain_admin",
    "identity:list_mappings": "rule:cloud_admin or rule:domain_admin",
    "identity:delete_mapping": "rule:cloud_admin",
    "identity:update_mapping": "rule:cloud_admin"

Changed in keystone:
assignee: nobody → Fabio Giannetti (fabio-giannetti)
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Wishlist
status: New → Opinion
