Keystone V2 API does not use the policy.json for RBAC

Bug #1350879 reported by John Trowbridge on 2014-07-31
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: Wishlist
Assigned to: Unassigned

Bug Description

The Keystone V2 API does not allow for granular editing of the RBAC rules.
For example, allowing members of a project to list the API endpoints.

In other OpenStack projects this is done through the policy.json file, and the Keystone V3 API uses this file to determine RBAC.

I would propose that Keystone V2 API use this policy for at least listing the API endpoints. This information is already visible through the dashboard to any member of a project. This will allow for users to optionally allow non-admin API access to list the API endpoints.
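The difference the report describes, as an added example that is not part of the original report and is not Keystone's code: a fixed admin-only check next to a lookup driven by a policy.json-style rule. The evaluator is a simplified stand-in for a real policy engine, and the policy fragment, the `member` role name and all function names are constructed for illustration.

```python
import json

# Constructed policy.json-style fragment. The relaxed "role:member" alternative
# on identity:list_endpoints is an assumption matching the use case in the report;
# write operations stay admin-only.
POLICY_JSON = """
{
    "admin_required": "role:admin",
    "identity:list_endpoints": "rule:admin_required or role:member",
    "identity:create_endpoint": "rule:admin_required"
}
"""
RULES = json.loads(POLICY_JSON)


def check(rules, target, creds, _depth=0):
    """Evaluate a simplified rule made of 'or'-separated terms.

    Supported terms: 'role:<name>' and 'rule:<alias>'. Unknown targets,
    unknown term kinds and overly deep alias chains all deny (fail closed).
    """
    if target not in rules or _depth > 8:
        return False
    for term in rules[target].split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "role" and value in creds["roles"]:
            return True
        if kind == "rule" and check(rules, value, creds, _depth + 1):
            return True
    return False


def hardcoded_list_endpoints_allowed(creds):
    # Models the behaviour the report describes for V2: the decision is fixed
    # in code, so editing policy.json cannot widen or narrow it.
    return "admin" in creds["roles"]


def policy_list_endpoints_allowed(creds, rules=RULES):
    # Models the policy-driven behaviour: the operator's rule file decides.
    return check(rules, "identity:list_endpoints", creds)


if __name__ == "__main__":
    for roles in (["member"], ["admin"], []):
        creds = {"roles": roles}
        print(roles, hardcoded_list_endpoints_allowed(creds),
              policy_list_endpoints_allowed(creds))
```

With this fragment a project member can list endpoints through the policy-driven path only, while `identity:create_endpoint` still requires the admin role.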

Fix proposed to branch: master
Review: https://review.openstack.org/110986

Changed in keystone:
assignee: nobody → John Trowbridge (trown)
status: New → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/111088

John Trowbridge (trown) on 2014-07-31
tags: added: havana-backport-potential
tags: added: icehouse-backport-potential

Dolph Mathews (dolph) on 2014-07-31
Changed in keystone:
importance: Undecided → Wishlist

Change abandoned by John Trowbridge (<email address hidden>) on branch: master
Review: https://review.openstack.org/110986
Reason: Changed commit message to comply with PEP8

tags: removed: havana-backport-potential

Change abandoned by Morgan Fainberg (<email address hidden>) on branch: master
Review: https://review.openstack.org/111088
Reason: Discussed with nkinder on IRC, bug reporter (from within Red Hat) has confirmed this is not needed.

Morgan Fainberg (mdrnstm) wrote :

While the review that was attached to this bug is no longer needed (as described by the reason for abandonment), this bug is still a valid concern until we have a definitive timeline on deprecating the V2 API.

Changed in keystone:
status: In Progress → Confirmed
assignee: John Trowbridge (trown) → nobody
tags: removed: icehouse-backport-potential

Steve Martinelli (stevemar) wrote :

v2 has been deprecated. v3 provides much finer RBAC control and should be used for just this reason.

Changed in keystone:
status: Confirmed → Won't Fix