Trust operations in policy.json are misleading
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Medium | Unassigned |
Bug Description
The sample policy.json files included in Keystone have the trust API operations listed. For example:
"identity:
"identity:
"identity:
"identity:
"identity:
"identity:
"identity:
This implies that these trust operations are protected by policy, which is true but misleading. While policy does protect these operations, they are hardcoded to be very restrictive. Here are some examples from the controller code:
-------
@controller
def delete_trust(self, context, trust_id):
trust = self.trust_
if not trust:
raise exception.
user_id = self._get_
@controller
def list_roles_
trust = self.get_
if not trust:
raise exception.
user_id = self._get_
return {'roles': trust['roles'],
-------
In the trust controller code, the following restrictions are currently hard-coded:
create_trust - trustor only
get_trust - trustor or trustee only
list_trusts - admin only to list all trusts, trustor or trustee only for related trusts
list_
check_
get_role_
delete_trust - admin or trustor only
The policies in policy.json can make these operations more restricted, but not less restricted than the hard-coded restrictions. We can't simply remove these settings from policy.json, as that would cause the "default" rule to be used which makes trusts unusable in the case of the default "default" rule of "admin_required". This only leaves us with the option of clearly documenting the behavior IMHO. Unfortunately, JSON doesn't allow comments, so we can't just add nice comments right there in policy.json. I think that the correct approach is:
- Add a general purpose paragraph to the RBAC section of doc/source/
- Add documentation for the trust extension at keystone/
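The interaction described above (policy.json can tighten the trust operations but never loosen them past the controller's hard-coded trustor/trustee/admin checks, and dropping a rule falls through to the "default" rule) is easy to misread, so here is a small runnable model of the two layers. This is an added illustration, not Keystone's code or its policy engine: the rule syntax is a simplified subset (only `""`, `rule:<name>` and `role:<name>`), the policy dict and the trust record are constructed sample data, and `delete_trust` stands in for the controller's "admin or trustor only" check.

```python
"""Model of the two authorization layers that guard a Keystone trust
operation: a policy.json rule lookup, then the controller's hard-coded check.
Added example only; rule evaluation is a simplified subset of the real
policy language and all data below is constructed for illustration."""


class Forbidden(Exception):
    """Raised by either layer when the caller is denied."""


# Constructed stand-in for the relevant part of the sample policy.json
# (a dict, as json.load() would return). "" means "anyone may pass".
SAMPLE_POLICY = {
    "admin_required": "role:admin",
    "default": "rule:admin_required",
    "identity:delete_trust": "",
}

# Constructed trust record; only the fields the check needs.
SAMPLE_TRUST = {"id": "t1", "trustor_user_id": "alice", "trustee_user_id": "bob"}

_MISSING = object()


def policy_allows(policy, action, creds):
    """Evaluate a (simplified) rule for `action`.

    An action absent from the policy falls back to the "default" rule, which
    is exactly why the trust entries cannot simply be deleted from policy.json.
    """
    rule = policy.get(action, _MISSING)
    if rule is _MISSING:
        rule = policy.get("default", "!")
    if rule == "":                         # empty rule: always allowed
        return True
    if rule == "!":                        # never allowed
        return False
    if rule.startswith("rule:"):           # indirection to another named rule
        return policy_allows(policy, rule[len("rule:"):], creds)
    if rule.startswith("role:"):           # caller must hold this role
        return rule[len("role:"):] in creds.get("roles", [])
    raise ValueError("unsupported rule syntax in this model: %r" % (rule,))


def delete_trust(policy, trust, creds):
    """Model of the controller: the policy check runs first, then the
    hard-coded 'admin or trustor only' restriction. Both must pass, so policy
    can only ever subtract callers from the set the controller already allows.
    """
    if not policy_allows(policy, "identity:delete_trust", creds):
        raise Forbidden("denied by policy.json")
    is_admin = "admin" in creds.get("roles", [])
    if not (is_admin or creds["user_id"] == trust["trustor_user_id"]):
        raise Forbidden("denied by hard-coded controller check")
    return True


def can_delete(policy, trust, creds):
    """True if `creds` may delete `trust` under `policy`, False if either
    layer refuses."""
    try:
        return delete_trust(policy, trust, creds)
    except Forbidden:
        return False


def outcomes():
    """Run the scenarios from the bug report and return who may delete."""
    trustor = {"user_id": "alice", "roles": ["member"]}
    trustee = {"user_id": "bob", "roles": ["member"]}
    admin = {"user_id": "carol", "roles": ["admin"]}
    stranger = {"user_id": "dave", "roles": ["member"]}

    # 1. Sample policy: wide open in policy.json, yet the controller still
    #    restricts deletion to the trustor or an admin.
    sample = {who: can_delete(SAMPLE_POLICY, SAMPLE_TRUST, c)
              for who, c in [("trustor", trustor), ("trustee", trustee),
                             ("admin", admin), ("stranger", stranger)]}

    # 2. Rule removed: lookup falls through to "default" -> admin_required,
    #    so even the trustor is locked out (trusts become unusable).
    removed = dict(SAMPLE_POLICY)
    del removed["identity:delete_trust"]
    without_rule = {"trustor": can_delete(removed, SAMPLE_TRUST, trustor),
                    "admin": can_delete(removed, SAMPLE_TRUST, admin)}

    # 3. Rule tightened explicitly: policy can make the operation stricter.
    tightened = dict(SAMPLE_POLICY, **{"identity:delete_trust": "rule:admin_required"})
    admin_only = {"trustor": can_delete(tightened, SAMPLE_TRUST, trustor),
                  "admin": can_delete(tightened, SAMPLE_TRUST, admin)}

    return {"sample": sample, "rule_removed": without_rule, "tightened": admin_only}


if __name__ == "__main__":
    for scenario, result in outcomes().items():
        print(scenario, result)
```

Scenario 1 is the "misleading" case from the report: the policy says anyone may call `identity:delete_trust`, but the stranger and the trustee are still refused by the controller. Scenario 2 shows why the entries cannot just be dropped, and scenario 3 shows the only direction policy.json can move the restriction.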
Changed in keystone:
assignee: nobody → Nathan Kinder (nkinder)
Changed in keystone:
importance: Undecided → Medium
tags: added: documentation user-experience
Changed in keystone:
status: Invalid → Fix Released
I like your suggestions, in particular the ones surrounding documentation for trusts.