The ec2 credential API should account for different scopes

Bug #1750678 reported by Lance Bragstad on 2018-02-20
This bug affects 1 person
Affects: OpenStack Identity (keystone) | Importance: High | Assigned to: Vishakha Agarwal

Bug Description

Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the user API. This is documented in each patch with FIXMEs [0].

The following acceptance criteria describe how the v3 ec2 credential API should behave with tokens from multiple scopes:

GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id}

- Someone with a system role assignment that passes the check string should be able to view credentials for any user in the deployment (system-scoped)
- Someone with a valid token should only be able to view credentials they've created

GET /v3/users/{user_id}/credentials/OS-EC2/

- Someone with a system role assignment that passes the check string should be able to list all credentials in the deployment (system-scoped)
- Someone with a valid token should only be able to list credentials associated with their user

POST /v3/users/{user_id}/credentials/OS-EC2/

- Someone with a system role assignment that passes the check string should be able to create ec2 credentials for other users (system-scoped)
- Someone with a valid token should be able to create ec2 credentials for themselves

DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id}

- Someone with a system role assignment that passes the check string should be able to delete any ec2 credential in the deployment (system-scoped)
- Someone with a valid token should only be able to delete credentials associated with their user account

[0] https://github.com/openstack/keystone/blob/68df7bf1f3b3d6ab3f691f59f1ce6de6b0b1deab/keystone/common/policies/ec2_credential.py#L21-L31
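As an added illustration (not keystone's own code and not oslo.policy), the following models the check-string shape the acceptance criteria imply and evaluates it for a system-scoped token, a project-scoped admin and an ordinary user; the check strings, role names and the `target.user_id` key are assumptions.

```python
# Added illustration, not keystone or oslo.policy code: a minimal evaluator for
# check strings of the kind the acceptance criteria describe, run against a
# system-scoped token and plain user tokens. Check strings, role names and the
# target key are assumptions chosen for the example.

SYSTEM_BRANCH = "role:admin and system_scope:all"   # assumed system-scope branch
OWNER_BRANCH = "user_id:%(target.user_id)s"         # caller owns the credential

# One rule per ec2 credential operation in the bug; all four share one shape:
# system-scoped callers reach any user, everyone else only their own.
RULES = {
    "identity:ec2_get_credential": f"({SYSTEM_BRANCH}) or {OWNER_BRANCH}",
    "identity:ec2_list_credentials": f"({SYSTEM_BRANCH}) or {OWNER_BRANCH}",
    "identity:ec2_create_credential": f"({SYSTEM_BRANCH}) or {OWNER_BRANCH}",
    "identity:ec2_delete_credential": f"({SYSTEM_BRANCH}) or {OWNER_BRANCH}",
}


def _atom(check, creds, target):
    """Evaluate one 'kind:value' check against the token and the target."""
    kind, _, value = check.strip().partition(":")
    value = value % target  # expand %(target.user_id)s from the target dict
    if kind == "role":
        return value in creds.get("roles", ())
    if kind == "system_scope":
        return creds.get("system_scope") == value
    if kind == "user_id":
        return creds.get("user_id") == value
    raise ValueError(f"unsupported check: {check}")


def enforce(rule, creds, target):
    """Disjunction of parenthesised conjunctions, e.g. '(a and b) or c'."""
    for clause in RULES[rule].split(" or "):
        atoms = clause.strip().strip("()").split(" and ")
        if all(_atom(a, creds, target) for a in atoms):
            return True
    return False


def can(rule, token, target_user_id):
    """Decide whether `token` may perform `rule` on `target_user_id`'s credential."""
    return enforce(rule, token, {"target.user_id": target_user_id})


# Constructed tokens: a system-scoped admin, a project-scoped admin, a member.
SYSTEM_ADMIN = {"user_id": "ops", "roles": ["admin"], "system_scope": "all"}
PROJECT_ADMIN = {"user_id": "pa", "roles": ["admin"], "project_id": "p1"}
ALICE = {"user_id": "alice", "roles": ["member"], "project_id": "p1"}

if __name__ == "__main__":
    for who, tok in [("system admin", SYSTEM_ADMIN), ("project admin", PROJECT_ADMIN), ("alice", ALICE)]:
        print(who, "-> bob's credential:", can("identity:ec2_get_credential", tok, "bob"))
```

The project-scoped admin is the interesting case: an `admin` role without `system_scope:all` no longer reaches another user's credentials, which is what the scope-type split buys.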

Colleen Murphy (krinkle) on 2018-09-19
tags: added: system-scope
Changed in keystone:
assignee: nobody → Vishakha Agarwal (vishakha.agarwal)

Fix proposed to branch: master
Review: https://review.openstack.org/607820

Changed in keystone:
status: Triaged → In Progress

Fix proposed to branch: master
Review: https://review.opendev.org/681162

Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Colleen Murphy (krinkle)
Changed in keystone:
assignee: Colleen Murphy (krinkle) → Vishakha Agarwal (vishakha.agarwal)

Reviewed: https://review.opendev.org/607820
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d009384c9b683008d572f9996e1fe4e5e5d82096
Submitter: Zuul
Branch: master

commit d009384c9b683008d572f9996e1fe4e5e5d82096
Author: Vishakha Agarwal <email address hidden>
Date: Thu Oct 4 12:39:32 2018 +0530

    Implement scope type checking for EC2 credentials

    This change updates the EC2 credentials policies to understand
    the scope types for EC2 credentials. A follow on patch will
    remove obsolete credential policies.

    To maintain the compatibility with the old rule the
    equivalent ec2_list_credentials and ec2_get_credentials behave
    inconsistently. Same for ec2_create_credentials and the
    ec2_delete_inconsistently.

    Change-Id: I090e2470726d22b2670a2cca89025063419f5262
    Partial-Bug: #1750678

Reviewed: https://review.opendev.org/681162
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6435017c242d759ec18dac30d667f0e196e49f38
Submitter: Zuul
Branch: master

commit 6435017c242d759ec18dac30d667f0e196e49f38
Author: Vishakha Agarwal <email address hidden>
Date: Tue Sep 10 11:57:13 2019 +0530

    Remove system EC2 credentials from policy.v3cloudsample.json

    By relying on system-scope and default roles, these policies are now
    obsolete.

    Change-Id: Ie6be658a8e4dd028834a3fee956689f9513a37e9
    Partial-Bug: #1806762
    Closes-Bug: #1750678

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.
