The ec2 credential API should account for different scopes

Bug #1750678 reported by Lance Bragstad
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Vishakha Agarwal
Milestone: (none)

Bug Description

Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the user API. This is documented in each patch with FIXMEs [0].

The following acceptance criteria describe how the v3 ec2 credential API should behave with tokens from multiple scopes:

GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id}

- Someone with a system role assignment that passes the check string should be able to view credentials for any user in the deployment (system-scoped)
- Someone with a valid token should only be able to view credentials they've created

GET /v3/users/{user_id}/credentials/OS-EC2/

- Someone with a system role assignment that passes the check string should be able to list all credentials in the deployment (system-scoped)
- Someone with a valid token should only be able to list credentials associated with their user

POST /v3/users/{user_id}/credentials/OS-EC2/

- Someone with a system role assignment that passes the check string should be able to create ec2 credentials for other users (system-scoped)
- Someone with a valid token should be able to create ec2 credentials for themselves

DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id}

- Someone with a system role assignment that passes the check string should be able to delete any ec2 credential in the deployment (system-scoped)
- Someone with a valid token should only be able to delete credentials associated with their user account

[0] https://github.com/openstack/keystone/blob/68df7bf1f3b3d6ab3f691f59f1ce6de6b0b1deab/keystone/common/policies/ec2_credential.py#L21-L31
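Added example, not keystone's code and not using oslo.policy: a minimal evaluator for check strings of the shape the acceptance criteria above imply (a system role assignment, or the credential's owner), run against three constructed tokens. The `identity:ec2_*` rule names, the check strings, and the token dicts are assumptions that approximate keystone's policies rather than copies of them.

```python
import re
# Check strings shaped as the acceptance criteria describe (a system role, or the
# credential's owner); constructed here, not copied from keystone's ec2_credential.py.
SYSTEM_READER = "role:reader and system_scope:all"
SYSTEM_ADMIN = "role:admin and system_scope:all"
CRED_OWNER = "user_id:%(target.credential.user_id)s"
RULES = {
    "identity:ec2_get_credential": f"({SYSTEM_READER}) or {CRED_OWNER}",
    "identity:ec2_list_credentials": f"({SYSTEM_READER}) or {CRED_OWNER}",
    "identity:ec2_create_credential": f"({SYSTEM_ADMIN}) or {CRED_OWNER}",
    "identity:ec2_delete_credential": f"({SYSTEM_ADMIN}) or {CRED_OWNER}",
}
# Constructed tokens: a system reader, the credential owner, and a project admin
# who is not the owner (a project-scoped admin must not reach other users' creds).
TARGET = {"target.credential.user_id": "alice"}
SYSTEM_READER_TOKEN = {"user_id": "ops", "roles": ["reader"], "system_scope": "all"}
OWNER_TOKEN = {"user_id": "alice", "roles": ["member"], "project_id": "p1"}
PROJECT_ADMIN_TOKEN = {"user_id": "bob", "roles": ["admin"], "project_id": "p1"}

def _atom(term, creds):
    kind, _, value = term.partition(":")  # 'role:x' or 'token_field:value'
    if kind == "role":
        return value in creds.get("roles", ())
    return creds.get(kind) == value

def _or(tokens, creds):  # or-expr: and-expr ('or' and-expr)*
    result = _and(tokens, creds)
    while tokens and tokens[0] == "or":
        tokens.pop(0)
        result = _and(tokens, creds) or result
    return result

def _and(tokens, creds):  # and-expr: primary ('and' primary)*
    result = _primary(tokens, creds)
    while tokens and tokens[0] == "and":
        tokens.pop(0)
        result = _primary(tokens, creds) and result
    return result

def _primary(tokens, creds):  # primary: '(' or-expr ')' | atom
    tok = tokens.pop(0)
    if tok != "(":
        return _atom(tok, creds)
    result = _or(tokens, creds)
    tokens.pop(0)  # the closing ')'
    return result

def enforce(action, creds, target):
    """True when the token satisfies RULES[action]; %(target.x)s is expanded first."""
    tokens = re.findall(r"\(|\)|[^\s()]+", RULES[action] % target)
    return _or(tokens, creds)
```

The project-scoped admin token is the case the scope_types work closes: holding `admin` is not enough without system scope or ownership.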

Colleen Murphy (krinkle)
tags: added: system-scope
Changed in keystone:
assignee: nobody → Vishakha Agarwal (vishakha.agarwal)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/607820

Changed in keystone:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/681162

Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Colleen Murphy (krinkle)
Changed in keystone:
assignee: Colleen Murphy (krinkle) → Vishakha Agarwal (vishakha.agarwal)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/607820
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d009384c9b683008d572f9996e1fe4e5e5d82096
Submitter: Zuul
Branch: master

commit d009384c9b683008d572f9996e1fe4e5e5d82096
Author: Vishakha Agarwal <email address hidden>
Date: Thu Oct 4 12:39:32 2018 +0530

    Implement scope type checking for EC2 credentials

    This change updates the EC2 credentials policies to understand
    the scope types for EC2 credentials. A follow on patch will
    remove obsolete credential policies.

    To maintain the compatibility with the old rule the
    equivalent ec2_list_credentials and ec2_get_credentials behave
    inconsistently. Same for ec2_create_credentials and the
    ec2_delete_inconsistently.

    Change-Id: I090e2470726d22b2670a2cca89025063419f5262
    Partial-Bug: #1750678

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/681162
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6435017c242d759ec18dac30d667f0e196e49f38
Submitter: Zuul
Branch: master

commit 6435017c242d759ec18dac30d667f0e196e49f38
Author: Vishakha Agarwal <email address hidden>
Date: Tue Sep 10 11:57:13 2019 +0530

    Remove system EC2 credentials from policy.v3cloudsample.json

    By relying on system-scope and default roles, these policies are now
    obsolete.

    Change-Id: Ie6be658a8e4dd028834a3fee956689f9513a37e9
    Partial-Bug: #1806762
    Closes-Bug: #1750678

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 16.0.0.0rc1

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.
