The ec2 credential API should account for different scopes
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | High | Vishakha Agarwal |
Bug Description
Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the user API. This is documented in each patch with FIXMEs [0].
The following acceptance criteria describe how the v3 ec2 credential API should behave with tokens from multiple scopes:
GET /v3/users/
- Someone with a system role assignment that passes the check string should be able to view credentials for any user in the deployment (system-scoped)
- Someone with a valid token should only be able to view credentials they've created
GET /v3/users/
- Someone with a system role assignment that passes the check string should be able to list all credentials in the deployment (system-scoped)
- Someone with a valid token should only be able to list credentials associated to their user
POST /v3/users/
- Someone with a system role assignment that passes the check string should be able to create ec2 credentials for other users (system-scoped)
- Someone with a valid token should be able to create ec2 credentials for themselves
DELETE /v3/users/
- Someone with a system role assignment that passes the check string should be able to delete any ec2 credential in the deployment (system-scoped)
- Someone with a valid token should only be able to delete credentials associated to their user account
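The acceptance criteria above, modelled as runnable code. This is an added example, not keystone's code and not oslo.policy itself: a small stand-in enforcer that takes a rule's accepted scope types and alternative checks, applied to an in-memory version of the four ec2 credential operations. The rule names, the role names used for the system-scoped checks (reader for GET/list, admin for create/delete), the Token and Ec2Credential shapes, and the sample users and credential ids are all assumptions made for this illustration; keystone's real check strings may differ.

```python
"""Toy scope-aware policy enforcement for the v3 ec2 credential API.

Added example, not keystone's or oslo.policy's code. Rule names, role names
(reader/admin), token/credential shapes and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Token:
    user_id: str
    roles: frozenset
    scope: str                      # "system", "project" or "domain"
    project_id: Optional[str] = None


@dataclass(frozen=True)
class Ec2Credential:
    id: str
    user_id: str                    # owning user
    project_id: str


class Forbidden(Exception):
    """Policy rejected the request (would be HTTP 403)."""


Check = Callable[[Token, dict], bool]


def system_reader(token: Token, target: dict) -> bool:
    # System-scoped token with the (assumed) reader role: may read any user's credentials.
    return token.scope == "system" and "reader" in token.roles


def system_admin(token: Token, target: dict) -> bool:
    # System-scoped token with the (assumed) admin role: may create/delete for any user.
    return token.scope == "system" and "admin" in token.roles


def owner(token: Token, target: dict) -> bool:
    # Any other valid token may only act on credentials belonging to its own user.
    return token.scope != "system" and target.get("user_id") == token.user_id


# Each rule lists the token scopes it accepts (the scope_types idea) and
# alternative checks; the rule passes when any one check passes.
RULES: Dict[str, dict] = {
    "identity:ec2_get_credential":    {"scope_types": {"system", "project"}, "checks": [system_reader, owner]},
    "identity:ec2_list_credentials":  {"scope_types": {"system", "project"}, "checks": [system_reader, owner]},
    "identity:ec2_create_credential": {"scope_types": {"system", "project"}, "checks": [system_admin, owner]},
    "identity:ec2_delete_credential": {"scope_types": {"system", "project"}, "checks": [system_admin, owner]},
}


def enforce(rule_name: str, token: Token, target: dict) -> None:
    rule = RULES[rule_name]
    # Scope check first: a token of an unsupported scope never reaches the checks.
    if token.scope not in rule["scope_types"]:
        raise Forbidden(f"{rule_name}: {token.scope}-scoped token not accepted")
    if not any(check(token, target) for check in rule["checks"]):
        raise Forbidden(f"{rule_name}: denied for user {token.user_id}")


class Ec2CredentialApi:
    """In-memory model of the four operations; user_id always comes from the URL path."""

    def __init__(self, creds: List[Ec2Credential]):
        self._creds = {c.id: c for c in creds}

    def _lookup(self, user_id: str, credential_id: str) -> Ec2Credential:
        cred = self._creds.get(credential_id)
        if cred is None or cred.user_id != user_id:
            raise KeyError(credential_id)      # would be HTTP 404
        return cred

    def get(self, token: Token, user_id: str, credential_id: str) -> Ec2Credential:
        # Enforce on the path user before looking anything up, so a non-owner
        # cannot distinguish an existing credential (403) from a missing one (404).
        enforce("identity:ec2_get_credential", token, {"user_id": user_id})
        return self._lookup(user_id, credential_id)

    def list(self, token: Token, user_id: str) -> List[Ec2Credential]:
        enforce("identity:ec2_list_credentials", token, {"user_id": user_id})
        return [c for c in self._creds.values() if c.user_id == user_id]

    def create(self, token: Token, user_id: str, credential_id: str, project_id: str) -> Ec2Credential:
        enforce("identity:ec2_create_credential", token, {"user_id": user_id})
        cred = Ec2Credential(credential_id, user_id, project_id)
        self._creds[cred.id] = cred
        return cred

    def delete(self, token: Token, user_id: str, credential_id: str) -> None:
        enforce("identity:ec2_delete_credential", token, {"user_id": user_id})
        del self._creds[self._lookup(user_id, credential_id).id]


def allowed(call: Callable, *args) -> bool:
    """True if the operation passes policy, False if it raises Forbidden."""
    try:
        call(*args)
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    api = Ec2CredentialApi([Ec2Credential("c1", "alice", "proj-a"), Ec2Credential("c2", "bob", "proj-b")])
    alice = Token("alice", frozenset({"member"}), "project", "proj-a")
    sys_reader = Token("auditor", frozenset({"reader"}), "system")
    print("alice reads bob's credential:", allowed(api.get, alice, "bob", "c2"))
    print("system reader reads bob's credential:", allowed(api.get, sys_reader, "bob", "c2"))
```

The ordering in `get` and `delete` is the point worth keeping when the real policy is written: the check uses the user id from the URL path, so a project-scoped caller probing another user's credential ids gets a uniform 403 and never learns which ids exist.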
tags: added: system-scope
Changed in keystone: assignee: nobody → Vishakha Agarwal (vishakha.agarwal)
Changed in keystone: assignee: Vishakha Agarwal (vishakha.agarwal) → Colleen Murphy (krinkle)
Changed in keystone: assignee: Colleen Murphy (krinkle) → Vishakha Agarwal (vishakha.agarwal)
Fix proposed to branch: master
Review: https://review.openstack.org/607820