2019-03-05 21:15:28 |
Lance Bragstad |
description |
In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The consumer API doesn't incorporate these defaults into its default policies [1], but it should.
[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/consumer.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927 |
In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The consumer API doesn't incorporate these defaults into its default policies [1], but it should.
The OAuth consumer API is system-specific, and shouldn't be accessible to domain or project users. For example, system administrators should be able to create, delete, and update consumers, while members and readers should only be able to get and list consumers.
[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/consumer.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927 |
|
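The access rules requested in the description, modeled as an added example (this is not keystone's policy code). The action names, the token dictionary shape, and the sample tokens are assumptions made for this sketch; the admin-implies-member-implies-reader chain is the default-role hierarchy from the Rocky spec.

```python
# Added illustration: scope-aware role checks for the consumer API.
# Action names and the token dict shape are assumptions for this sketch.

# Default-role hierarchy: admin implies member, member implies reader.
IMPLIED = {
    "admin": {"admin", "member", "reader"},
    "member": {"member", "reader"},
    "reader": {"reader"},
}

# Action -> minimum role required. Every action also requires system scope.
CONSUMER_POLICY = {
    "get_consumer": "reader",
    "list_consumers": "reader",
    "create_consumer": "admin",
    "update_consumer": "admin",
    "delete_consumer": "admin",
}


def effective_roles(roles):
    """Expand assigned roles with the roles they imply."""
    expanded = set()
    for role in roles:
        expanded |= IMPLIED.get(role, {role})
    return expanded


def authorize(token, action):
    """Allow only system-scoped tokens holding the required role."""
    required = CONSUMER_POLICY.get(action)
    if required is None:
        return False  # unknown action: fail closed
    if token.get("scope") != "system":
        return False  # domain- and project-scoped tokens never pass
    return required in effective_roles(token.get("roles", []))


def access_matrix(tokens):
    """Map each token name to the sorted list of actions it may perform."""
    return {name: sorted(a for a in CONSUMER_POLICY if authorize(tok, a))
            for name, tok in tokens.items()}


# Constructed sample tokens, not real keystone token bodies.
SAMPLE_TOKENS = {
    "system-admin": {"scope": "system", "roles": ["admin"]},
    "system-member": {"scope": "system", "roles": ["member"]},
    "system-reader": {"scope": "system", "roles": ["reader"]},
    "domain-admin": {"scope": "domain", "roles": ["admin"]},
    "project-admin": {"scope": "project", "roles": ["admin"]},
}
```

The scope test runs before the role test, so an admin role on a project or domain grants nothing on this API.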