Oauth1 Consumer API doesn't use default roles
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | Low | Colleen Murphy | |
Bug Description
In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The consumer API doesn't incorporate these defaults into its default policies [1], but it should.
The oauth consumer API is system-specific, and shouldn't be accessible to domain or project users. For example, system administrators should be able to create, delete, and update consumers, while members and readers should only be able to get and list consumers.
[0] http://
[1] http://
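
The access rules requested above, modelled as an added example (this is not keystone's code and does not use oslo.policy). Assumptions: the rule names follow keystone's `identity:*_consumer` naming, the default roles imply one another as admin → member → reader, and the evaluator and personas are hypothetical and constructed for illustration.

```python
# Added illustration: scope-aware default-role checks for the consumer API.
# The evaluator is a hypothetical stand-in, not oslo.policy.

# Assumed implication chain of the default roles: admin -> member -> reader.
IMPLIED = {
    "admin": {"admin", "member", "reader"},
    "member": {"member", "reader"},
    "reader": {"reader"},
}

# (required role, required scope) for each consumer operation.
SYSTEM_READER = ("reader", "system")
SYSTEM_ADMIN = ("admin", "system")
CONSUMER_POLICIES = {
    "identity:get_consumer": SYSTEM_READER,
    "identity:list_consumers": SYSTEM_READER,
    "identity:create_consumer": SYSTEM_ADMIN,
    "identity:update_consumer": SYSTEM_ADMIN,
    "identity:delete_consumer": SYSTEM_ADMIN,
}

def effective_roles(assigned):
    """Expand assigned roles with the roles they imply."""
    roles = set()
    for role in assigned:
        roles |= IMPLIED.get(role, {role})
    return roles

def is_allowed(rule, creds):
    """creds: {'roles': [...], 'scope': 'system' | 'domain' | 'project'}."""
    if rule not in CONSUMER_POLICIES:
        return False  # unknown rule: fail closed
    role, scope = CONSUMER_POLICIES[rule]
    # Both conditions must hold: a project-scoped admin is still denied.
    return creds.get("scope") == scope and role in effective_roles(creds.get("roles", []))

def access_matrix(personas):
    """Map each persona name to the sorted list of rules it passes."""
    return {name: sorted(r for r in CONSUMER_POLICIES if is_allowed(r, creds))
            for name, creds in personas.items()}

# Constructed personas covering each scope.
PERSONAS = {
    "system-admin": {"roles": ["admin"], "scope": "system"},
    "system-member": {"roles": ["member"], "scope": "system"},
    "system-reader": {"roles": ["reader"], "scope": "system"},
    "domain-admin": {"roles": ["admin"], "scope": "domain"},
    "project-admin": {"roles": ["admin"], "scope": "project"},
}

if __name__ == "__main__":
    for persona, rules in access_matrix(PERSONAS).items():
        print(f"{persona}: {rules or 'no access'}")
```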
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
tags: added: default-roles policy
description: updated
We discussed this during the keystone virtual midcycle. Bumping the priority of this to Low since we don't know of anyone using oauth1.
It would still be good to add support for member and reader roles, though.