Domain config API doesn't use default roles
Bug #1805366 reported by Lance Bragstad
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Medium | Vishakha Agarwal | |
Bug Description
In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The domain configuration API doesn't incorporate these defaults into its default policies [1], but it should.
[0] http://
[1] http://
tags: added: default-roles policy
Changed in keystone:
  status: New → Triaged
  importance: Undecided → Medium
Changed in keystone:
  assignee: nobody → Vishakha Agarwal (vishakha.agarwal)
Changed in keystone:
  assignee: Vishakha Agarwal (vishakha.agarwal) → Colleen Murphy (krinkle)
Changed in keystone:
  assignee: Colleen Murphy (krinkle) → Vishakha Agarwal (vishakha.agarwal)
We talked about this during the keystone virtual midcycle and wanted to note that the domain config API also has an API/policy that allows users to pull password security requirements for a domain.
This API and policy should be updated to also support domain-scoped tokens. Otherwise, the entire domain config API is system-specific and should remain that way in the future for security reasons (a domain admin shouldn't be able to set deployment configuration).
https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/domain_config.py#L74-L101
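The two points made on this page (the description: domain config policies should be expressed in terms of the Rocky default roles admin, member and reader; the comment: only the password security requirements lookup should additionally accept domain-scoped tokens, everything else stays system-scoped) are easiest to see by running check strings against sample credentials. The following is an added example written for this page, not keystone's or oslo.policy's code: a minimal evaluator for oslo.policy-style check strings plus a set of hypothetical rule names (`get_domain_config`, `update_domain_config`, `get_security_compliance_domain_config`) and constructed rule strings modelled on the default-roles pattern. Credential and target dictionaries are constructed inputs; keystone's real policy names, string constants and target layout may differ.

```python
"""Constructed illustration of default-roles policy strings under system- and
domain-scoped tokens. Example code for this page, not keystone's or
oslo.policy's implementation."""
import re
from typing import Any, Dict, List, Mapping, Tuple

# Tokens: parentheses, the keywords and/or, and `kind:match` atoms. The match
# part may contain an oslo-style `%(key)s` placeholder.
_TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|[A-Za-z_]+:(?:%\([^)]+\)s|[^\s()])+")

# Building blocks in the style of the Rocky default-roles policies (constructed).
SYSTEM_READER = "role:reader and system_scope:all"
SYSTEM_ADMIN = "role:admin and system_scope:all"
DOMAIN_READER = "role:reader and domain_id:%(target.domain_id)s"

# Hypothetical rule names and defaults reflecting the bug report and the comment:
# domain config CRUD stays system-only; reading a domain's password security
# requirements is also opened to a domain-scoped reader of that same domain.
RULES: Dict[str, str] = {
    "get_domain_config": SYSTEM_READER,
    "update_domain_config": SYSTEM_ADMIN,
    "get_security_compliance_domain_config": f"({SYSTEM_READER}) or ({DOMAIN_READER})",
}


class PolicyEvaluator:
    """Recursive-descent evaluator: or_expr := and_expr ('or' and_expr)*,
    and_expr := atom ('and' atom)*, atom := '(' or_expr ')' | kind:match."""

    def __init__(self, rules: Mapping[str, str]):
        self.rules = dict(rules)

    def enforce(self, rule: str, creds: Mapping[str, Any], target: Mapping[str, Any]) -> bool:
        tokens = _TOKEN.findall(self.rules[rule])
        result, pos = self._parse_or(tokens, 0, creds, target)
        if pos != len(tokens):
            raise ValueError(f"unparsed tokens in rule {rule!r}: {tokens[pos:]}")
        return result

    def _parse_or(self, tokens: List[str], pos: int, creds, target) -> Tuple[bool, int]:
        result, pos = self._parse_and(tokens, pos, creds, target)
        while pos < len(tokens) and tokens[pos] == "or":
            rhs, pos = self._parse_and(tokens, pos + 1, creds, target)
            result = result or rhs
        return result, pos

    def _parse_and(self, tokens: List[str], pos: int, creds, target) -> Tuple[bool, int]:
        result, pos = self._parse_atom(tokens, pos, creds, target)
        while pos < len(tokens) and tokens[pos] == "and":
            rhs, pos = self._parse_atom(tokens, pos + 1, creds, target)
            result = result and rhs
        return result, pos

    def _parse_atom(self, tokens: List[str], pos: int, creds, target) -> Tuple[bool, int]:
        tok = tokens[pos]
        if tok == "(":
            result, pos = self._parse_or(tokens, pos + 1, creds, target)
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ')'")
            return result, pos + 1
        kind, match = tok.split(":", 1)
        if kind == "role":
            return match in creds.get("roles", []), pos + 1
        if kind == "rule":
            return self.enforce(match, creds, target), pos + 1
        # Generic check: fill `%(key)s` from the flat target dict and compare with
        # the credential attribute named by `kind` (system_scope, domain_id, ...).
        try:
            expected = match % target if "%(" in match else match
        except KeyError:
            return False, pos + 1  # target lacks the attribute: the check fails
        return str(creds.get(kind)) == expected, pos + 1


def demo() -> Dict[str, bool]:
    """Evaluate the constructed rules for a system reader and two domain admins."""
    policy = PolicyEvaluator(RULES)
    target = {"target.domain_id": "d1"}  # flat target dict (constructed)
    system_reader = {"roles": ["reader"], "system_scope": "all"}
    domain_admin = {"roles": ["admin", "member", "reader"], "domain_id": "d1"}
    other_domain_admin = {"roles": ["admin", "member", "reader"], "domain_id": "d2"}
    return {
        "system_reader_get": policy.enforce("get_domain_config", system_reader, target),
        "system_reader_update": policy.enforce("update_domain_config", system_reader, target),
        "domain_admin_get_config": policy.enforce("get_domain_config", domain_admin, target),
        "domain_admin_update": policy.enforce("update_domain_config", domain_admin, target),
        "domain_admin_get_security": policy.enforce(
            "get_security_compliance_domain_config", domain_admin, target),
        "other_domain_admin_get_security": policy.enforce(
            "get_security_compliance_domain_config", other_domain_admin, target),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The domain admin holds every default role yet is denied both `get_domain_config` and `update_domain_config`, because those rules require `system_scope:all` and a domain-scoped token carries no system scope; only the password-requirements lookup for its own domain succeeds, and an admin of a different domain is still denied there.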