The v3 role API should account for different scopes

Bug #1805400 reported by Lance Bragstad on 2018-11-27
Affects: OpenStack Identity (keystone)
Status: Triaged
Importance: High
Assigned to: Unassigned

Bug Description

Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the user API. This is documented in each patch with FIXMEs [0].

The following acceptance criteria describe how the v3 role API should behave with tokens from multiple scopes.

GET /roles/{role_id}

- Someone with a system role assignment that passes the check string should be able to check any role in the deployment (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to check any domain role within that domain (domain-scoped)

GET /roles

- Someone with a system role assignment that passes the check string should be able to list all roles in the deployment (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to list all domain roles within that domain (domain-scoped)

POST /roles

- Someone with a system role assignment that passes the check string should be able to create roles (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to create a role within the domain (domain-scoped)

DELETE /roles/{role_id}

- Someone with a system role assignment that passes the check string should be able to remove roles (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to remove a domain role (domain-scoped)

[0] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/role.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927#n21

Changed in keystone:
status: New → Triaged
importance: Undecided → High
tags: added: policy system-scope