The v3 group API should account for different scopes

Bug #1808859 reported by Lance Bragstad on 2018-12-17
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
High
Unassigned

Bug Description

Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release [0]. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the group API. This is documented in each patch with FIXMEs [1].

System users should be able to manage groups across all domains in the deployment.
Domain users should be able to manage groups within the domain they have authorization on.
Project users shouldn't be able to manage groups at all, since group entities are domain-specific.

[0] https://review.openstack.org/#/c/525706/
[1] https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/group.py?id=20f11eb88a7d8bf534fa221ebeae4ae9c87cdc0b#n21

tags: added: policy
tags: added: system-scope
description: updated
Changed in keystone:
status: New → Triaged
importance: Undecided → High

Related fix proposed to branch: master
Review: https://review.openstack.org/625733

Related fix proposed to branch: master
Review: https://review.openstack.org/625734

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers