OpenStack Identity (keystone)

Application credential API doesn't use default roles

Bug #1818725 reported by Lance Bragstad
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Medium
Guang Yee

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The application credentials API doesn't incorporate these defaults into its default policies [1], but it should.

For example, system administrators should be able to clean up application credentials regardless of users, but system members or readers should only be able to list or get application credentials. Users who are not system users should only be able to manage their application credentials.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/application_credential.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc

See original description
Lance Bragstad (lbragstad)
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
description: updated
tags: added: default-roles policy
Colleen Murphy (krinkle)
Changed in keystone:
milestone: none → stein-rc1
Colleen Murphy (krinkle)
Changed in keystone:
milestone: stein-rc1 → none
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/670926

Changed in keystone:
assignee: nobody → Guang Yee (guang-yee)
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/670926
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=52da4d0e129048d1b808bdde07364cde698cf475
Submitter: Zuul
Branch: master

commit 52da4d0e129048d1b808bdde07364cde698cf475
Author: Guang Yee <email address hidden>
Date: Mon Jul 15 16:57:21 2019 -0700

    implement system scope for application credential

    Implement system scopes, namely 'admin', 'reader', and 'member' for
    the application credential API. Thus, making it consistent with other
    system-scoped policy definitions.

    For the application credential API, the follow policies will be enforced:

    - system admin can fetch, list, lookup, and delete user's application
      credentials.
    - system member and reader can only fetch, list, and lookup user's application
      credentials. Deleting a user's application credential other their own is
      strictly prohibitted.
    - domain and project admins can no longer touch user's application credentials
      other their own.
    - domain and project readers cannot touch user's application credentials
      other their own.
    - domain and project members cannot touch user's application credentials
      other their own.
    - create an application credential can only be done by the owner. No one else
      can create an application credential on behalf of another user.

    Test cases are added to guard the above policy changes.

    Change-Id: I26ee11571b6d0f700a5fe3a62ad2e8fc7f5316fe
    Closes-Bug: 1818725
    Closes-Bug: 1750615

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 16.0.0.0rc1

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.