Without this change, policy enforcement for the GET
/OS-TRUST/trusts/{trust_id} API is hardcoded in the flask dispatcher
code. This is a problem because this enforcement can't be controlled by
the operator, as is the norm. Moreover, it makes the transition to
system-scope and default-roles-aware policies more difficult because
there's no sensible migration from "" to a logical role-based check
string.
This converts the hardcoded enforcement to enforcement via default
policies for GET /OS-TRUST/trusts/{trust_id}. The API specifically
blocks the is_admin user from using it, and since policies aren't loaded
for the is_admin user we need to continue explicitly blocking it.
This change does not use the formal oslo.policy deprecation system
because "" OR'd with the new default is entirely useless as a policy.
Reviewed: https://review.opendev.org/676283
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b5617eee416d168a674283e220f67e2a9f174a19
Submitter: Zuul
Branch: master
commit b5617eee416d168a674283e220f67e2a9f174a19
Author: Colleen Murphy <email address hidden>
Date: Tue Aug 13 14:44:44 2019 -0700
Move get_trust enforcement to default policies
Without this change, policy enforcement for the GET
/OS-TRUST/trusts/{trust_id} API is hardcoded in the flask dispatcher
code. This is a problem because this enforcement can't be controlled by
the operator, as is the norm. Moreover, it makes the transition to
system-scope and default-roles-aware policies more difficult because
there's no sensible migration from "" to a logical role-based check
string.
This converts the hardcoded enforcement to enforcement via default
policies for GET /OS-TRUST/trusts/{trust_id}. The API specifically
blocks the is_admin user from using it, and since policies aren't loaded
for the is_admin user we need to continue explicitly blocking it.
This change does not use the formal oslo.policy deprecation system
because "" OR'd with the new default is entirely useless as a policy.
Change-Id: I3c0718330d5a18c0c79e8f12509200fd97a55913
Partial-bug: #1818850
Partial-bug: #1818846
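
The commit message's point about "" OR'd with a new default, shown as an added example (not keystone or oslo.policy code). It is a simplified model of check-string evaluation; `role:reader` as the new default and the `is_admin` credential key are assumptions made for illustration.

```python
# Simplified model of policy check strings: "", "role:<name>", "and", "or".
# The real oslo.policy grammar is richer; this only illustrates the reasoning.

OLD_DEFAULT = ""             # the previous rule: an empty check string
NEW_DEFAULT = "role:reader"  # hypothetical new default, not keystone's actual rule


def _atom(atom, creds):
    """Evaluate a single "role:<name>" check against the credentials."""
    kind, _, value = atom.strip().partition(":")
    if kind != "role":
        raise ValueError("unsupported check in this model: %r" % atom)
    return value in creds.get("roles", [])


def evaluate(check, creds):
    """Return True if creds satisfy the check string."""
    check = check.strip()
    if not check:
        return True  # an empty check string always passes
    return any(
        all(_atom(a, creds) for a in term.split(" and "))
        for term in check.split(" or ")
    )


def effective_during_deprecation(old, new, creds):
    """A deprecation period accepts a request if the old OR the new rule passes."""
    return evaluate(old, creds) or evaluate(new, creds)


def authorize_get_trust(creds, check=NEW_DEFAULT):
    """Explicit is_admin block first, then the policy check."""
    if creds.get("is_admin"):
        return False  # no policy is loaded for this user, so deny explicitly
    return evaluate(check, creds)


if __name__ == "__main__":
    nobody = {"roles": []}  # constructed sample credentials
    print("new default alone:", evaluate(NEW_DEFAULT, nobody))
    print('"" OR new default:',
          effective_during_deprecation(OLD_DEFAULT, NEW_DEFAULT, nobody))
```

With the old rule OR'd in, a caller holding no roles still passes, so the new default would enforce nothing until the deprecation period ended.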