Comment 15 for bug 1818846

OpenStack Infra (hudson-openstack) wrote: Fix merged to keystone (master)

Reviewed: https://review.opendev.org/676287
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=09e699baba89b94a020682ab7d916d67360f4481
Submitter: Zuul
Branch: master

commit 09e699baba89b94a020682ab7d916d67360f4481
Author: Colleen Murphy <email address hidden>
Date: Tue Aug 13 15:49:30 2019 -0700

    Move get_role_for_trust enforcement to policies

    Without this change, policy enforcement for the GET
    /OS-TRUST/trusts/{trust_id}/roles/{role_id} API is hardcoded in the
    flask dispatcher code. This is a problem because this enforcement can't
    be controlled by the operator, as is the norm. Moreover, it makes the
    transition to system-scope and default-roles-aware policies more
    difficult because there's no sensible migration from "" to a logical
    role-based check string.

    This converts the hardcoded enforcement to enforcement via default
    policies for GET /OS-TRUST/trusts/{trust_id}/roles/{role_id}. The API
    specifically blocks the is_admin user from using it, and since policies
    aren't loaded for the is_admin user we need to continue explicitly
    blocking it.

    This change does not use the formal oslo.policy deprecation system
    because "" OR'd with the new default is entirely useless as a policy.

    Change-Id: Ib5a6a87313aa7b2a73211f512b8a8c675a21b52f
    Partial-bug: #1818850
    Partial-bug: #1818846
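The commit message makes two points worth seeing concretely: an empty check string `""` admits every caller, so `"" or <new default>` is no stricter than `""` (which is why the normal oslo.policy deprecation path was skipped), and the bootstrap `is_admin` user still needs an explicit block because no policy is evaluated for it. The following is an added illustration, not code from keystone or from this change; it uses a small check-string evaluator modelled on oslo.policy's `role:`/`rule:`/`or`/`and` semantics (an assumption, simplified, not the library itself), and the policy names and sample credentials are constructed for the example.

```python
"""Illustrate why '' OR'd with a real rule is a useless policy, and why the
is_admin bootstrap user must be refused before any check string is evaluated.
Toy evaluator modelled on oslo.policy semantics (assumption: simplified)."""
import re

# Constructed sample credentials (not from the page).
ADMIN_CREDS = {"roles": ["admin"], "user_id": "u-admin"}
MEMBER_CREDS = {"roles": ["member"], "user_id": "u-member"}
BOOTSTRAP_CREDS = {"is_admin": True, "roles": []}  # admin_token bootstrap user

# Hypothetical policy table; the rule names are assumptions for illustration.
RULES = {
    "admin_required": "role:admin",
    # the previously hardcoded behaviour, expressed as a check string: anyone passes
    "identity:get_role_for_trust_hardcoded": "",
    # what the formal deprecation path would produce: old '' OR new default
    "identity:get_role_for_trust_deprecated": "rule:admin_required or ''",
    # the sensible default the change moves to
    "identity:get_role_for_trust": "rule:admin_required",
}


class Enforcer:
    """Evaluate check strings of the form 'a and b or c' with role:/rule: atoms."""

    def __init__(self, rules):
        self.rules = rules  # rule name -> check string

    def _check_atom(self, atom, creds):
        atom = atom.strip().strip("'\"")
        if atom in ("", "@"):          # empty string and '@' always allow
            return True
        if atom == "!":                # '!' always denies
            return False
        kind, _, value = atom.partition(":")
        if kind == "role":
            return value in creds.get("roles", [])
        if kind == "rule":
            return self.check(self.rules[value], creds)
        raise ValueError(f"unsupported check atom: {atom!r}")

    def check(self, check_str, creds):
        # 'and' binds tighter than 'or', as in oslo.policy
        for disjunct in re.split(r"\s+or\s+", check_str.strip()):
            atoms = re.split(r"\s+and\s+", disjunct)
            if all(self._check_atom(a, creds) for a in atoms):
                return True
        return False


def enforce_get_role_for_trust(rule_name, creds, rules=RULES):
    """Return True if the caller may read a trust's role under rule_name.

    Policies are not loaded for the is_admin bootstrap user, so it is refused
    explicitly before any check string runs, mirroring the commit's note.
    """
    if creds.get("is_admin"):
        return False
    return Enforcer(rules).check(rules[rule_name], creds)


if __name__ == "__main__":
    for name in ("identity:get_role_for_trust_hardcoded",
                 "identity:get_role_for_trust_deprecated",
                 "identity:get_role_for_trust"):
        print(name, "member ->", enforce_get_role_for_trust(name, MEMBER_CREDS),
              "admin ->", enforce_get_role_for_trust(name, ADMIN_CREDS))
```

Running it shows the hardcoded and the "deprecated" forms both admit the plain member, while only the new role-based default refuses it, and the bootstrap user is refused under every rule. That is the operator-facing difference the change is about: once the check lives in the policy file, the operator can tighten or relax it, but only if the migrated default is a real check string rather than `""`.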