Reviewed: https://review.opendev.org/676287
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=09e699baba89b94a020682ab7d916d67360f4481
Submitter: Zuul
Branch: master
commit 09e699baba89b94a020682ab7d916d67360f4481
Author: Colleen Murphy <email address hidden>
Date: Tue Aug 13 15:49:30 2019 -0700
Move get_role_for_trust enforcement to policies

Without this change, policy enforcement for the GET
/OS-TRUST/trusts/{trust_id}/roles/{role_id} API is hardcoded in the
flask dispatcher code. This is a problem because this enforcement can't
be controlled by the operator, as is the norm. Moreover, it makes the
transition to system-scope and default-roles-aware policies more
difficult because there's no sensible migration from "" to a logical
role-based check string.

This converts the hardcoded enforcement to enforcement via default
policies for GET /OS-TRUST/trusts/{trust_id}/roles/{role_id}. The API
specifically blocks the is_admin user from using it, and since policies
aren't loaded for the is_admin user we need to continue explicitly
blocking it.

This change does not use the formal oslo.policy deprecation system
because "" OR'd with the new default is entirely useless as a policy.
Change-Id: Ib5a6a87313aa7b2a73211f512b8a8c675a21b52f
Partial-bug: #1818850
Partial-bug: #1818846