The v3 trust API should account for different scopes
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
Low
|
Colleen Murphy |
Bug Description
Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the user API.
The trust API and trust entities require projects in order to be useful, but allowing system users to list or manage trusts would be useful for support personnel.
GET /v3/OS-TRUST/trusts or GET /v3/OS-
For example, a system user should be able to list all trusts in the deployment, while project users should only be able to access that API for trusts they own.
POST /v3/OS-TRUST/trusts
Only project users should be able to call this API since trusts require a project in order to be useful
DELETE /v3/OS-
This API should be accessible to system administrators and users attempting to delete their own trust. This work might also present us with an opportunity to remove some of the logic in the trust API layer, in favor of something that's more commonly used across keystone APIs [0].
tags: | added: policy system-scope |
Changed in keystone: | |
status: | New → Triaged |
importance: | Undecided → Low |
description: | updated |
Changed in keystone: | |
milestone: | none → stein-rc1 |
Changed in keystone: | |
milestone: | stein-rc1 → none |
Changed in keystone: | |
assignee: | nobody → Colleen Murphy (krinkle) |
Fix proposed to branch: master /review. opendev. org/675720
Review: https:/