Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the user API.
The trust API and trust entities require projects in order to be useful, but allowing system users to list or manage trusts would be useful for support personnel.
GET /v3/OS-TRUST/trusts or GET /v3/OS-TRUST/trusts/{trust_id}
For example, a system user should be able to list all trusts in the deployment, while project users should only be able to access that API for trusts they own.
POST /v3/OS-TRUST/trusts
Only project users should be able to call this API since trusts require a project in order to be useful
DELETE /v3/OS-TRUST/trusts/{trust_id}
This API should be accessible to system administrators and users attempting to delete their own trust.
Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the user API.
The trust API and trust entities require projects in order to be useful, but allowing system users to list or manage trusts would be useful for support personnel.
GET /v3/OS-TRUST/trusts or GET /v3/OS- TRUST/trusts/ {trust_ id}
For example, a system user should be able to list all trusts in the deployment, while project users should only be able to access that API for trusts they own.
POST /v3/OS-TRUST/trusts
Only project users should be able to call this API since trusts require a project in order to be useful
DELETE /v3/OS- TRUST/trusts/ {trust_ id}
This API should be accessible to system administrators and users attempting to delete their own trust.