Comment 12 for bug 1818850

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/676277
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a09163a3202c32f05cf636559a95fe45c6ea272b
Submitter: Zuul
Branch: master

commit a09163a3202c32f05cf636559a95fe45c6ea272b
Author: Colleen Murphy <email address hidden>
Date: Tue Aug 13 13:09:41 2019 -0700

    Move delete_trust enforcement to default policies

    Without this change, policy enforcement for the DELETE
    /OS-TRUST/trusts/{trust_id} API is hardcoded in the flask dispatcher
    code. This is a problem because this enforcement can't be controlled by
    the operator, as is the norm. Moreover, it makes the transition to
    system-scope and default-roles-aware policies more difficult because
    there's no sensible migration from "" to a logical role-based check
    string.

    This converts the hardcoded enforcement to enforcement via default
    policies for DELETE /OS-TRUST/trusts/{trust_id}. Currently only the
    trustor or the is_admin user can access this API (since the is_admin
    user bypasses the policy loading). This behavior will be changed in a
    future patch that will allow the system admin to access this API.

    This change does not use the formal oslo.policy deprecation system
    because "" OR'd with the new default is entirely useless as a policy.

    Change-Id: I1aaba72b69b389ffbfcf7d5b8cc70453ffa59e73
    Partial-bug: #1818850
    Partial-bug: #1818846
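
The commit message's last point, that an empty check string OR'd with a new default is useless as a policy, can be seen in a small model. This is an added example, not code from keystone or oslo.policy: the evaluator is a simplified stand-in for check-string evaluation, and `NEW_DEFAULT`, the helper names and the sample users are assumptions made for illustration (the page does not quote the actual default).

```python
# Simplified model of policy check strings; NOT oslo.policy itself.
# Supported clauses: "" (always passes), "role:<name>",
# "user_id:%(<dotted.path>)s", joined with " or ".

OLD_DEFAULT = ""  # the empty check string the commit message refers to
# Assumed trustor-only check string, for illustration only.
NEW_DEFAULT = "user_id:%(target.trust.trustor_user_id)s"

def _lookup(target, dotted):
    """Resolve e.g. 'target.trust.trustor_user_id' against nested dicts."""
    value = {"target": target}
    for key in dotted.split("."):
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    return value

def check(rule, creds, target):
    """Return True if any clause of the check string allows the request."""
    if rule.strip() == "":
        return True  # an empty check string places no restriction at all
    for clause in (c.strip() for c in rule.split(" or ")):
        kind, _, match = clause.partition(":")
        if kind == "role" and match in creds.get("roles", []):
            return True
        if kind == "user_id" and match.startswith("%(") and match.endswith(")s"):
            expected = _lookup(target, match[2:-2])
            if expected is not None and creds.get("user_id") == expected:
                return True
    return False

def check_with_deprecation(old, new, creds, target):
    """Deprecation-style enforcement: the new default OR'd with the old one."""
    return check(new, creds, target) or check(old, creds, target)

def demo():
    # Constructed sample data: a trust owned by "alice", requested by two users.
    target = {"trust": {"trustor_user_id": "alice"}}
    alice = {"user_id": "alice", "roles": ["member"]}
    mallory = {"user_id": "mallory", "roles": ["member"]}
    return {
        "trustor_new": check(NEW_DEFAULT, alice, target),
        "other_new": check(NEW_DEFAULT, mallory, target),
        "other_or_old": check_with_deprecation(OLD_DEFAULT, NEW_DEFAULT, mallory, target),
    }

if __name__ == "__main__":
    print(demo())
```

With the OR'd form, the non-trustor is allowed at the policy layer, so the new default would restrict nothing until the old one was dropped.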