Project tags should account for different scopes.

Bug #1844193 reported by Lance Bragstad
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Lance Bragstad

Bug Description

Project resources in keystone can be tagged with simple strings called tags. Operations for managing a project's tags should only be managed by system administrators and not project-level or domain-level users.

The policies that protect project tags should understand system-scope [0].


tags: added: policy system-scope
Colleen Murphy (krinkle)
Changed in keystone:
status: New → Triaged
importance: Undecided → High
milestone: none → train-rc1
Changed in keystone:
status: Triaged → In Progress
Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
Revision history for this message
Lance Bragstad (lbragstad) wrote :
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Submitter: Zuul
Branch: master

commit 8e67249d5bfb07b0a236189f62b3f338532f0df0
Author: Lance Bragstad <email address hidden>
Date: Mon Sep 16 22:11:06 2019 +0000

    Add default roles and scope checking to project tags

    This commit makes it so that project tags adhere to system-scope and
    also incorporates default roles into the policy checks by default.

    Change-Id: Ie36df5677a08d7d95f056f3ea00eda05e1315ea5
    Closes-Bug: 1844194
    Closes-Bug: 1844193
    Related-Bug: 1806762

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone

This issue was fixed in the openstack/keystone release candidate.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers