Project tags should account for different scopes.

Bug #1844193 reported by Lance Bragstad on 2019-09-16
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
High
Lance Bragstad

Bug Description

Project resources in keystone can be tagged with simple strings called tags. Operations for managing a project's tags should only be managed by system administrators and not project-level or domain-level users.

The policies that protect project tags should understand system-scope [0].

[0] https://opendev.org/openstack/keystone/src/commit/18e0080af3dcc0a96ff5d98aeb5f517080a35fb2/keystone/common/policies/project.py#L147-L210

tags: added: policy system-scope
Colleen Murphy (krinkle) on 2019-09-16
Changed in keystone:
status: New → Triaged
importance: Undecided → High
milestone: none → train-rc1
Changed in keystone:
status: Triaged → In Progress
Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)

Reviewed: https://review.opendev.org/682503
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8e67249d5bfb07b0a236189f62b3f338532f0df0
Submitter: Zuul
Branch: master

commit 8e67249d5bfb07b0a236189f62b3f338532f0df0
Author: Lance Bragstad <email address hidden>
Date: Mon Sep 16 22:11:06 2019 +0000

    Add default roles and scope checking to project tags

    This commit makes it so that project tags adhere to system-scope and
    also incorporates default roles into the policy checks by default.

    Change-Id: Ie36df5677a08d7d95f056f3ea00eda05e1315ea5
    Closes-Bug: 1844194
    Closes-Bug: 1844193
    Related-Bug: 1806762

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers