Project tags should account for different scopes.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | | High | Lance Bragstad | |
Bug Description
Project resources in keystone can be tagged with simple strings called tags. Operations for managing a project's tags should only be managed by system administrators and not project-level or domain-level users.
The policies that protect project tags should understand system-scope [0].
tags: added: policy system-scope
Changed in keystone:
status: New → Triaged
importance: Undecided → High
milestone: none → train-rc1
Changed in keystone:
status: Triaged → In Progress
Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
Lance Bragstad (lbragstad) wrote (#1):
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 8e67249d5bfb07b
Author: Lance Bragstad <email address hidden>
Date: Mon Sep 16 22:11:06 2019 +0000
Add default roles and scope checking to project tags
This commit makes it so that project tags adhere to system-scope and
also incorporates default roles into the policy checks by default.
Change-Id: Ie36df5677a08d7
Closes-Bug: 1844194
Closes-Bug: 1844193
Related-Bug: 1806762
Changed in keystone:
status: In Progress → Fix Released
This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.
Patch in review: https://review.opendev.org/#/c/682503/