OpenStack Identity (keystone)

Project Endpoints should account for system scope and default roles

Bug #1844664 reported by Vishakha Agarwal on 2019-09-19

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	High	Colleen Murphy	OpenStack Identity (keystone) train-rc1

Bug Description

Project resources in keystone can be tagged with endpoints. Operations for managing project endpoints should only be managed by system administrators and not project-level or domain-level users.

The policies that protect the project endpoints should understand system-scope [0].

[0] https://opendev.org/openstack/keystone/src/commit/18e0080af3dcc0a96ff5d98aeb5f517080a35fb2/keystone/common/policies/project_endpoint.py#L19-L66

Tags:

Vishakha Agarwal (vishakha.agarwal) on 2019-09-19

Changed in keystone:
assignee:	nobody → Vishakha Agarwal (vishakha.agarwal)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-09-19: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/683153

Changed in keystone:
status:	New → In Progress

Lance Bragstad (lbragstad) on 2019-09-19

summary:	- Project Endpoints should account for system scopes + Project Endpoints should account for system scope and default roles
tags:	added: policy
tags:	added: default-roles system-scope
Changed in keystone:
importance:	Undecided → High
milestone:	none → train-rc1

OpenStack Infra (hudson-openstack) on 2019-09-19

Changed in keystone:
assignee:	Vishakha Agarwal (vishakha.agarwal) → Colleen Murphy (krinkle)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-09-20: Fix merged to keystone (master)

Reviewed: https://review.opendev.org/683153
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c9148db371dfa449830d2fbe7c1345135ebddf3f
Submitter: Zuul
Branch: master

commit c9148db371dfa449830d2fbe7c1345135ebddf3f
Author: Vishakha Agarwal <email address hidden>
Date: Thu Sep 19 18:45:30 2019 +0530

Implement scope type checking for Project Endpoints

    This change updates the Project Endpoints policies to understand
    the scope types for Project Endpoints. This adds the test cases
    too.

Change-Id: Id18036325b2f5b8836076408ecdd64523b19cbba
Closes-Bug: #1844664

Changed in keystone:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-09-27: Fix included in openstack/keystone 16.0.0.0rc1

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.