Project Endpoints should account for system scope and default roles

Bug #1844664 reported by Vishakha Agarwal
This bug affects 2 people
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Colleen Murphy

Bug Description

Project resources in keystone can be tagged with endpoints. Operations for managing project endpoints should only be managed by system administrators and not project-level or domain-level users.

The policies that protect the project endpoints should understand system-scope [0].

[0] https://opendev.org/openstack/keystone/src/commit/18e0080af3dcc0a96ff5d98aeb5f517080a35fb2/keystone/common/policies/project_endpoint.py#L19-L66
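
The distinction the description draws, as an added example that is not keystone's code or part of the original report: a simplified Python model (it does not use oslo.policy) of a role-only rule next to a rule that also checks the token's scope type. The rule names, role requirements and tokens are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Default roles imply one another: admin -> member -> reader.
IMPLIED = {
    "admin": {"admin", "member", "reader"},
    "member": {"member", "reader"},
    "reader": {"reader"},
}

@dataclass(frozen=True)
class Token:
    role: str   # role held on the scope target
    scope: str  # "system", "domain" or "project"

@dataclass(frozen=True)
class Rule:
    required_role: str
    scope_types: tuple = ()  # empty: the token's scope is never checked

def authorize(rule, token):
    """Allow only when the scope type (if declared) and the role both match."""
    if rule.scope_types and token.scope not in rule.scope_types:
        return False
    return rule.required_role in IMPLIED[token.role]

# Hypothetical rule names and requirements, following the bug description.
LEGACY = {
    "list_endpoints_for_project": Rule("admin"),
    "add_endpoint_to_project": Rule("admin"),
}
SCOPED = {
    "list_endpoints_for_project": Rule("reader", ("system",)),
    "add_endpoint_to_project": Rule("admin", ("system",)),
}

# Constructed tokens covering each scope and default role of interest.
TOKENS = {
    "system_admin": Token("admin", "system"),
    "system_reader": Token("reader", "system"),
    "domain_admin": Token("admin", "domain"),
    "project_admin": Token("admin", "project"),
}

def decisions(policy, action):
    """Map each constructed token to the allow/deny result for one action."""
    return {name: authorize(policy[action], tok) for name, tok in TOKENS.items()}

if __name__ == "__main__":
    for label, policy in (("legacy", LEGACY), ("scoped", SCOPED)):
        print(label, decisions(policy, "add_endpoint_to_project"))
```

In the role-only model, domain and project admins pass the write check; once the rule declares a system scope type, only system-scoped tokens pass, and the reader role is sufficient for the read operation.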

Changed in keystone:
assignee: nobody → Vishakha Agarwal (vishakha.agarwal)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/683153

Changed in keystone:
status: New → In Progress
summary: - Project Endpoints should account for system scopes
+ Project Endpoints should account for system scope and default roles
tags: added: policy
tags: added: default-roles system-scope
Changed in keystone:
importance: Undecided → High
milestone: none → train-rc1
Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Colleen Murphy (krinkle)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/683153
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c9148db371dfa449830d2fbe7c1345135ebddf3f
Submitter: Zuul
Branch: master

commit c9148db371dfa449830d2fbe7c1345135ebddf3f
Author: Vishakha Agarwal <email address hidden>
Date: Thu Sep 19 18:45:30 2019 +0530

    Implement scope type checking for Project Endpoints

    This change updates the Project Endpoints policies to understand
    the scope types for Project Endpoints. This adds the test cases
    too.

    Change-Id: Id18036325b2f5b8836076408ecdd64523b19cbba
    Closes-Bug: #1844664

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 16.0.0.0rc1

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.
