Project Endpoints should account for system scope and default roles

Bug #1844664 reported by Vishakha Agarwal on 2019-09-19
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: High
Assigned to: Colleen Murphy

Bug Description

Project resources in keystone can be tagged with endpoints. Operations for managing project endpoints should only be managed by system administrators and not project-level or domain-level users.

The policies that protect the project endpoints should understand system-scope [0].

[0] https://opendev.org/openstack/keystone/src/commit/18e0080af3dcc0a96ff5d98aeb5f517080a35fb2/keystone/common/policies/project_endpoint.py#L19-L66
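
The behaviour the report asks for can be pictured as a small authorization model. This is an added example, not keystone or oslo.policy code and not part of the original report. The operation names are hypothetical, and the split of read operations to `reader` and write operations to `admin` is an assumption based on the default role hierarchy.

```python
# Simplified model of scope-type plus default-role enforcement (not keystone code).
from dataclasses import dataclass

# Default role hierarchy: admin implies member, member implies reader.
IMPLIED = {
    "admin": {"admin", "member", "reader"},
    "member": {"member", "reader"},
    "reader": {"reader"},
}

@dataclass(frozen=True)
class Token:
    scope: str  # "system", "domain" or "project"
    role: str   # role assigned on that scope

@dataclass(frozen=True)
class Rule:
    required_role: str
    scope_types: tuple  # token scopes allowed to call the operation at all

# Hypothetical operation names for the project endpoint API.
POLICIES = {
    "list_endpoints_for_project": Rule("reader", ("system",)),
    "check_endpoint_in_project": Rule("reader", ("system",)),
    "add_endpoint_to_project": Rule("admin", ("system",)),
    "remove_endpoint_from_project": Rule("admin", ("system",)),
}

def enforce(action: str, token: Token) -> bool:
    rule = POLICIES.get(action)
    if rule is None:
        return False  # fail closed on unknown operations
    if token.scope not in rule.scope_types:
        return False  # domain- and project-scoped tokens stop here, whatever the role
    return rule.required_role in IMPLIED.get(token.role, set())

def matrix() -> dict:
    """Decision for every operation against every scope/role combination."""
    tokens = [Token(s, r) for s in ("system", "domain", "project")
              for r in ("admin", "member", "reader")]
    return {(a, t.scope, t.role): enforce(a, t) for a in POLICIES for t in tokens}

if __name__ == "__main__":
    for (action, scope, role), allowed in matrix().items():
        print(f"{action:30} {scope:8} {role:7} {'ALLOW' if allowed else 'DENY'}")
```

The scope check runs before the role check, so a project-scoped or domain-scoped `admin` is denied even though the role name matches.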

Changed in keystone:
assignee: nobody → Vishakha Agarwal (vishakha.agarwal)

Fix proposed to branch: master
Review: https://review.opendev.org/683153

Changed in keystone:
status: New → In Progress
summary: - Project Endpoints should account for system scopes
+ Project Endpoints should account for system scope and default roles
tags: added: policy
tags: added: default-roles system-scope
Changed in keystone:
importance: Undecided → High
milestone: none → train-rc1
Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Colleen Murphy (krinkle)

Reviewed: https://review.opendev.org/683153
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c9148db371dfa449830d2fbe7c1345135ebddf3f
Submitter: Zuul
Branch: master

commit c9148db371dfa449830d2fbe7c1345135ebddf3f
Author: Vishakha Agarwal <email address hidden>
Date: Thu Sep 19 18:45:30 2019 +0530

    Implement scope type checking for Project Endpoints

    This change updates the Project Endpoints policies to understand
    the scope types for Project Endpoints. This adds the test cases
    too.

    Change-Id: Id18036325b2f5b8836076408ecdd64523b19cbba
    Closes-Bug: #1844664

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.
