Without this patch, project members and readers can list any credentials
with the /v3/credentials API when enforce_scope is false. enforce_scope
is only applicable to project admins due to the admin-ness problem[1],
and this policy is not meant to allow project admins any access to users'
credentials (only system admins should be able to access them). However,
when enforce_scope is false, we need to preserve the old behavior of
project admins being able to list all credentials. This change mitigates
the problem by running the identity:get_credential policy check to
filter out credentials the user does not have access to. This will
impact performance.
Reviewed: https://review.opendev.org/697355
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=17c337dbdbfb9d548ad531c2ad0483c9bce5b98f
Submitter: Zuul
Branch: master
commit 17c337dbdbfb9d548ad531c2ad0483c9bce5b98f
Author: Colleen Murphy <email address hidden>
Date: Wed Dec 4 10:51:05 2019 -0800
Fix credential list for project members
Without this patch, project members and readers can list any credentials
with the /v3/credentials API when enforce_scope is false. enforce_scope
is only applicable to project admins due to the admin-ness problem[1],
and this policy is not meant to allow project admins any access to users'
credentials (only system admins should be able to access them). However,
when enforce_scope is false, we need to preserve the old behavior of
project admins being able to list all credentials. This change mitigates
the problem by running the identity:get_credential policy check to
filter out credentials the user does not have access to. This will
impact performance.
Closes-bug: #1855080
[1] https://bugs.launchpad.net/keystone/+bug/968696
Change-Id: I5dd85a6b8368373a27aef2942a64499d020662ef
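The mitigation the commit message describes, as an added illustration that is not keystone's code and not taken from the change above: a list endpoint that used to hand back every row now runs the per-object read check (identity:get_credential) over each row and drops the ones the caller could not GET individually. The policy engine, the rule encoded in get_credential_allowed, the Context shape and the sample credentials are all constructed for this example, modelled on the behaviour the message states (system admins always allowed, owners allowed, project admins still allowed while enforce_scope is false); they are assumptions, not oslo.policy's API or keystone's real policy strings.

```python
"""Added example (not keystone's code): filtering a list result through the
per-credential read policy so that /v3/credentials only returns rows the
caller could also GET one at a time.

Everything here is a hand-rolled stand-in modelled on the commit message;
the rule, the Context shape and the data are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Minimal request context: who is calling and with what scope."""
    user_id: str
    roles: frozenset
    system_scope: bool = False  # True for a system-scoped token


# Constructed sample data; ids and user names are invented for the example.
CREDENTIALS = [
    {"id": "c1", "user_id": "alice", "project_id": "p1", "type": "ec2"},
    {"id": "c2", "user_id": "bob", "project_id": "p1", "type": "ec2"},
    {"id": "c3", "user_id": "carol", "project_id": "p2", "type": "totp"},
]


def get_credential_allowed(ctx: Context, cred: dict, enforce_scope: bool) -> bool:
    """Stand-in for the identity:get_credential check (assumed rule).

    A system-scoped admin always passes, the credential's owner passes, and
    while enforce_scope is False the legacy rule also lets any token that
    carries the admin role (i.e. a project admin) read everything.  That last
    branch is the old behaviour the commit message says must be preserved.
    """
    if ctx.system_scope and "admin" in ctx.roles:
        return True
    if cred["user_id"] == ctx.user_id:
        return True
    if not enforce_scope and "admin" in ctx.roles:
        return True
    return False


def list_credentials_before(creds: list) -> list:
    """Pre-fix shape of the endpoint as seen by the caller.

    The reported behaviour (members and readers see every credential) amounts
    to: once the coarse list check passes, the whole backend result is
    returned with no per-row authorization.
    """
    return list(creds)


def list_credentials_after(ctx: Context, creds: list, enforce_scope: bool):
    """Post-fix shape: run the per-object read check over every row.

    Returns (visible_credentials, policy_evaluations).  The second value
    makes the cost explicit: one policy evaluation per credential in the
    backend result, which is the performance impact the commit warns about.
    """
    visible = []
    evaluations = 0
    for cred in creds:
        evaluations += 1
        if get_credential_allowed(ctx, cred, enforce_scope):
            visible.append(cred)
    return visible, evaluations


def visible_ids(ctx: Context, enforce_scope: bool) -> list:
    """Credential ids the caller can see after the fix, for the sample data."""
    visible, _ = list_credentials_after(ctx, CREDENTIALS, enforce_scope)
    return [c["id"] for c in visible]


if __name__ == "__main__":
    member = Context("alice", frozenset({"member"}))
    reader = Context("dave", frozenset({"reader"}))
    project_admin = Context("bob", frozenset({"admin"}))
    system_admin = Context("root", frozenset({"admin"}), system_scope=True)

    # A project member used to get everything; now only their own credential.
    print("member, before:", [c["id"] for c in list_credentials_before(CREDENTIALS)])
    print("member, after :", visible_ids(member, False))
    # A reader with no credentials of their own now sees nothing.
    print("reader, after :", visible_ids(reader, False))
    # Legacy behaviour for project admins survives while enforce_scope is off...
    print("project admin, enforce_scope=False:", visible_ids(project_admin, False))
    # ...and goes away once scope is enforced; system admins keep full access.
    print("project admin, enforce_scope=True :", visible_ids(project_admin, True))
    print("system admin, enforce_scope=True  :", visible_ids(system_admin, True))
```

The point the example makes is the general one behind this bug: a list endpoint is only as safe as the check it applies per row, so when the list rule is coarser than the single-object rule the fix is to reuse the single-object rule inside the list, accepting the extra policy evaluations.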