Comment 21 for bug 1855080

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/train)

Reviewed: https://review.opendev.org/697611
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bd3f63787151183f4daa43578aa491856fefae5b
Submitter: Zuul
Branch: stable/train

commit bd3f63787151183f4daa43578aa491856fefae5b
Author: Colleen Murphy <email address hidden>
Date: Wed Dec 4 10:51:05 2019 -0800

    Fix credential list for project members

    Without this patch, project members and readers can list any credentials
    with the /v3/credentials API when enforce_scope is false. enforce_scope
    is only applicable to project admins due to the admin-ness problem[1],
    and this policy is not meant to allow project admins any access to users'
    credentials (only system admins should be able to access them). However,
    when enforce_scope is false, we need to preserve the old behavior of
    project admins being able to list all credentials. This change mitigates
    the problem by running the identity:get_credential policy check to
    filter out credentials the user does not have access to. This will
    impact performance.

    Closes-bug: #1855080

    [1] https://bugs.launchpad.net/keystone/+bug/968696

    Change-Id: I5dd85a6b8368373a27aef2942a64499d020662ef
    (cherry picked from commit 17c337dbdbfb9d548ad531c2ad0483c9bce5b98f)
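The mitigation the commit message describes, as an added illustration that is not keystone's own code: list the credentials, then drop every entry for which a per-credential get check fails, so that project members only see their own while the legacy enforce_scope=false admin behaviour is preserved. The Context fields, the simplified enforce_get_credential rule and the sample credentials are assumptions, not keystone's actual policy strings.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a policy check denies access (stand-in for keystone's)."""


@dataclass(frozen=True)
class Context:
    user_id: str
    roles: frozenset
    system_scope: bool = False   # True for a system-scoped token
    enforce_scope: bool = True   # assumed stand-in for the oslo.policy setting


# Constructed sample data: three credentials owned by three different users.
CREDENTIALS = [
    {"id": "c1", "user_id": "alice", "type": "ec2"},
    {"id": "c2", "user_id": "bob", "type": "ec2"},
    {"id": "c3", "user_id": "carol", "type": "totp"},
]


def enforce_get_credential(ctx, cred):
    """Assumed simplification of identity:get_credential: a system-scoped
    caller or the owning user passes; when enforce_scope is false a project
    admin also passes (the legacy admin-ness behaviour the message preserves)."""
    if ctx.system_scope and ctx.roles & {"reader", "member", "admin"}:
        return
    if ctx.user_id == cred["user_id"]:
        return
    if not ctx.enforce_scope and "admin" in ctx.roles:
        return
    raise Forbidden(cred["id"])


def list_credentials_unfiltered(ctx):
    """Pre-fix shape: the list policy passed, nothing filtered the rows."""
    return list(CREDENTIALS)


def list_credentials_filtered(ctx):
    """Post-fix shape: one get check per row, which is the O(n) policy
    evaluation cost the commit message warns about."""
    visible = []
    for cred in CREDENTIALS:
        try:
            enforce_get_credential(ctx, cred)
        except Forbidden:
            continue
        visible.append(cred)
    return visible
```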