Self-service policies for credential APIs are broken in stable/rocky
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | High | Guang Yee |
Rocky | Fix Released | High | Guang Yee |
Bug Description
Self-service policies for credential APIs are broken in stable/rocky. More specifically, Get/Update/Delete no longer work with the following policies.
"identity:
"identity:
"identity:
This used to work in Pike and Queens because we pass the entity to policy enforcement via get_member_
https:/
However, in stable/rocky we no longer pass the entity as part of the target.
https:/
Therefore, any policy rule which has target.credential.* no longer works.
Stein seems to be working again as the problem was fixed as part of https:/
We'll need to fix stable/rocky by conveying the credential entity to the target again.
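The failure mode described above, as an added illustration that is not keystone's or oslo.policy's code: a minimal stand-in for a `kind:%(key)s` style check evaluated with and without the credential entity in the target. The rule string, the sample credential, the user names and the helper names (`flatten`, `generic_check`, `enforce_with_entity`, `enforce_without_entity`) are constructed for this example.

```python
# Added illustration: a minimal stand-in for an oslo.policy-style
# "kind:%(key)s" check. Not keystone or oslo.policy code.

def flatten(d, parent=""):
    """Flatten nested dicts into dotted keys, e.g. target.credential.user_id."""
    out = {}
    for key, value in d.items():
        dotted = f"{parent}.{key}" if parent else key
        if isinstance(value, dict):
            out.update(flatten(value, dotted))
        else:
            out[dotted] = value
    return out


def generic_check(rule, target, creds):
    """Evaluate 'kind:match'; match is %-interpolated from the flat target.

    A key missing from the target fails closed (returns False).
    """
    kind, match = rule.split(":", 1)
    try:
        expected = match % flatten(target)
    except KeyError:
        return False
    return str(creds.get(kind)) == expected


# Constructed rule and sample data (assumptions, not taken from the bug).
OWNER_RULE = "user_id:%(target.credential.user_id)s"
CREDENTIAL = {"id": "cred-1", "user_id": "alice", "type": "ec2"}


def enforce_with_entity(creds):
    # The looked-up credential is conveyed to enforcement in the target.
    return generic_check(OWNER_RULE, {"target": {"credential": CREDENTIAL}}, creds)


def enforce_without_entity(creds):
    # Only the request's identifier is in the target; no entity.
    return generic_check(OWNER_RULE, {"credential_id": CREDENTIAL["id"]}, creds)


if __name__ == "__main__":
    for user in ("alice", "bob"):
        creds = {"user_id": user}
        print(user, enforce_with_entity(creds), enforce_without_entity(creds))
```

Without the entity the rule cannot be interpolated, so this check denies every caller, including the credential's owner.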
Changed in keystone:
status: New → Triaged
importance: Undecided → High
summary:
- Self-service policies for credential APIs are boken in stable/rocky
+ Self-service policies for credential APIs are broken in stable/rocky
Changed in keystone:
status: Triaged → Fix Committed
assignee: nobody → Guang Yee (guang-yee)
Changed in keystone:
status: Fix Committed → Fix Released
Fix proposed to branch: stable/rocky (review.openstack.org/637341)
Review: https:/