This might be serious for someone. Before this change, get_identity_provider method was protected only by "default" rule, and "get_identity_providers" rule in policy json was protecting nothing (because no such method exist in keystone. If some operator relied on changing the "get_identity_providers" rule, or on changing the "default" rule, they might be affected.
Luckily, it is hard to find out id of an identity provider. Getting an identity provider by an unprivileged user probably doesn't give out any useful info.
Fixing this bug will probably not break anybody; if it will, they probably have security vulnerability in their system.
This might be serious for someone. Before this change, get_identity_ provider method was protected only by "default" rule, and "get_identity_ providers" rule in policy json was protecting nothing (because no such method exist in keystone. If some operator relied on changing the "get_identity_ providers" rule, or on changing the "default" rule, they might be affected.
Luckily, it is hard to find out id of an identity provider. Getting an identity provider by an unprivileged user probably doesn't give out any useful info.
Fixing this bug will probably not break anybody; if it will, they probably have security vulnerability in their system.