To recap the conversation and summarize what was discussed in IRC [0].
There is a security issue if a deployer modifies the default policy role required for an operation but wishes to keep the identity:get_identity_providers protected at the "admin-level". This was deemed as unlikely since the default and get_identity_provider were protected with the same admin_required rule.
For the sake of process, we can merge the proposed fix [1] with a detailed release note explaining the case. After that we can propose the patch to stable/ocata as well as stable/newton. Even though a deployer can technically issue this fix without a new release, the process of issuing a release note seems valuable at least for the sake of process.
[0] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2017-07-11.log.html#t2017-07-11T21:26:46
[1] https://review.openstack.org/#/c/482142/