Public bug reported:

Keystone's policy.json defines rules to govern granting of roles into Keystone:

    "identity:check_grant": "rule:admin_required",
    "identity:list_grants": "rule:admin_required",
    "identity:create_grant": "rule:admin_required",
    "identity:revoke_grant": "rule:admin_required",

While our default policy.json, today, enforces only "admin_required", when
changing the policy to enforce another rule, I found a hard-coded check on
all grant functions in Keystone's assignment module, as follows:

/keystone/keystone/assignment/controllers.py, lines 198, 211, 217, 230, 235,
246, 265, 286, 313 and 336:

    self.assert_admin(context)

This function (keystone/keystone/common/wsgi.py line 256) tries to identify
if "is_admin" is in the context and, if not, enforces the rule
"admin_required" anyway. In sum, the code is ignoring the policy rule.

** Affects: keystone
     Importance: Undecided
         Status: New

** Description changed:

  Keystone's policy.json define rules to govern granting of roles into Keystone:
- "identity:check_grant": "rule:admin_required",
- "identity:list_grants": "rule:admin_required",
- "identity:create_grant": "rule:admin_required",
- "identity:revoke_grant": "rule:admin_required",
+ "identity:check_grant": "rule:admin_required",
+ "identity:list_grants": "rule:admin_required",
+ "identity:create_grant": "rule:admin_required",
+ "identity:revoke_grant": "rule:admin_required",
  While our default policy.json, today, enforces only "admin_required", when changing the policy to enforce another rule, I found a hard-coded check on all grant functions on Keystone's assignment module as follows:
  /keystone/keystone/assignment/controllers.py, lines 198, 211, 217, 230, 235, 246, 265, 286, 313 and 336:
- self.assert_admin(context)
+ self.assert_admin(context)
- This function (line 256) tries to identify if "is_admin" is in the
- context and, if not, enforces the rule "admin_required" anyway. In sum,
- the code is ignoring the policy rule.
+ This function (keystone/keystone/common/wsgi.py line 256) tries to
+ identify if "is_admin" is in the context and, if not, enforces the rule
+ "admin_required" anyway. In sum, the code is ignoring the policy rule.

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1329385

Title:
  Keystone doesn't respect policy rules for "grants"

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1329385/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
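The behaviour the report describes, modelled as an added Python example that is not Keystone's code: a small policy table in the shape of policy.json, a check()/enforce() pair standing in for the policy engine, and two versions of a create_grant controller. The buggy version calls an assert_admin()-style check first (hard-coded "admin_required" unless "is_admin" is set in the context); the fixed version lets only the action's own policy rule decide. The toy rule language, the "domain_admin" role, the request contexts and the customised rule are all constructed assumptions; the real "admin_required" rule and the real Keystone enforcer are not reproduced.

```python
"""Constructed mini-model of the report: a hard-coded admin check that
ignores whatever rule the operator mapped the grant action to.

Added example, not Keystone's code.  Only the action names and the rule
name "admin_required" come from the report; everything else is assumed.
"""


class PolicyNotAuthorized(Exception):
    """Raised when a rule evaluates to False (stands in for the real error)."""


# Constructed policy table.  The default maps every grant action to
# rule:admin_required, as in the report.  The operator's customised table
# (assumed) additionally lets holders of a "domain_admin" role create grants.
DEFAULT_POLICY = {
    "admin_required": "role:admin",            # assumed definition
    "identity:create_grant": "rule:admin_required",
    "identity:revoke_grant": "rule:admin_required",
}
CUSTOM_POLICY = dict(DEFAULT_POLICY)
CUSTOM_POLICY["identity:create_grant"] = "rule:admin_required or role:domain_admin"


def check(rule, creds, policy):
    """Toy rule language: 'role:X', 'rule:Y' (indirection), and top-level 'or'."""
    for alt in rule.split(" or "):
        kind, _, value = alt.strip().partition(":")
        if kind == "role" and value in creds.get("roles", ()):
            return True
        if kind == "rule" and check(policy[value], creds, policy):
            return True
    return False                                # unknown kinds are denied


def enforce(action, creds, policy):
    """Policy-driven enforcement: look the action up and evaluate its rule."""
    if not check(policy[action], creds, policy):
        raise PolicyNotAuthorized(action)


def assert_admin(context, policy):
    """Models the hard-coded check the report describes: unless the context
    is flagged is_admin, enforce 'admin_required' regardless of which rule
    the grant action is actually mapped to."""
    if not context.get("is_admin"):
        enforce("admin_required", context["creds"], policy)


def create_grant_buggy(context, policy):
    assert_admin(context, policy)               # short-circuits on admin_required
    enforce("identity:create_grant", context["creds"], policy)
    return "granted"


def create_grant_fixed(context, policy):
    enforce("identity:create_grant", context["creds"], policy)  # rule decides
    return "granted"


def try_call(fn, context, policy):
    try:
        return fn(context, policy)
    except PolicyNotAuthorized:
        return "denied"


def compare(context, policy):
    """Return (buggy outcome, fixed outcome) for one request context."""
    return (try_call(create_grant_buggy, context, policy),
            try_call(create_grant_fixed, context, policy))


# Constructed request contexts; none carries the is_admin flag.
DOMAIN_ADMIN_CTX = {"is_admin": False, "creds": {"roles": ["domain_admin"]}}
CLOUD_ADMIN_CTX = {"is_admin": False, "creds": {"roles": ["admin"]}}
MEMBER_CTX = {"is_admin": False, "creds": {"roles": ["member"]}}


if __name__ == "__main__":
    # Under the customised policy the domain admin should be allowed, but the
    # buggy controller still denies because assert_admin() runs first.
    print(compare(DOMAIN_ADMIN_CTX, CUSTOM_POLICY))   # ('denied', 'granted')
    print(compare(CLOUD_ADMIN_CTX, CUSTOM_POLICY))    # ('granted', 'granted')
    print(compare(MEMBER_CTX, CUSTOM_POLICY))         # ('denied', 'denied')
```

The point of the comparison is the first line of output: with the default policy the two controllers agree, so the hard-coded check is invisible; it only surfaces once an operator maps a grant action to a rule other than admin_required, which is exactly the situation in which policy.json is supposed to be authoritative.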