The policy rules you're looking at apply to the v3 API, but the calls to assert_admin() you've cited are part of the v2 API. The v3 API supports fairly granular policy enforcement, but the v2 API is generally binary (you're either "admin" or not, and all that policy does is define what "admin" means).
** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1329385

Title:
  Keystone doesn't respect policy rules for "grants"

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  Keystone's policy.json defines rules to govern granting of roles in Keystone:

      "identity:check_grant": "rule:admin_required",
      "identity:list_grants": "rule:admin_required",
      "identity:create_grant": "rule:admin_required",
      "identity:revoke_grant": "rule:admin_required",

  While our default policy.json, today, enforces only "admin_required", when
  changing the policy to enforce another rule, I found a hard-coded check on
  all grant functions in Keystone's assignment module as follows:

  /keystone/keystone/assignment/controllers.py, lines 198, 211, 217, 230,
  235, 246, 265, 286, 313 and 336:

      self.assert_admin(context)

  This function (keystone/keystone/common/wsgi.py line 256) tries to identify
  if "is_admin" is in the context and, if not, enforces the rule
  "admin_required" anyway. In sum, the code is ignoring the policy rule.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1329385/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
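The mismatch the report describes, a per-action policy rule that is never consulted because the controller calls a hard-coded admin check first, is easy to see in a small model. The following is an added example written for this page, not Keystone's code: the policy dictionaries, the toy rule evaluator (supporting only "role:", "rule:" and "or"), the "role_admin" role and the function names are all constructed here to mirror the shape of policy.json and of the assert_admin(context) behaviour quoted above, not Keystone's real implementation.

```python
"""Constructed model of the bug: a policy.json-style rule set, a per-action
enforcer, and a hard-coded "admin or nothing" check that ignores the rule."""

# Constructed sample policies. DEFAULT_POLICY mirrors the grant rules quoted in
# the bug; CUSTOM_POLICY is what an operator might write to delegate grant
# creation to a hypothetical "role_admin" role without making it full admin.
DEFAULT_POLICY = {
    "admin_required": "role:admin",
    "identity:check_grant": "rule:admin_required",
    "identity:list_grants": "rule:admin_required",
    "identity:create_grant": "rule:admin_required",
    "identity:revoke_grant": "rule:admin_required",
}

CUSTOM_POLICY = dict(DEFAULT_POLICY)
CUSTOM_POLICY["identity:create_grant"] = "rule:admin_required or role:role_admin"


class PolicyNotAuthorized(Exception):
    """Raised when a rule evaluates to False for the caller's credentials."""


def evaluate(rule_text, policy, creds):
    """Evaluate a tiny subset of policy.json syntax: 'role:X', 'rule:Y',
    and 'A or B'. Anything else is rejected rather than silently allowed."""
    if " or " in rule_text:
        return any(evaluate(part.strip(), policy, creds)
                   for part in rule_text.split(" or "))
    kind, _, value = rule_text.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        return evaluate(policy[value], policy, creds)
    raise ValueError(f"unsupported rule syntax: {rule_text!r}")


def enforce(action, policy, creds):
    """Policy-driven check: look up the rule for this specific action."""
    if not evaluate(policy[action], policy, creds):
        raise PolicyNotAuthorized(action)


def assert_admin_hardcoded(context, policy):
    """Model of the hard-coded check described in the bug: if the context is
    not flagged is_admin, enforce 'admin_required' regardless of which action
    is being performed. The per-action rule is never consulted."""
    if not context.get("is_admin"):
        if not evaluate(policy["admin_required"], policy, context["creds"]):
            raise PolicyNotAuthorized("admin_required")


def create_grant_hardcoded(context, policy):
    """Grant handler in the style the bug reports: hard-coded admin gate."""
    assert_admin_hardcoded(context, policy)
    return "granted"


def create_grant_policy_driven(context, policy):
    """Grant handler that honours the operator's rule for this action."""
    enforce("identity:create_grant", policy, context["creds"])
    return "granted"


def compare(context, policy):
    """Run both handlers on the same caller and return
    (hardcoded_result, policy_result), each 'granted' or 'denied'."""
    results = []
    for handler in (create_grant_hardcoded, create_grant_policy_driven):
        try:
            results.append(handler(context, policy))
        except PolicyNotAuthorized:
            results.append("denied")
    return tuple(results)


if __name__ == "__main__":
    # Constructed caller: holds the delegated role but is not an admin.
    delegate = {"is_admin": False, "creds": {"roles": ["role_admin"]}}
    print(compare(delegate, DEFAULT_POLICY))  # ('denied', 'denied')
    print(compare(delegate, CUSTOM_POLICY))   # ('denied', 'granted')
```

With the default policy both handlers agree, which is why the hard-coded check goes unnoticed until an operator edits the rule. Once "identity:create_grant" is loosened, only the policy-driven handler reflects the change; the hard-coded one still answers the question "is this caller an admin?" instead of "does the configured rule for this action allow this caller?". The same model also shows the reverse risk of such checks: a policy tightened beyond admin_required would not be enforced either, since the per-action rule is simply never read.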