Browse Source

Remove system EC2 credentials from policy.v3cloudsample.json

By relying on system-scope and default roles, these policies are now
obsolete.

Change-Id: Ie6be658a8e4dd028834a3fee956689f9513a37e9
Partial-Bug: #1806762
Closes-Bug: #1750678
changes/62/681162/7
Vishakha Agarwal 2 years ago
parent
commit
6435017c24
  1. 3
      etc/policy.v3cloudsample.json
  2. 2
      keystone/tests/unit/test_policy.py
  3. 36
      releasenotes/notes/bug-1750678-88a38851ca80fc64.yaml

3
etc/policy.v3cloudsample.json

@ -16,9 +16,6 @@
"identity:get_project_tag": "rule:admin_required",
"identity:list_project_tags": "rule:admin_required",
"identity:ec2_list_credentials": "rule:admin_required or rule:owner",
"identity:ec2_create_credential": "rule:admin_required or rule:owner",
"domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s",
"get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role",
"domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s",

2
keystone/tests/unit/test_policy.py

@ -248,8 +248,10 @@ class PolicyJsonTestCase(unit.TestCase):
'identity:delete_service_provider',
'identity:delete_trust',
'identity:delete_user',
'identity:ec2_create_credential',
'identity:ec2_delete_credential',
'identity:ec2_get_credential',
'identity:ec2_list_credentials',
'identity:get_access_rule',
'identity:get_access_token',
'identity:get_access_token_role',

36
releasenotes/notes/bug-1750678-88a38851ca80fc64.yaml

@ -0,0 +1,36 @@
---
features:
- |
[`bug 1750678 <https://bugs.launchpad.net/keystone/+bug/1750678>`_]
The EC2 credentials API now supports the ``admin``,
``member``, and ``reader`` default roles.
upgrade:
- |
[`bug 1750678 <https://bugs.launchpad.net/keystone/+bug/1750678>`_]
The EC2 credentials API uses new default policies to
make it more accessible to end users and administrators in a secure way.
Please consider these new defaults if your deployment overrides EC2
credentials consumer policies.
deprecations:
- |
[`bug 1750678 <https://bugs.launchpad.net/keystone/+bug/1750678>`_]
The EC2 credentials policies have been deprecated. The
``identity:ec2_get_credentials`` now use ``(role:reader and system_scope:all)
or user_id:%(target.credential.user_id)s`` instead of
``rule:admin_required``and ``identity:ec2_list_credentials`` policies now use
``role:reader and system_scope:all or rule:owner`` instead of
``rule:admin_required``. The ``identity:ec2_delete_credentials`` now use
``(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s``
instead of ``rule:admin_required``and ``identity:ec2_create_credentials``
policies now use ``role:admin and system_scope:all or rule:owner`` instead of
``rule:admin_required``.
These new defaults automatically account for system-scope and support
a read-only role, making it easier for system administrators to delegate
subsets of responsibility without compromising security. Please consider
these new defaults if your deployment overrides the EC2 credentials policies.
security:
- |
[`bug 1750678 <https://bugs.launchpad.net/keystone/+bug/1750678>`_]
The EC2 credentials API now uses system-scope and default
roles to provide better accessibility to users in a secure manner.
Loading…
Cancel
Save