From 6435017c242d759ec18dac30d667f0e196e49f38 Mon Sep 17 00:00:00 2001 From: Vishakha Agarwal Date: Tue, 10 Sep 2019 11:57:13 +0530 Subject: [PATCH] Remove system EC2 credentials from policy.v3cloudsample.json By relying on system-scope and default roles, these policies are now obsolete. Change-Id: Ie6be658a8e4dd028834a3fee956689f9513a37e9 Partial-Bug: #1806762 Closes-Bug: #1750678 --- etc/policy.v3cloudsample.json | 3 -- keystone/tests/unit/test_policy.py | 2 ++ .../notes/bug-1750678-88a38851ca80fc64.yaml | 36 +++++++++++++++++++ 3 files changed, 38 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/bug-1750678-88a38851ca80fc64.yaml diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json index 8487a34a47..df060863ad 100644 --- a/etc/policy.v3cloudsample.json +++ b/etc/policy.v3cloudsample.json @@ -16,9 +16,6 @@ "identity:get_project_tag": "rule:admin_required", "identity:list_project_tags": "rule:admin_required", - "identity:ec2_list_credentials": "rule:admin_required or rule:owner", - "identity:ec2_create_credential": "rule:admin_required or rule:owner", - "domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s", "get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role", "domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s", diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py index 67df10ecf3..481973640a 100644 --- a/keystone/tests/unit/test_policy.py +++ b/keystone/tests/unit/test_policy.py @@ -248,8 +248,10 @@ class PolicyJsonTestCase(unit.TestCase): 'identity:delete_service_provider', 'identity:delete_trust', 'identity:delete_user', + 'identity:ec2_create_credential', 'identity:ec2_delete_credential', 'identity:ec2_get_credential', + 'identity:ec2_list_credentials', 'identity:get_access_rule', 'identity:get_access_token', 'identity:get_access_token_role', diff --git a/releasenotes/notes/bug-1750678-88a38851ca80fc64.yaml b/releasenotes/notes/bug-1750678-88a38851ca80fc64.yaml new file mode 100644 index 0000000000..2c45856c6d --- /dev/null +++ b/releasenotes/notes/bug-1750678-88a38851ca80fc64.yaml @@ -0,0 +1,36 @@ +--- +features: + - | + [`bug 1750678 `_] + The EC2 credentials API now supports the ``admin``, + ``member``, and ``reader`` default roles. + +upgrade: + - | + [`bug 1750678 `_] + The EC2 credentials API uses new default policies to + make it more accessible to end users and administrators in a secure way. + Please consider these new defaults if your deployment overrides EC2 + credentials consumer policies. +deprecations: + - | + [`bug 1750678 `_] + The EC2 credentials policies have been deprecated. The + ``identity:ec2_get_credentials`` now use ``(role:reader and system_scope:all) + or user_id:%(target.credential.user_id)s`` instead of + ``rule:admin_required``and ``identity:ec2_list_credentials`` policies now use + ``role:reader and system_scope:all or rule:owner`` instead of + ``rule:admin_required``. The ``identity:ec2_delete_credentials`` now use + ``(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s`` + instead of ``rule:admin_required``and ``identity:ec2_create_credentials`` + policies now use ``role:admin and system_scope:all or rule:owner`` instead of + ``rule:admin_required``. + These new defaults automatically account for system-scope and support + a read-only role, making it easier for system administrators to delegate + subsets of responsibility without compromising security. Please consider + these new defaults if your deployment overrides the EC2 credentials policies. +security: + - | + [`bug 1750678 `_] + The EC2 credentials API now uses system-scope and default + roles to provide better accessibility to users in a secure manner.