From 93b8b59e00d087f7029927453ec95cae70379b44 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Wed, 6 Dec 2017 21:00:08 +0000
Subject: [PATCH] Document scope_types for ec2 policies

The ec2 poicies are tricky because they require keystone to be smarter about the scope of the token used when accessing those APIs. Until keystone supports those policy checks in code, we will leave these commented and track the work in a bug.

Change-Id: I180cd5425144e4410857f3f7811568502cd57abf
---
 keystone/common/policies/ec2_credential.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/keystone/common/policies/ec2_credential.py b/keystone/common/policies/ec2_credential.py
index c3a7c2deca..d417ab1e2c 100644
--- a/keystone/common/policies/ec2_credential.py
+++ b/keystone/common/policies/ec2_credential.py
@@ -18,6 +18,17 @@ ec2_credential_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'ec2_get_credential',
 check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER,
+ # FIXME(lbragstad): System administrator should be able to manage all
+ # ec2 credentials. Users with a system role assignment should be able
+ # to manage only ec2 credentials keystone can assert belongs to them.
+ # This is going to require keystone to have "scope" checks in code to
+ # ensure this is enforced properly. Until keystone has support for
+ # those cases in code, we're going to have to comment this out. This
+ # would be a good candidate for a user-scoped operation. If we provide
+ # scope_types in these policies without proper scope checks in code we
+ # could expose credentials to users who are not supposed to access
+ # them.
+ # scope_types=['system', 'project'],
 description='Show ec2 credential details.',
 operations=[{'path': ('/v3/users/{user_id}/credentials/OS-EC2/'
 '{credential_id}'),
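Review bot: The FIXME on ec2_get_credential says the missing scope checks will be tracked in a bug (the commit message says so too), but neither the comment nor the commented-out `# scope_types=['system', 'project'],` line names it, so the next maintainer has no way to find the tracking item or know when it is safe to uncomment. Adding one line such as `# Tracked in bug <BUG_ID> — uncomment scope_types once scope checks exist in code.` (with the real bug reference) makes the deferral auditable. It would also help to state explicitly that, until then, `check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER` remains the only enforcement on this API, since the comment's own reasoning is that declaring scope_types without in-code checks could expose credentials to the wrong users. The enclosing ec2_credential_policies list continues outside this hunk, and the same tracking reference applies to the FIXMEs in the second hunk.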
@@ -25,18 +36,26 @@ ec2_credential_policies = [
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'ec2_list_credentials',
 check_str=base.RULE_ADMIN_OR_OWNER,
+ # FIXME(lbragstad): See the above comment as to why scope_types is
+ # commented out.
+ # scope_types=['system', 'project'],
 description='List ec2 credentials.',
 operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
 'method': 'GET'}]),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'ec2_create_credential',
 check_str=base.RULE_ADMIN_OR_OWNER,
+ # FIXME(lbragstad): See the above comment as to why scope_types is
+ # commented out.
 description='Create ec2 credential.',
 operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
 'method': 'POST'}]),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'ec2_delete_credential',
 check_str=base.RULE_ADMIN_OR_CREDENTIAL_OWNER,
+ # FIXME(lbragstad): See the above comment as to why scope_types is
+ # commented out.
+ # scope_types=['system', 'project'],
 description='Delete ec2 credential.',
 operations=[{'path': ('/v3/users/{user_id}/credentials/OS-EC2/'
 '{credential_id}'),
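Review bot: The ec2_create_credential rule gets the "See the above comment as to why scope_types is commented out" FIXME but, unlike ec2_list_credentials and ec2_delete_credential in this hunk (and ec2_get_credential in the previous one), no commented-out `# scope_types=['system', 'project'],` line follows it, so the comment refers to something that is not there. Either add the same placeholder line after the FIXME so all four ec2 policies document the intended scopes consistently, or, if create is deliberately expected to get a different scope_types value, say so in the comment instead of pointing at the generic explanation. This matters for the later uncommenting step: a reviewer walking the file to enable scope enforcement will otherwise miss the create rule. The enclosing ec2_credential_policies list continues past this hunk.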