d4a890a6c8
Currently any user can list revocation events, this data contains IDs for users and projects. It should not be made available to any user that is able to authenticate, it should be an admin only API call. Change-Id: I4290163c67c84ef0e1a2f6ee967ddf2acb2c3212 Closes-Bug: 1649446
20 lines
732 B
YAML
20 lines
732 B
YAML
---
|
|
fixes:
|
|
- |
|
|
[`Bug 1649446 <https://bugs.launchpad.net/keystone/+bug/1651989>`_]
|
|
The default policy for listing revocation events has changed. Previously,
|
|
any authenticated user could list revocation events; it is now, by default,
|
|
an admin or service user only function. This can be changed by modifying
|
|
the policy file being used by keystone.
|
|
upgrade:
|
|
- |
|
|
[`Related to Bug 1649446 <https://bugs.launchpad.net/keystone/+bug/1649446>`_]
|
|
The ``identity:list_revoke_events`` rule has been changed in both sample
|
|
policy files, ``policy.json`` and ``policy.v3cloudsample.json``. From::
|
|
|
|
"identity:list_revoke_events": ""
|
|
|
|
To::
|
|
|
|
"identity:list_revoke_events": "rule:service_or_admin"
|