keystone/releasenotes
Colleen Murphy 17947516b0 Fix credential list for project members
Without this patch, project members and readers can list any credentials
with the /v3/credentials API when enforce_scope is false. enforce_scope
is only applicable to project admins due to the admin-ness problem[1],
and this policy is not meant to allow project admins any access to users'
credentials (only system admins should be able to access them). However,
when enforce_scope is false, we need to preserve the old behavior of
project admins being able to list all credentials. This change mitigates
the problem by running the identity:get_credential policy check to
filter out credentials the user does not have access to. This will
impact performance.

Closes-bug: #1855080

[1] https://bugs.launchpad.net/keystone/+bug/968696

Change-Id: I5dd85a6b8368373a27aef2942a64499d020662ef
(cherry picked from commit 17c337dbdb)
(cherry picked from commit bd3f637871)
2019-12-06 14:25:23 -08:00
notes Fix credential list for project members 2019-12-06 14:25:23 -08:00
source Merge "Update reno for stable/rocky" 2018-08-10 06:47:06 +00:00