keystone

History

Guang Yee 52da4d0e12 implement system scope for application credential Implement system scopes, namely 'admin', 'reader', and 'member' for the application credential API. Thus, making it consistent with other system-scoped policy definitions. For the application credential API, the follow policies will be enforced: - system admin can fetch, list, lookup, and delete user's application credentials. - system member and reader can only fetch, list, and lookup user's application credentials. Deleting a user's application credential other their own is strictly prohibitted. - domain and project admins can no longer touch user's application credentials other their own. - domain and project readers cannot touch user's application credentials other their own. - domain and project members cannot touch user's application credentials other their own. - create an application credential can only be done by the owner. No one else can create an application credential on behalf of another user. Test cases are added to guard the above policy changes. Change-Id: I26ee11571b6d0f700a5fe3a62ad2e8fc7f5316fe Closes-Bug: 1818725 Closes-Bug: 1750615	2019-07-19 17:53:16 -07:00
..
notes	implement system scope for application credential	2019-07-19 17:53:16 -07:00
source	Ignore Stein-specific release notes	2019-04-05 07:20:32 -07:00

Guang Yee 52da4d0e12 implement system scope for application credential

Implement system scopes, namely 'admin', 'reader', and 'member' for
the application credential API. Thus, making it consistent with other
system-scoped policy definitions.

For the application credential API, the follow policies will be enforced:

- system admin can fetch, list, lookup, and delete user's application
  credentials.
- system member and reader can only fetch, list, and lookup user's application
  credentials. Deleting a user's application credential other their own is
  strictly prohibitted.
- domain and project admins can no longer touch user's application credentials
  other their own.
- domain and project readers cannot touch user's application credentials
  other their own.
- domain and project members cannot touch user's application credentials
  other their own.
- create an application credential can only be done by the owner. No one else
  can create an application credential on behalf of another user.

Test cases are added to guard the above policy changes.

Change-Id: I26ee11571b6d0f700a5fe3a62ad2e8fc7f5316fe
Closes-Bug: 1818725
Closes-Bug: 1750615

2019-07-19 17:53:16 -07:00

notes

implement system scope for application credential

2019-07-19 17:53:16 -07:00

source

Ignore Stein-specific release notes

2019-04-05 07:20:32 -07:00