keystone/keystone/api
Colleen Murphy bd3f637871 Fix credential list for project members
Without this patch, project members and readers can list any credentials
with the /v3/credentials API when enforce_scope is false. enforce_scope
is only applicable to project admins due to the admin-ness problem[1],
and this policy is not meant to allow project admins any access to users'
credentials (only system admins should be able to access them). However,
when enforce_scope is false, we need to preserve the old behavior of
project admins being able to list all credentials. This change mitigates
the problem by running the identity:get_credential policy check to
filter out credentials the user does not have access to. This will
impact performance.

Closes-bug: #1855080

[1] https://bugs.launchpad.net/keystone/+bug/968696

Change-Id: I5dd85a6b8368373a27aef2942a64499d020662ef
(cherry picked from commit 17c337dbdb)
2019-12-06 02:57:02 +00:00
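The filtering approach the commit message describes, shown as an added example that is not keystone's own code: a collection-level `identity:list_credentials` check is kept, and every row is then passed through `identity:get_credential` so that rows the caller may not read are dropped. The `Enforcer` rules, the `Context`/`Credential` types, the exception class and the sample credentials are simplified stand-ins chosen for this illustration, not the real policy file or data model.

```python
from dataclasses import dataclass


class ForbiddenAction(Exception):
    """Stand-in for the exception a policy enforcer raises on a failed check."""


@dataclass(frozen=True)
class Context:
    """Caller identity: who is asking, with which roles, in which scope."""
    user_id: str
    roles: frozenset
    system_scope: bool = False   # True for a system-scoped token


@dataclass(frozen=True)
class Credential:
    id: str
    user_id: str   # owner of the credential


class Enforcer:
    """Simplified policy rules (an assumption for this example, not keystone's).

    identity:list_credentials -> system admin; with enforce_scope=False the
                                 legacy rule lets any project-scoped user through.
    identity:get_credential   -> system admin or the credential's owner; with
                                 enforce_scope=False also a project admin.
    """

    def __init__(self, enforce_scope):
        self.enforce_scope = enforce_scope

    def enforce(self, action, ctx, target=None):
        is_system_admin = ctx.system_scope and "admin" in ctx.roles
        if action == "identity:list_credentials":
            # With scope not enforced, the collection check alone lets any
            # caller in: this is the over-broad listing the fix addresses.
            allowed = is_system_admin or not self.enforce_scope
        elif action == "identity:get_credential":
            allowed = is_system_admin or target.user_id == ctx.user_id
            if not self.enforce_scope:
                # Preserve the old behaviour of project admins seeing all rows.
                allowed = allowed or "admin" in ctx.roles
        else:
            allowed = False
        if not allowed:
            raise ForbiddenAction(action)


# Constructed sample data for the example.
CREDENTIALS = [
    Credential("c1", "alice"),
    Credential("c2", "bob"),
    Credential("c3", "carol"),
]


def list_credentials_unfiltered(enforcer, ctx, creds=CREDENTIALS):
    """Before the fix: one collection-level check, then every row is returned."""
    enforcer.enforce("identity:list_credentials", ctx)
    return [c.id for c in creds]


def list_credentials_filtered(enforcer, ctx, creds=CREDENTIALS):
    """After the fix: each row must also pass identity:get_credential.

    One policy evaluation per credential is the performance cost the commit
    message mentions.
    """
    enforcer.enforce("identity:list_credentials", ctx)
    visible = []
    for cred in creds:
        try:
            enforcer.enforce("identity:get_credential", ctx, target=cred)
        except ForbiddenAction:
            continue
        visible.append(cred.id)
    return visible


def listing_denied(enforcer, ctx, creds=CREDENTIALS):
    """True when the caller fails the collection-level check outright."""
    try:
        list_credentials_filtered(enforcer, ctx, creds)
    except ForbiddenAction:
        return True
    return False


if __name__ == "__main__":
    legacy = Enforcer(enforce_scope=False)
    member = Context("alice", frozenset({"member"}))
    print(list_credentials_unfiltered(legacy, member))  # every credential
    print(list_credentials_filtered(legacy, member))    # only alice's
```

With `enforce_scope=False` a plain project member still passes the collection check, so the per-item `identity:get_credential` filter is what actually limits the response to the caller's own credential; a project admin keeps the legacy full listing, and with `enforce_scope=True` only a system admin can list at all.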
_shared Replace 'tenant_id' with 'project_id' 2019-02-04 16:17:52 +01:00
__init__.py Revert "Add API for /v3/access_rules_config" 2019-05-28 08:38:39 -07:00
auth.py Merge "Add remote_id definition in _perform_auth" 2019-09-20 18:25:39 +00:00
credentials.py Fix credential list for project members 2019-12-06 02:57:02 +00:00
discovery.py Update API version for access rules 2019-09-14 03:14:45 -07:00
domains.py Allow an explicit_domain_id parameter when creating a domain 2019-04-09 16:29:52 +00:00
ec2tokens.py Make collection_key and member_key raise if unset 2018-10-12 11:18:41 -07:00
endpoints.py Convert auth to flask native dispatching 2018-10-09 23:23:03 -07:00
groups.py Add domain scope support for group policies 2019-03-27 17:15:00 +01:00
limits.py Allow domain users to access the limit API 2019-09-24 19:14:17 -07:00
os_ep_filter.py Allow to filter endpoint groups by name 2019-07-18 08:57:50 +02:00
os_federation.py Raise METHOD NOT ALLOWED instead of 500 error on protocol CRUD 2019-03-28 22:07:01 +00:00
os_inherit.py Add build_target argument to enforcer 2018-09-28 15:50:44 -05:00
os_oauth1.py Fix oauthlib update errors 2019-09-05 11:48:41 -07:00
os_revoke.py Move json_home "extension" rel functions 2018-08-16 20:49:01 +00:00
os_simple_cert.py Fix missing print format and missing ws between words 2019-08-06 08:29:34 +08:00
policy.py Convert policy API to flask 2018-08-31 07:14:32 +00:00
projects.py Add default roles and scope checking to project tags 2019-09-19 02:48:39 +00:00
regions.py Convert regions API to flask native dispatching 2018-08-13 20:05:57 +00:00
registered_limits.py Add hint back 2018-09-20 14:58:43 +08:00
role_assignments.py Fix validation of role assignment subtree list 2019-09-17 23:12:47 -07:00
role_inferences.py Convert role_inferences API to flask native dispatching 2018-08-13 20:06:35 +00:00
roles.py Merge "Add hint back" 2018-10-03 21:51:14 +00:00
s3tokens.py Convert S3 and EC2 auth to flask native dispatching 2018-10-11 15:27:46 -07:00
services.py Convert services api to flask native dispatching 2018-08-13 20:06:11 +00:00
system.py Add build_target argument to enforcer 2018-09-28 15:50:44 -05:00
trusts.py Add missing ws between words in log messages 2019-09-23 11:48:00 +08:00
users.py Merge "Clean up UserGroups target enforcement callback" 2019-09-24 18:33:36 +00:00