keystone/keystone/tests/protection
Colleen Murphy bd3f637871 Fix credential list for project members
Without this patch, project members and readers can list any credentials
with the /v3/credentials API when enforce_scope is false. enforce_scope
is only applicable to project admins due to the admin-ness problem[1],
and this policy is not meant to allow project admins any access to users'
credentials (only system admins should be able to access them). However,
when enforce_scope is false, we need to preserve the old behavior of
project admins being able to list all credentials. This change mitigates
the problem by running the identity:get_credential policy check to
filter out credentials the user does not have access to. This will
impact performance.

Closes-bug: #1855080

[1] https://bugs.launchpad.net/keystone/+bug/968696

Change-Id: I5dd85a6b8368373a27aef2942a64499d020662ef
(cherry picked from commit 17c337dbdb)
2019-12-06 02:57:02 +00:00
v3 Fix credential list for project members 2019-12-06 02:57:02 +00:00
__init__.py Split protection unit tests into its own job 2019-09-16 10:56:42 -07:00