keystone/releasenotes/notes/bug-1844461-08a8bdc5f613b88d.yaml
Colleen Murphy 05ea390c67 Allow system/domain scope for assignment tree list
The comment regarding the scope_types setting for
identity:list_role_assignments_for_tree was incorrect: the project ID
for this request comes from a query parameter, not the token context,
and therefore it makes sense to allow system users and domain users to
call this API to get information about a project they have access to.
This change updates the default policy for this API and adds tests for
it.

For project scope, the admin role is still required, as project members
and project readers are typically not allowed rights to view the project
hierarchy.

Change-Id: If246298092940884a7b90e47cc9ce2f30da3e9e5
Closes-bug: #1844461
2019-09-20 16:15:16 +00:00
---
features:
  - |
    [`bug 1844461 <https://bugs.launchpad.net/keystone/+bug/1844461>`_]
    Listing role assignments for a project subtree is now allowed by system
    readers and domain readers in addition to project admins.
upgrade:
  - |
    [`bug 1844461 <https://bugs.launchpad.net/keystone/+bug/1844461>`_]
    The ``identity:list_role_assignments_for_subtree`` policy now allows system
    and domain readers to list role assignments for a project subtree and
    deprecates the old ``rule:admin_required`` policy check string. Please
    consider the new policies if your deployment overrides role
    assignment policies.
deprecations:
  - |
    [`bug 1844461 <https://bugs.launchpad.net/keystone/+bug/1844461>`_]
    The role assignment ``identity:list_role_assignments_for_subtree`` policy
    now uses ``(role:reader and system_scope:all) or (role:reader and
    domain_id:%(target.project.domain_id)s) or (role:admin and
    project_id:%(target.project.id)s)`` instead of ``rule:admin_required``.
    This new default automatically includes support for a read-only role
    and allows for more granular access to the role assignment API. Please
    consider this new default if your deployment overrides the role
    assignment policies.
security:
  - |
    [`bug 1844461 <https://bugs.launchpad.net/keystone/+bug/1844461>`_]
    Listing role assignments for a project subtree now uses system-scope,
    domain-scope, project-scope, and default roles to provide better
    accessibility to users in a secure way.
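To see who the new default check string actually admits, the following added example evaluates it against a handful of constructed token contexts. It is not keystone or oslo.policy code: it is a minimal re-implementation of the check-string semantics the rule relies on (``and``/``or`` with parentheses, ``key:value`` generic checks, and ``%(target...)s`` substitution from the target dict). The old ``rule:admin_required`` is modelled as ``role:admin or is_admin:1``, which is an assumption made for the comparison, and the project and domain IDs are constructed sample values.

```python
"""Minimal evaluator for oslo.policy-style check strings (added example, not
keystone's or oslo.policy's own code) used to compare the old and new defaults
for identity:list_role_assignments_for_subtree."""
import re

# Check string quoted in the release note above.
NEW_DEFAULT = (
    "(role:reader and system_scope:all) or "
    "(role:reader and domain_id:%(target.project.domain_id)s) or "
    "(role:admin and project_id:%(target.project.id)s)"
)
# Assumption for this example: how the old rule:admin_required is modelled.
OLD_DEFAULT = "role:admin or is_admin:1"

# Tokens: "(", ")", or an atom; an atom may carry one "%(...)s" substitution.
_TOKEN = re.compile(r"\(|\)|[^\s()]+(?:\([^()]*\)s)?")
_SUBST = re.compile(r"%\((.+)\)s")


def _lookup(target, dotted):
    """Resolve 'target.project.domain_id' inside the target dict."""
    node = target
    for part in dotted.split("."):
        node = node[part]
    return node


def _check_atom(atom, creds, target):
    """Evaluate one 'key:value' check against the token context (creds)."""
    key, _, value = atom.partition(":")
    m = _SUBST.fullmatch(value)
    if m:  # substitute from the request target, e.g. the project's domain_id
        value = _lookup(target, m.group(1))
    if key == "role":
        return value in creds.get("roles", [])
    if key == "system_scope":
        return creds.get("system_scope") == value
    actual = creds.get(key)
    return actual is not None and str(actual) == str(value)


class _Parser:
    """Recursive-descent evaluator: or_expr := and_expr ('or' and_expr)*."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse_or(self, creds, target):
        result = self.parse_and(creds, target)
        while self.peek() == "or":
            self.take()
            rhs = self.parse_and(creds, target)  # evaluate fully, no short-circuit
            result = result or rhs
        return result

    def parse_and(self, creds, target):
        result = self.parse_primary(creds, target)
        while self.peek() == "and":
            self.take()
            rhs = self.parse_primary(creds, target)
            result = result and rhs
        return result

    def parse_primary(self, creds, target):
        tok = self.take()
        if tok == "(":
            result = self.parse_or(creds, target)
            if self.take() != ")":
                raise ValueError("unbalanced parentheses in check string")
            return result
        return _check_atom(tok, creds, target)


def enforce(rule, creds, target):
    """Return True if the token context described by creds passes the rule."""
    parser = _Parser(_TOKEN.findall(rule))
    result = parser.parse_or(creds, target)
    if parser.peek() is not None:
        raise ValueError("trailing tokens in check string")
    return result


# Constructed sample request: the project whose subtree is being listed.
TARGET = {"target": {"project": {"id": "p-1234", "domain_id": "d-5678"}}}

# Constructed token contexts for the personas the release note talks about.
PERSONAS = {
    "system reader": {"roles": ["reader"], "system_scope": "all"},
    "domain reader (same domain)": {"roles": ["reader"], "domain_id": "d-5678"},
    "domain reader (other domain)": {"roles": ["reader"], "domain_id": "d-0000"},
    "project admin": {"roles": ["admin"], "project_id": "p-1234"},
    "project member": {"roles": ["member"], "project_id": "p-1234"},
    "admin on another project": {"roles": ["admin"], "project_id": "p-9999"},
}


def decisions(rule, target=TARGET):
    """Map each persona to the rule's allow/deny decision for the target."""
    return {name: enforce(rule, creds, target) for name, creds in PERSONAS.items()}


if __name__ == "__main__":
    for name in PERSONAS:
        print(f"{name:30} old={decisions(OLD_DEFAULT)[name]!s:5} "
              f"new={decisions(NEW_DEFAULT)[name]}")
```

Two things stand out when the table is printed: system and domain readers gain read access only for projects in their own scope, and the ``project_id:%(target.project.id)s`` clause ties the admin branch to the project named in the query parameter, which the unscoped ``role:admin`` model of the old rule did not do. If a deployment overrides this policy, running its override through a real oslo.policy enforcer with the same kind of persona table is a quick way to confirm the intended scope boundaries still hold.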