openstack
/
openstack
Code Issues Proposed changes

Update git submodules 

* Update keystone from branch 'master'
  to 7dc175a41f92e3f01cf26912431d0f2c98a03b32
  - Normalize policy checks for domain-scoped tokens
    
    This patch fixes an inconsistency in the policies for role_assignment
    where the target object used for policy enforcement was being created
    with different properties depending on the request query string.
    
    This required policies to be written in two differnt ways to validate
    domain IDs for domain-scoped requests.  e.g. checking for domain reader
    was using both:
    
        role:reader and domain_id:%(target.domain_id)s
    
    and
    
        role:reader and domain_id:%(target.project.domain_id)s
    
    With the former only being populated for GET /v3/role_assignments and
    the latter only being populated for GET
    /v3/role_assignments?scope.project.id=SOME_ID
    
    This patch fixes the target object so that only target.domain_id needs
    to be checked for domain-scoped tokens.
    
    Change-Id: Iffbe11c57c61bbd1b045a6567a9249c12dff403c
This commit is contained in:
Douglas Mendizábal 2024-02-12 11:38:11 -06:00 committed by Gerrit Code Review
parent 18e8e80aaf
commit 3c5d1bf663
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
keystone

@ -1 +1 @@
Subproject commit db0ff104763b6da4d661bf0c5cc9814ea3f18fc8
Subproject commit 7dc175a41f92e3f01cf26912431d0f2c98a03b32