File 0001-Restrict-certain-APIs-to-cloud-admin-in-domain-aware.patch of Package openstack-keystone
From 8d429080ddc05451f981687594c8c903da0ff0b2 Mon Sep 17 00:00:00 2001
From: Nathan Kinder <nkinder@redhat.com>
Date: Wed, 15 Oct 2014 16:21:01 -0700
Subject: [PATCH 1/2] Restrict certain APIs to cloud admin in domain-aware
policy
Some of the APIs in the domain-aware policy file are currently
allowed by any "admin" user, when they should really be locked
down to the cloud admin. Without this, users who are a project
admin will be allowed to do things like manage regions, IdPs,
and other objects that they should not be allowed to touch.
Change-Id: Ifca8bc2fffd2d8c1bf02373d1fadd459a77f836c
Closes-bug: #1381809
(cherry picked from commit fdbad9f530ea4478d96437b021c9b5cc6d338901)
---
etc/policy.v3cloudsample.json | 40 ++++++++++++++++++++--------------------
1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index f746358..ced0c96 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -12,9 +12,9 @@
"identity:get_region": "",
"identity:list_regions": "",
- "identity:create_region": "rule:admin_or_cloud_admin",
- "identity:update_region": "rule:admin_or_cloud_admin",
- "identity:delete_region": "rule:admin_or_cloud_admin",
+ "identity:create_region": "rule:cloud_admin",
+ "identity:update_region": "rule:cloud_admin",
+ "identity:delete_region": "rule:cloud_admin",
"identity:get_service": "rule:admin_or_cloud_admin",
"identity:list_services": "rule:admin_or_cloud_admin",
@@ -143,23 +143,23 @@
"identity:add_endpoint_group_to_project": "rule:admin_required",
"identity:remove_endpoint_group_from_project": "rule:admin_required",
- "identity:create_identity_provider": "rule:admin_required",
- "identity:list_identity_providers": "rule:admin_required",
- "identity:get_identity_providers": "rule:admin_required",
- "identity:update_identity_provider": "rule:admin_required",
- "identity:delete_identity_provider": "rule:admin_required",
-
- "identity:create_protocol": "rule:admin_required",
- "identity:update_protocol": "rule:admin_required",
- "identity:get_protocol": "rule:admin_required",
- "identity:list_protocols": "rule:admin_required",
- "identity:delete_protocol": "rule:admin_required",
-
- "identity:create_mapping": "rule:admin_required",
- "identity:get_mapping": "rule:admin_required",
- "identity:list_mappings": "rule:admin_required",
- "identity:delete_mapping": "rule:admin_required",
- "identity:update_mapping": "rule:admin_required",
+ "identity:create_identity_provider": "rule:cloud_admin",
+ "identity:list_identity_providers": "rule:cloud_admin",
+ "identity:get_identity_providers": "rule:cloud_admin",
+ "identity:update_identity_provider": "rule:cloud_admin",
+ "identity:delete_identity_provider": "rule:cloud_admin",
+
+ "identity:create_protocol": "rule:cloud_admin",
+ "identity:update_protocol": "rule:cloud_admin",
+ "identity:get_protocol": "rule:cloud_admin",
+ "identity:list_protocols": "rule:cloud_admin",
+ "identity:delete_protocol": "rule:cloud_admin",
+
+ "identity:create_mapping": "rule:cloud_admin",
+ "identity:get_mapping": "rule:cloud_admin",
+ "identity:list_mappings": "rule:cloud_admin",
+ "identity:delete_mapping": "rule:cloud_admin",
+ "identity:update_mapping": "rule:cloud_admin",
"identity:get_auth_catalog": "",
"identity:get_auth_projects": "",
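Review bot: The two endpoint-group rules left as context at the top of this hunk, `identity:add_endpoint_group_to_project` and `identity:remove_endpoint_group_from_project`, still read `rule:admin_required`, which is exactly the rule this commit replaces for IdPs, protocols and mappings because it admits any holder of the admin role rather than only the cloud admin. If endpoint groups are meant to be cloud-admin-only like the other catalog objects, change those two lines to `"identity:add_endpoint_group_to_project": "rule:cloud_admin",` and `"identity:remove_endpoint_group_from_project": "rule:cloud_admin",`. The remaining endpoint-group rules and the definitions of `admin_required` and `cloud_admin` sit outside this hunk, so verify that `cloud_admin` is the stricter of the two in this file before widening the change. Since this is a sample policy file, deployments that copied an earlier version into their live policy.json get no protection from this fix until they re-apply it, which is worth stating in the release note.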
--
2.3.7