File 0001-Restrict-certain-APIs-to-cloud-admin-in-do... of Package openstack-keystone

Overview Repositories Revisions Requests Users Attributes Meta

File 0001-Restrict-certain-APIs-to-cloud-admin-in-domain-aware.patch of Package openstack-keystone

From 8d429080ddc05451f981687594c8c903da0ff0b2 Mon Sep 17 00:00:00 2001
From: Nathan Kinder <nkinder@redhat.com>
Date: Wed, 15 Oct 2014 16:21:01 -0700
Subject: [PATCH 1/2] Restrict certain APIs to cloud admin in domain-aware
 policy

Some of the APIs in the domain-aware policy file are currently
allowed by any "admin" user, when they should really be locked
down to the cloud admin.  Without this, users who are a project
admin will be allowed to do things like manage regions, IdPs,
and other objects that they should not be allowed to touch.

Change-Id: Ifca8bc2fffd2d8c1bf02373d1fadd459a77f836c
Closes-bug: #1381809
(cherry picked from commit fdbad9f530ea4478d96437b021c9b5cc6d338901)
---
 etc/policy.v3cloudsample.json | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index f746358..ced0c96 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -12,9 +12,9 @@
 
     "identity:get_region": "",
     "identity:list_regions": "",
-    "identity:create_region": "rule:admin_or_cloud_admin",
-    "identity:update_region": "rule:admin_or_cloud_admin",
-    "identity:delete_region": "rule:admin_or_cloud_admin",
+    "identity:create_region": "rule:cloud_admin",
+    "identity:update_region": "rule:cloud_admin",
+    "identity:delete_region": "rule:cloud_admin",
 
     "identity:get_service": "rule:admin_or_cloud_admin",
     "identity:list_services": "rule:admin_or_cloud_admin",
@@ -143,23 +143,23 @@
     "identity:add_endpoint_group_to_project": "rule:admin_required",
     "identity:remove_endpoint_group_from_project": "rule:admin_required",
 
-    "identity:create_identity_provider": "rule:admin_required",
-    "identity:list_identity_providers": "rule:admin_required",
-    "identity:get_identity_providers": "rule:admin_required",
-    "identity:update_identity_provider": "rule:admin_required",
-    "identity:delete_identity_provider": "rule:admin_required",
-
-    "identity:create_protocol": "rule:admin_required",
-    "identity:update_protocol": "rule:admin_required",
-    "identity:get_protocol": "rule:admin_required",
-    "identity:list_protocols": "rule:admin_required",
-    "identity:delete_protocol": "rule:admin_required",
-
-    "identity:create_mapping": "rule:admin_required",
-    "identity:get_mapping": "rule:admin_required",
-    "identity:list_mappings": "rule:admin_required",
-    "identity:delete_mapping": "rule:admin_required",
-    "identity:update_mapping": "rule:admin_required",
+    "identity:create_identity_provider": "rule:cloud_admin",
+    "identity:list_identity_providers": "rule:cloud_admin",
+    "identity:get_identity_providers": "rule:cloud_admin",
+    "identity:update_identity_provider": "rule:cloud_admin",
+    "identity:delete_identity_provider": "rule:cloud_admin",
+
+    "identity:create_protocol": "rule:cloud_admin",
+    "identity:update_protocol": "rule:cloud_admin",
+    "identity:get_protocol": "rule:cloud_admin",
+    "identity:list_protocols": "rule:cloud_admin",
+    "identity:delete_protocol": "rule:cloud_admin",
+
+    "identity:create_mapping": "rule:cloud_admin",
+    "identity:get_mapping": "rule:cloud_admin",
+    "identity:list_mappings": "rule:cloud_admin",
+    "identity:delete_mapping": "rule:cloud_admin",
+    "identity:update_mapping": "rule:cloud_admin",
 
     "identity:get_auth_catalog": "",
     "identity:get_auth_projects": "",
-- 
2.3.7

Places

File 0001-Restrict-certain-APIs-to-cloud-admin-in-domain-aware.patch of Package openstack-keystone

Places