Cloud:OpenStack:Juno:Staging
openstack-keystone
File 0001-Restrict-certain-APIs-to-cloud-admin-in-domain-aware.patch of Package openstack-keystone
From 8d429080ddc05451f981687594c8c903da0ff0b2 Mon Sep 17 00:00:00 2001 From: Nathan Kinder <nkinder@redhat.com> Date: Wed, 15 Oct 2014 16:21:01 -0700 Subject: [PATCH 1/2] Restrict certain APIs to cloud admin in domain-aware policy Some of the APIs in the domain-aware policy file are currently allowed by any "admin" user, when they should really be locked down to the cloud admin. Without this, users who are a project admin will be allowed to do things like manage regions, IdPs, and other objects that they should not be allowed to touch. Change-Id: Ifca8bc2fffd2d8c1bf02373d1fadd459a77f836c Closes-bug: #1381809 (cherry picked from commit fdbad9f530ea4478d96437b021c9b5cc6d338901) --- etc/policy.v3cloudsample.json | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json index f746358..ced0c96 100644 --- a/etc/policy.v3cloudsample.json +++ b/etc/policy.v3cloudsample.json @@ -12,9 +12,9 @@ "identity:get_region": "", "identity:list_regions": "", - "identity:create_region": "rule:admin_or_cloud_admin", - "identity:update_region": "rule:admin_or_cloud_admin", - "identity:delete_region": "rule:admin_or_cloud_admin", + "identity:create_region": "rule:cloud_admin", + "identity:update_region": "rule:cloud_admin", + "identity:delete_region": "rule:cloud_admin", "identity:get_service": "rule:admin_or_cloud_admin", "identity:list_services": "rule:admin_or_cloud_admin", 
@@ -143,23 +143,23 @@ "identity:add_endpoint_group_to_project": "rule:admin_required", "identity:remove_endpoint_group_from_project": "rule:admin_required", - "identity:create_identity_provider": "rule:admin_required", - "identity:list_identity_providers": "rule:admin_required", - "identity:get_identity_providers": "rule:admin_required", - "identity:update_identity_provider": "rule:admin_required", - "identity:delete_identity_provider": "rule:admin_required", - - "identity:create_protocol": "rule:admin_required", - "identity:update_protocol": "rule:admin_required", - "identity:get_protocol": "rule:admin_required", - "identity:list_protocols": "rule:admin_required", - "identity:delete_protocol": "rule:admin_required", - - "identity:create_mapping": "rule:admin_required", - "identity:get_mapping": "rule:admin_required", - "identity:list_mappings": "rule:admin_required", - "identity:delete_mapping": "rule:admin_required", - "identity:update_mapping": "rule:admin_required", + "identity:create_identity_provider": "rule:cloud_admin", + "identity:list_identity_providers": "rule:cloud_admin", + "identity:get_identity_providers": "rule:cloud_admin", + "identity:update_identity_provider": "rule:cloud_admin", + "identity:delete_identity_provider": "rule:cloud_admin", + + "identity:create_protocol": "rule:cloud_admin", + "identity:update_protocol": "rule:cloud_admin", + "identity:get_protocol": "rule:cloud_admin", + "identity:list_protocols": "rule:cloud_admin", + "identity:delete_protocol": "rule:cloud_admin", + + "identity:create_mapping": "rule:cloud_admin", + "identity:get_mapping": "rule:cloud_admin", + "identity:list_mappings": "rule:cloud_admin", + "identity:delete_mapping": "rule:cloud_admin", + "identity:update_mapping": "rule:cloud_admin", "identity:get_auth_catalog": "", "identity:get_auth_projects": "", -- 2.3.7
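Review bot: in the first hunk (`@@ -12,9 +12,9 @@`) the region write rules move to `rule:cloud_admin`, but the trailing context shows the catalog's service rules still at the looser setting (`"identity:get_service": "rule:admin_or_cloud_admin"`, `"identity:list_services": "rule:admin_or_cloud_admin"`). Regions and services are both cloud-wide catalog objects, so please state in the commit message whether the service rules are intentionally left at `rule:admin_or_cloud_admin` or are covered by the second patch of this series; as written, a project admin who can no longer create a region can apparently still read the service catalog with admin scope, which may be intended but is not explained.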
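Review bot: in the second hunk (`@@ -143,23 +143,23 @@`) the federation rules drop from `rule:admin_required` to `rule:cloud_admin` for reads as well as writes (`"identity:list_identity_providers": "rule:cloud_admin"`, `"identity:get_mapping": "rule:cloud_admin"`), whereas the region hunk leaves `identity:get_region` and `identity:list_regions` at `""`. Please confirm that removing read access to identity providers, protocols and mappings from domain and project admins is deliberate, and add an operator-facing note (release note or commit message) saying so, since this sample file is what deployers copy and the restriction lands silently on upgrade.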