Public bug reported:

The sample policy.json files included in Keystone have the trust API
operations listed. For example:

    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
    "identity:get_trust": "rule:admin_or_owner",
    "identity:list_trusts": "",
    "identity:list_roles_for_trust": "",
    "identity:check_role_for_trust": "",
    "identity:get_role_for_trust": "",
    "identity:delete_trust": "",

This implies that these trust operations are protected by policy, which is
true but misleading. While policy does protect these operations, the
controller code additionally hard-codes checks that are very restrictive.
Here are some examples from the controller code:

----------------------------------------------------------------------
    # Excerpt: these are methods of the trust controller class;
    # _admin_trustor_only and _trustor_trustee_only are helper functions
    # in the same module. Imports shown for context.
    from keystone import exception
    from keystone.common import controller

    @controller.protected()
    def delete_trust(self, context, trust_id):
        trust = self.trust_api.get_trust(trust_id)
        if not trust:
            raise exception.TrustNotFound(trust_id=trust_id)
        user_id = self._get_user_id(context)
        # Hard-coded: only an admin or the trustor may delete the trust,
        # regardless of what policy.json allowed above.
        _admin_trustor_only(context, trust, user_id)
        self.trust_api.delete_trust(trust_id)

    @controller.protected()
    def list_roles_for_trust(self, context, trust_id):
        trust = self.get_trust(context, trust_id)['trust']
        if not trust:
            raise exception.TrustNotFound(trust_id=trust_id)
        user_id = self._get_user_id(context)
        # Hard-coded: only the trustor or trustee may see the roles.
        _trustor_trustee_only(trust, user_id)
        return {'roles': trust['roles'], 'links': trust['roles_links']}
----------------------------------------------------------------------

In the trust controller code, the following restrictions are currently
hard-coded:

  create_trust         - trustor only
  get_trust            - trustor or trustee only
  list_trusts          - admin only to list all trusts, trustor or trustee
                         only for related trusts
  list_roles_for_trust - trustor or trustee only
  check_role_for_trust - trustor or trustee only
  get_role_for_trust   - trustor or trustee only (indirectly via
                         check_role_for_trust)
  delete_trust         - admin or trustor only

The policies in policy.json can make these operations more restricted,
but not less restricted than the hard-coded restrictions.
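A small added model (not Keystone's code) of the two enforcement layers described above: the policy.json rule is evaluated first, then the hard-coded trustor/trustee check, so an empty rule never lets an unrelated user through, while a stricter rule still denies even the trustee. The rule subset understood, the Forbidden exception, and the users alice/bob/carol are assumptions.

```python
# Added model, not Keystone code; all names and sample data are assumptions.
class Forbidden(Exception): pass   # stands in for the 403 either layer returns

def policy_allows(rule, creds, target):
    """Evaluate one policy.json rule string (tiny subset of the real engine)."""
    if rule == "":                               # empty rule: anyone
        return True
    if rule == "rule:admin_required":            # the default "default" rule
        return bool(creds.get("is_admin"))
    if rule.startswith("user_id:%(") and rule.endswith(")s"):
        value = target                           # walk e.g. trust.trustor_user_id
        for part in rule[len("user_id:%("):-2].split("."):
            value = value[part]
        return creds["user_id"] == value
    raise ValueError("unsupported rule: %r" % rule)

def _trustor_trustee_only(trust, user_id):
    if user_id not in (trust["trustor_user_id"], trust["trustee_user_id"]):
        raise Forbidden("hard-coded: trustor or trustee only")

def _admin_trustor_only(creds, trust, user_id):
    if not creds.get("is_admin") and user_id != trust["trustor_user_id"]:
        raise Forbidden("hard-coded: admin or trustor only")

def _protected(policy, action, creds, trust):
    """Layer 1: the policy.json rule that @controller.protected() evaluates."""
    if not policy_allows(policy[action], creds, {"trust": trust}):
        raise Forbidden("policy")

def list_roles_for_trust(policy, creds, trust):
    _protected(policy, "identity:list_roles_for_trust", creds, trust)
    _trustor_trustee_only(trust, creds["user_id"])   # Layer 2: policy can't relax
    return trust["roles"]

def delete_trust(policy, creds, trust):
    _protected(policy, "identity:delete_trust", creds, trust)
    _admin_trustor_only(creds, trust, creds["user_id"])
    return True

def outcome(op, policy, creds, trust):
    try:                                          # 'allowed' or 'denied: <why>'
        op(policy, creds, trust)
        return "allowed"
    except Forbidden as e:
        return "denied: %s" % e

# Constructed sample data: alice delegates to bob; carol is unrelated.
TRUST = {"trustor_user_id": "alice", "trustee_user_id": "bob", "roles": ["member"]}
SAMPLE_POLICY = {"identity:list_roles_for_trust": "", "identity:delete_trust": ""}
TIGHT_POLICY = dict.fromkeys(SAMPLE_POLICY, "rule:admin_required")
```

Running outcome() with SAMPLE_POLICY (the empty rules from the shipped file) denies carol at the hard-coded layer, and with TIGHT_POLICY denies even bob and alice at the policy layer, which is exactly the "more restrictive, never less" behaviour the report describes.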
We can't simply remove these settings from policy.json, as that would
cause the "default" rule to be used, which makes trusts unusable when the
"default" rule is left at its default of "admin_required". This only
leaves us with the option of clearly documenting the behavior IMHO.
Unfortunately, JSON doesn't allow comments, so we can't just add nice
comments right there in policy.json.

I think that the correct approach is:

- Add a general purpose paragraph to the RBAC section of
  doc/source/configuration.rst that states that some operations have
  hard-coded restrictions that policy is unable to circumvent. Mention
  that policy can still make these operations more restrictive.
- Add documentation for the trust extension at
  keystone/doc/source/extensions/trust.rst that mentions the hard-coded
  restrictions for each trust operation. Documentation for the trust
  extension in this area is completely missing at this time.

** Affects: keystone
   Importance: Undecided
   Status: Confirmed

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1373599

Title:
  Trust operations in policy.json are misleading

Status in OpenStack Identity (Keystone):
  Confirmed

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1373599/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp