Public bug reported:

see: http://lists.openstack.org/pipermail/openstack-dev/2017-September/122115.html
In short, the trusts APIs handle their policy in code rather than from the policy file. This is rather confusing seeing as we have policies for trusts in the policy json file which do nothing:

https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L137-L142

We should set better default policies, and change the code to respect the policy files rather than handle the policy checking based on hardcoded values.

This change needs to be handled carefully (and made very obvious in release notes), because anyone using an older policy file once the change to respect the policy file is part of a release, will mean any authed user can list trusts because of the existing (and incorrect) default policy rules.

** Affects: keystone
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/1717847

Title: Policy does not work for trusts
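An operator-side check for the upgrade risk described in the report, as an added example that is not keystone's own code: it scans a policy JSON file for trust rules that would let any authenticated user through once the file is enforced. It assumes oslo.policy semantics, where an empty rule (`""`, `[]`) or `"@"` always passes; the function names are hypothetical and the sample policy is constructed.

```python
import json

# Rule bodies that oslo.policy evaluates as "always allow" (assumption stated above).
ALWAYS_ALLOW = ("", "@", [])

# Constructed sample standing in for an older deployed policy file.
SAMPLE_OLD_POLICY = """{
  "admin_required": "role:admin",
  "any_user": "",
  "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
  "identity:list_trusts": "",
  "identity:get_trust": "rule:any_user",
  "identity:delete_trust": "rule:admin_required",
  "identity:list_users": ""
}"""


def _resolve(rule, policy):
    """Follow plain "rule:NAME" aliases and return the final rule body."""
    seen = set()
    while isinstance(rule, str) and rule.strip().startswith("rule:"):
        target = rule.strip()[len("rule:"):]
        if target in seen or target not in policy:
            return rule  # cycle, compound expression or undefined alias: review by hand
        seen.add(target)
        rule = policy[target]
    return rule.strip() if isinstance(rule, str) else rule


def permissive_trust_rules(policy_text):
    """Return the sorted names of trust rules that any authenticated user passes."""
    policy = json.loads(policy_text)
    findings = []
    for name, rule in policy.items():
        # Only the identity API's trust rules are in scope for this check.
        if not name.startswith("identity:") or "trust" not in name:
            continue
        if _resolve(rule, policy) in ALWAYS_ALLOW:
            findings.append(name)
    return sorted(findings)


if __name__ == "__main__":
    for rule_name in permissive_trust_rules(SAMPLE_OLD_POLICY):
        print("always-allow trust rule:", rule_name)
```

Rules reported by the check are the ones to tighten in the deployed policy file before moving to a release that enforces it.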