Update patch set 1

Patch Set 1:

(1 comment)

Patch-set: 1
CC: Gerrit User 8556 <8556@4a232e18-c5a9-48ee-94c0-e04e7cca6543>
Attention: {"person_ident":"Gerrit User 9816 \u003c9816@4a232e18-c5a9-48ee-94c0-e04e7cca6543\u003e","operation":"ADD","reason":"\u003cGERRIT_ACCOUNT_8556\u003e replied on the change"}
Gerrit User 8556 2024-04-18 22:18:38 +00:00 committed by Gerrit Code Review
parent 9cd7f4dcaf
commit 1e800cab12
1 changed files with 24 additions and 0 deletions

@ -22,6 +22,30 @@
},
"revId": "04a71d340fa95ccc0f883fd0bc12cecb87b9d76e",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "73408891_d6178b90",
"filename": "keystone/common/policies/credential.py",
"patchSetId": 1
},
"lineNbr": 57,
"author": {
"id": 8556
},
"writtenOn": "2024-04-18T22:18:38Z",
"side": 1,
"message": "I think this was the same case earlier also where admin in any domain can see creds of all users? \n\n- https://review.opendev.org/c/openstack/keystone/+/916130/1/keystone/common/policies/credential.py#b24\n\nand is not the case for project admin also? I mean project admin can see all creds of other domain also?\n\nAt least seeing the test, it seem so\n\n- https://github.com/openstack/keystone-tempest-plugin/blob/c0ae2d9930bad1f9e041d85b17e32eb5a9466079/keystone_tempest_plugin/tests/rbac/v3/test_credential.py#L436\n\nIn below logs we can see project admin able to get all the creds of all users\n- https://zuul.opendev.org/t/openstack/build/9beac21cbc17449aa272bfcb794a1824/log/controller/logs/tempest_log.txt#13229-13233\n\nI am not 100% sure why domain scope was not added in new RBAC at first place. We have not solved the domain admin restriction issue yet which require a global domian admin role vs domain admin. We have discussed it many times in past but there is no solution for domain admin isolation yet and we are keeping the same behavior in new RBAC also.",
"parentUuid": "b165a477_17b07e0c",
"range": {
"startLine": 57,
"startChar": 23,
"endLine": 57,
"endChar": 59
},
"revId": "04a71d340fa95ccc0f883fd0bc12cecb87b9d76e",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
}
]
}
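
Review bot: the "message" field of the added comment (on keystone/common/policies/credential.py, line 57) backs its claim that a project admin can get the credentials of all users only with a link into a Zuul build log (tempest_log.txt#13229-13233). That evidence lives outside the record, so quoting the relevant log lines or naming the tempest test case in the message itself would keep the observation checkable from the comment alone. The thread is stored with "unresolved": true and the message says there is no solution for domain admin isolation yet, so a pointer to a tracking bug would show where that open question is being followed up.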