From 6c96675d63257d7ef2c27c5598c642efa7a25d08 Mon Sep 17 00:00:00 2001 From: Matthew Edmonds Date: Mon, 10 Jul 2017 09:20:18 -0400 Subject: [PATCH] fix identity:get_identity_providers typo Changes identity:get_identity_providers policy rule to identity:get_identity_provider to match what is checked by the code. Conflicts: keystone/common/policies/identity_provider.py There was a conflict backporting this change since the policy-in-code work in new in Pike. The conflict was resolved by removing the policy-in-code change and making it manually against the old etc/policy.json file. Change-Id: I0841abd30fd15c034b5836e42a18938634b509b1 Closes-Bug: #1703369 (cherry picked from commit b7119637a04d0a07fa6419a407f433c01bbd1db2) --- doc/source/policy_mapping.rst | 2 +- etc/policy.json | 2 +- etc/policy.v3cloudsample.json | 2 +- releasenotes/notes/bug-1703369-9a901d627a1e0316.yaml | 11 +++++++++++ 4 files changed, 14 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/bug-1703369-9a901d627a1e0316.yaml diff --git a/doc/source/policy_mapping.rst b/doc/source/policy_mapping.rst index d3368fc929..eed57fde46 100644 --- a/doc/source/policy_mapping.rst +++ b/doc/source/policy_mapping.rst @@ -146,7 +146,7 @@ identity:remove_endpoint_group_from_project DELETE /v3/OS-EP-FILT identity:create_identity_provider PUT /v3/OS-FEDERATION/identity_providers/{idp_id} identity:list_identity_providers GET /v3/OS-FEDERATION/identity_providers -identity:get_identity_providers GET /v3/OS-FEDERATION/identity_providers/{idp_id} +identity:get_identity_provider GET /v3/OS-FEDERATION/identity_providers/{idp_id} identity:update_identity_provider PATCH /v3/OS-FEDERATION/identity_providers/{idp_id} identity:delete_identity_provider DELETE /v3/OS-FEDERATION/identity_providers/{idp_id} diff --git a/etc/policy.json b/etc/policy.json index ddf2396272..efa84e9a34 100644 --- a/etc/policy.json +++ b/etc/policy.json @@ -147,7 +147,7 @@ "identity:create_identity_provider": "rule:admin_required", "identity:list_identity_providers": "rule:admin_required", - "identity:get_identity_providers": "rule:admin_required", + "identity:get_identity_provider": "rule:admin_required", "identity:update_identity_provider": "rule:admin_required", "identity:delete_identity_provider": "rule:admin_required", diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json index 9ba7173809..6c5bc0b1c0 100644 --- a/etc/policy.v3cloudsample.json +++ b/etc/policy.v3cloudsample.json @@ -174,7 +174,7 @@ "identity:create_identity_provider": "rule:cloud_admin", "identity:list_identity_providers": "rule:cloud_admin", - "identity:get_identity_providers": "rule:cloud_admin", + "identity:get_identity_provider": "rule:cloud_admin", "identity:update_identity_provider": "rule:cloud_admin", "identity:delete_identity_provider": "rule:cloud_admin", diff --git a/releasenotes/notes/bug-1703369-9a901d627a1e0316.yaml b/releasenotes/notes/bug-1703369-9a901d627a1e0316.yaml new file mode 100644 index 0000000000..2d93d16ec0 --- /dev/null +++ b/releasenotes/notes/bug-1703369-9a901d627a1e0316.yaml @@ -0,0 +1,11 @@ +--- +security: + - | + [`bug 1703369 `_] + There was a typo for the identity:get_identity_provider rule in the + default ``policy.json`` file in previous releases. The default value for + that rule was the same as the default value for the default rule + (restricted to admin) so this typo was not readily apparent. Anyone + customizing this rule should review their settings and confirm that + they did not copy that typo. More context regarding the purpose of this + backport can be found in the bug report.