From b7119637a04d0a07fa6419a407f433c01bbd1db2 Mon Sep 17 00:00:00 2001
From: Matthew Edmonds
Date: Mon, 10 Jul 2017 09:20:18 -0400
Subject: [PATCH] fix identity:get_identity_providers typo

Changes identity:get_identity_providers policy rule to identity:get_identity_provider to match what is checked by the code.

Change-Id: I0841abd30fd15c034b5836e42a18938634b509b1
Closes-Bug: #1703369
---
 doc/source/getting-started/policy_mapping.rst | 2 +-
 etc/policy.v3cloudsample.json | 2 +-
 keystone/common/policies/identity_provider.py | 2 +-
 releasenotes/notes/bug-1703369-9a901d627a1e0316.yaml | 11 +++++++++++
 4 files changed, 14 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/bug-1703369-9a901d627a1e0316.yaml

diff --git a/doc/source/getting-started/policy_mapping.rst b/doc/source/getting-started/policy_mapping.rst
index 322d20e510..6fdc9089d8 100644
--- a/doc/source/getting-started/policy_mapping.rst
+++ b/doc/source/getting-started/policy_mapping.rst
@@ -146,7 +146,7 @@ identity:remove_endpoint_group_from_project DELETE /v3/OS-EP-FILT
 identity:create_identity_provider PUT /v3/OS-FEDERATION/identity_providers/{idp_id}
 identity:list_identity_providers GET /v3/OS-FEDERATION/identity_providers
-identity:get_identity_providers GET /v3/OS-FEDERATION/identity_providers/{idp_id}
+identity:get_identity_provider GET /v3/OS-FEDERATION/identity_providers/{idp_id}
 identity:update_identity_provider PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}
 identity:delete_identity_provider DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index 9ba7173809..6c5bc0b1c0 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -174,7 +174,7 @@
 "identity:create_identity_provider": "rule:cloud_admin",
 "identity:list_identity_providers": "rule:cloud_admin",
- "identity:get_identity_providers": "rule:cloud_admin",
+ "identity:get_identity_provider": "rule:cloud_admin",
 "identity:update_identity_provider": "rule:cloud_admin",
 "identity:delete_identity_provider": "rule:cloud_admin",
diff --git a/keystone/common/policies/identity_provider.py b/keystone/common/policies/identity_provider.py
index c67bd39a05..d98cde805b 100644
--- a/keystone/common/policies/identity_provider.py
+++ b/keystone/common/policies/identity_provider.py
@@ -37,7 +37,7 @@ identity_provider_policies = [
 ]
 ),
 policy.DocumentedRuleDefault(
- name=base.IDENTITY % 'get_identity_providers',
+ name=base.IDENTITY % 'get_identity_provider',
 check_str=base.RULE_ADMIN_REQUIRED,
 description='Get identity provider.',
 operations=[
diff --git a/releasenotes/notes/bug-1703369-9a901d627a1e0316.yaml b/releasenotes/notes/bug-1703369-9a901d627a1e0316.yaml
new file mode 100644
index 0000000000..b0c2f4488c
--- /dev/null
+++ b/releasenotes/notes/bug-1703369-9a901d627a1e0316.yaml
@@ -0,0 +1,11 @@
+---
+security:
+ - |
+ [`bug 1703369 `_]
+ There was a typo for the identity:get_identity_provider rule in the
+ default ``policy.json`` file in previous releases. The default value for
+ that rule was the same as the default value for the default rule
+ (restricted to admin) so this typo was not readily apparent. Anyone
+ customizing this rule should review their settings and confirm that
+ they did not copy that typo. Particularly given that the default rule
+ is being removed in Pike with the move of policy into code.
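Review bot: The corrected key in the `etc/policy.v3cloudsample.json` hunk changes effective access for deployments built from this sample, and the release note in this commit does not say so. While the key was misspelled, the name the code checks had no entry in this file, so it presumably fell through to the file's `default` rule rather than `rule:cloud_admin`. If that default is broader (it is not visible in this hunk), reading a single identity provider was open to more callers than the sample intended. The release note speaks only of the default ``policy.json``, so I would add a sentence such as `Deployments based on policy.v3cloudsample.json should also check whether the misspelled key left this API governed by the default rule instead of cloud_admin.`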
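Review bot: No test accompanies the rename to `'get_identity_provider'` in `identity_provider_policies`, and the diffstat lists no test file, so the same drift between a registered name and the name the code enforces could recur unnoticed. The release note explains why it went unseen: the unregistered name silently took the default rule. I would add a unit test that fails when an enforced policy name is not among the registered defaults, plus a comment above this entry such as `# Name must match the rule the controller enforces; see bug 1703369.` The list definition starts and ends outside the hunk.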