keystone/keystone/api
Colleen Murphy b100825a03 Move list_roles_for_trust enforcement to policies
Without this change, policy enforcement for the GET
/OS-TRUST/trusts/{trust_id}/roles API is hardcoded in the flask
dispatcher code. This is a problem because this enforcement can't be
controlled by the operator, as is the norm. Moreover, it makes the
transition to system-scope and default-roles-aware policies more
difficult because there's no sensible migration from "" to a logical
role-based check string.

This converts the hardcoded enforcement to enforcement via default
policies for GET /OS-TRUST/trusts/{trust_id}/roles. The API specifically
blocks the is_admin user from using it, and since policies aren't loaded
for the is_admin user we need to continue explicitly blocking it.

This change does not use the formal oslo.policy deprecation system
because "" OR'd with the new default is entirely useless as a policy.

Change-Id: Ib339852c9d619b8cbf7a00d45da461377991ba6f
Partial-bug: #1818850
Partial-bug: #1818846
2019-08-16 15:20:15 -07:00
_shared Replace 'tenant_id' with 'project_id' 2019-02-04 16:17:52 +01:00
__init__.py Revert "Add API for /v3/access_rules_config" 2019-05-28 08:38:39 -07:00
auth.py Fix websso auth loop 2019-08-01 12:34:30 -07:00
credentials.py Add cadf auditing to credentials 2019-06-12 13:34:05 -07:00
discovery.py bump Keystone version for Stein 2019-01-22 15:34:06 +13:00
domains.py Allow an explicit_domain_id parameter when creating a domain 2019-04-09 16:29:52 +00:00
ec2tokens.py Make collection_key and member_key raise if unset 2018-10-12 11:18:41 -07:00
endpoints.py Convert auth to flask native dispatching 2018-10-09 23:23:03 -07:00
groups.py Add domain scope support for group policies 2019-03-27 17:15:00 +01:00
limits.py Add domain level limit support - API 2019-02-19 11:09:13 +08:00
os_ep_filter.py Allow to filter endpoint groups by name 2019-07-18 08:57:50 +02:00
os_federation.py Raise METHOD NOT ALLOWED instead of 500 error on protocol CRUD 2019-03-28 22:07:01 +00:00
os_inherit.py Add build_target argument to enforcer 2018-09-28 15:50:44 -05:00
os_oauth1.py Convert auth to flask native dispatching 2018-10-09 23:23:03 -07:00
os_revoke.py Move json_home "extension" rel functions 2018-08-16 20:49:01 +00:00
os_simple_cert.py Fix missing print format and missing ws between words 2019-08-06 08:29:34 +08:00
policy.py Convert policy API to flask 2018-08-31 07:14:32 +00:00
projects.py Implement domain admin functionality for projects 2019-03-20 20:21:33 +00:00
regions.py Convert regions API to flask native dispatching 2018-08-13 20:05:57 +00:00
registered_limits.py Add hint back 2018-09-20 14:58:43 +08:00
role_assignments.py Implement domain reader for role_assignments 2019-03-21 18:49:20 +00:00
role_inferences.py Convert role_inferences API to flask native dispatching 2018-08-13 20:06:35 +00:00
roles.py Merge "Add hint back" 2018-10-03 21:51:14 +00:00
s3tokens.py Convert S3 and EC2 auth to flask native dispatching 2018-10-11 15:27:46 -07:00
services.py Convert services api to flask native dispatching 2018-08-13 20:06:11 +00:00
system.py Add build_target argument to enforcer 2018-09-28 15:50:44 -05:00
trusts.py Move list_roles_for_trust enforcement to policies 2019-08-16 15:20:15 -07:00
users.py Add domain scope support for group policies 2019-03-27 17:15:00 +01:00