keystone/keystone/tests/unit/protection
Colleen Murphy ea7acd8036 Implement system reader role for trusts API
Currently, the trusts API only allows the "project" scope type, and
moreover inconsistently enforces different actions based on admin status
or trustor/trustee relationship: for example, an "admin" can list all
trusts but not filter by trustor or trustee and cannot get details for a
single trust, nor can they list or get trust roles. This patch changes
the behavior of the trusts API to allow a system reader to list and get
details for trusts and trust roles, where previously only a trustor or
trustee could do so. This helps make the different actions in the trusts
API consistent with one another and makes the API more useful to a
deployment auditor. A subsequent patch will add system admin
functionality.

This change does not use the oslo.policy deprecation feature for the
'identity:list_trusts_for_trustor' or 'identity:list_trusts_for_trustee'
policies as those are new policies introduced in 7717ed3.

Change-Id: I4e1482643e18fd46e937ffae8b3623cea2d2dd62
Partial-bug: #1818850
Partial-bug: #1818846
Related-Bug: #968696
2019-08-16 15:20:15 -07:00
..
v3 Implement system reader role for trusts API 2019-08-16 15:20:15 -07:00
__init__.py Implement scope_type checking for credentials 2018-10-29 15:01:29 +00:00