author | Matthew Edmonds <edmondsw@us.ibm.com> | 2017-07-10 09:20:18 -0400 |
---|---|---|
committer | Lance Bragstad <lbragstad@gmail.com> | 2017-07-20 18:25:30 +0000 |
commit | bd49c3ef6daa474e9c84c0d8721c0f6812ee3d2c (patch) | |
tree | 1bb447b68c60bc9b56ba1c74fb03ef5f1b931156 | |
parent | c1a8abb9f813b4c81151a9247e16ef069a8ae538 (diff) | |
download | keystone-stable/newton.tar.gz |
fix identity:get_identity_providers typo
newton-eol 10.0.3 stable/newton
Changes identity:get_identity_providers policy rule to
identity:get_identity_provider to match what is checked by the code.
Conflicts:
keystone/common/policies/identity_provider.py
There was a conflict backporting this change since the policy-in-code
work is new in Pike. The conflict was resolved by removing the
policy-in-code change and making it manually against the old
etc/policy.json file.
Change-Id: I0841abd30fd15c034b5836e42a18938634b509b1
Closes-Bug: #1703369
(cherry picked from commit b7119637a04d0a07fa6419a407f433c01bbd1db2)
(cherry picked from commit 8038f545daa31354e08a4063209295439005c0b8)
-rw-r--r-- | doc/source/policy_mapping.rst | 2 |
-rw-r--r-- | etc/policy.json | 2 |
-rw-r--r-- | etc/policy.v3cloudsample.json | 2 |
-rw-r--r-- | releasenotes/notes/bug-1703369-9a901d627a1e0316.yaml | 11 |
4 files changed, 14 insertions, 3 deletions
diff --git a/doc/source/policy_mapping.rst b/doc/source/policy_mapping.rst index 71f87fd5a..98570896d 100644 --- a/doc/source/policy_mapping.rst +++ b/doc/source/policy_mapping.rst @@ -146,7 +146,7 @@ identity:remove_endpoint_group_from_project DELETE /v3/OS-EP-FILT identity:create_identity_provider PUT /v3/OS-FEDERATION/identity_providers/{idp_id} identity:list_identity_providers GET /v3/OS-FEDERATION/identity_providers -identity:get_identity_providers GET /v3/OS-FEDERATION/identity_providers/{idp_id} +identity:get_identity_provider GET /v3/OS-FEDERATION/identity_providers/{idp_id} identity:update_identity_provider PATCH /v3/OS-FEDERATION/identity_providers/{idp_id} identity:delete_identity_provider DELETE /v3/OS-FEDERATION/identity_providers/{idp_id} diff --git a/etc/policy.json b/etc/policy.json index 1e37bef06..8cde9edb0 100644 --- a/etc/policy.json +++ b/etc/policy.json @@ -147,7 +147,7 @@ "identity:create_identity_provider": "rule:admin_required", "identity:list_identity_providers": "rule:admin_required", - "identity:get_identity_providers": "rule:admin_required", + "identity:get_identity_provider": "rule:admin_required", "identity:update_identity_provider": "rule:admin_required", "identity:delete_identity_provider": "rule:admin_required", diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json index 2facd2190..815aa9072 100644 --- a/etc/policy.v3cloudsample.json +++ b/etc/policy.v3cloudsample.json @@ -172,7 +172,7 @@ "identity:create_identity_provider": "rule:cloud_admin", "identity:list_identity_providers": "rule:cloud_admin", - "identity:get_identity_providers": "rule:cloud_admin", + "identity:get_identity_provider": "rule:cloud_admin", "identity:update_identity_provider": "rule:cloud_admin", "identity:delete_identity_provider": "rule:cloud_admin", diff --git a/releasenotes/notes/bug-1703369-9a901d627a1e0316.yaml b/releasenotes/notes/bug-1703369-9a901d627a1e0316.yaml new file mode 100644 index 000000000..2d93d16ec --- /dev/null 
+++ b/releasenotes/notes/bug-1703369-9a901d627a1e0316.yaml @@ -0,0 +1,11 @@ +--- +security: + - | + [`bug 1703369 <https://bugs.launchpad.net/keystone/+bug/1703369>`_] + There was a typo for the identity:get_identity_provider rule in the + default ``policy.json`` file in previous releases. The default value for + that rule was the same as the default value for the default rule + (restricted to admin) so this typo was not readily apparent. Anyone + customizing this rule should review their settings and confirm that + they did not copy that typo. More context regarding the purpose of this + backport can be found in the bug report. |
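Review bot: The rename in etc/policy.json and etc/policy.v3cloudsample.json comes with no test; the diffstat lists only the mapping doc, the two sample policy files and the release note. Both sample files carried the same misspelling, so comparing them against each other would not have flagged it. Suggest a unit test asserting that every key in the sample policy files is a rule name the code actually checks, so a mismatch such as get_identity_providers versus get_identity_provider fails in CI rather than surfacing in a bug report.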
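Review bot: In releasenotes/notes/bug-1703369-9a901d627a1e0316.yaml the security note names only the corrected rule, identity:get_identity_provider, and never spells out the misspelled key identity:get_identity_providers that operators have to search their policy files for. Suggest naming both keys and stating the effect plainly: the code checks identity:get_identity_provider, so an override written under the misspelled key was not the rule being checked. The note also mentions only the default ``policy.json``, while this patch fixes the same typo in etc/policy.v3cloudsample.json; operators who started from the cloud sample should be told to check as well.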