cloudwan / gohan

Gohan is an API Gateway Server written in Go that makes it easy for developers to create and maintain REST-style APIs
http://www.slideshare.net/natiueno/gohan-61170476
Other
109 stars 44 forks

Validate Keystone V3 roles for admin authorization. #785

Closed cierpuchaw closed 3 years ago

cierpuchaw commented 3 years ago

Our intention is for admin auth to be allowed to do anything. That's accomplished through the built-in admin_statement policy. Unfortunately, if we assign multiple roles to it, it's possible that a policy with "effect: deny" for one of those roles will block some operation, possibly making it impossible to use the admin token to revert some changes. This commit rejects such Keystone V3 tokens, effectively forcing a desired configuration of Keystone users and role assignments.
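A sketch of the kind of check described in the comment above, added here as an illustration and not taken from this PR or from Gohan's code base. It assumes the admin role is named `admin` and that "such tokens" means a Keystone V3 token whose role list contains the admin role together with any other role; `ValidateAdminRoles`, `ErrAdminMultiRole` and the sample token bodies are hypothetical.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// v3Token is the subset of a Keystone V3 token body needed here: the role list.
type v3Token struct {
	Token struct {
		Roles []struct {
			Name string `json:"name"`
		} `json:"roles"`
	} `json:"token"`
}

// ErrAdminMultiRole is a hypothetical error for admin tokens with extra roles.
var ErrAdminMultiRole = errors.New("admin token carries additional roles")

// ValidateAdminRoles rejects a token that holds adminRole together with any
// other role, so a role-specific "effect: deny" policy can never apply to it.
// Tokens without adminRole are left to normal policy evaluation.
func ValidateAdminRoles(body []byte, adminRole string) error {
	var t v3Token
	if err := json.Unmarshal(body, &t); err != nil {
		return fmt.Errorf("malformed token body: %w", err)
	}
	isAdmin, others := false, 0
	for _, r := range t.Token.Roles {
		if r.Name == adminRole {
			isAdmin = true
		} else {
			others++
		}
	}
	if isAdmin && others > 0 {
		return ErrAdminMultiRole
	}
	return nil
}

// Constructed sample token bodies (role names other than "admin" are made up).
const (
	adminOnly  = `{"token":{"roles":[{"id":"r1","name":"admin"}]}}`
	adminMixed = `{"token":{"roles":[{"id":"r1","name":"admin"},{"id":"r2","name":"member"}]}}`
	memberOnly = `{"token":{"roles":[{"id":"r2","name":"member"},{"id":"r3","name":"reader"}]}}`
)

func main() {
	for _, b := range []string{adminOnly, adminMixed, memberOnly} {
		fmt.Println(ValidateAdminRoles([]byte(b), "admin"))
	}
}
```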

cierpuchaw commented 3 years ago

@yoichi-cloudwan -san a gentle reminder about this PR.

cierpuchaw commented 3 years ago

@yoichi-cloudwan -san a gentle reminder about this PR.