access rules path checker should distinguish UUID-like strings
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| keystonemiddleware | Confirmed | Medium | Unassigned | |
Bug Description
Please consider it as a feature request.
In the access rules path definition, {tag} or * means any string w/o slashes - which complicates restricting the access in some circumstances due to how some OpenStack APIs are structured.
Example:
I want to create app creds that will only allow GET on any specific server by ID - GET /servers/{uuid}, and nothing more.
However, in Nova there's this API call GET /servers/detail - which is a list of all servers with details, and it also matches the /servers/{uuid} path in access rules.
There could be more examples like this across all OpenStack APIs.
I would envision that there should be a special tag like literally {uuid} that would only match uuid-like substrings and not anything else, somewhere around these parts https:/
Changed in keystonemiddleware:
status: New → Confirmed
importance: Undecided → Medium
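
The overlap described in the report, as an added example that is not keystonemiddleware's code: a simplified matcher in which `{tag}` and `*` match one slash-free segment, next to a hypothetical `{uuid}` tag that matches only UUID-like segments. The function names, the `uuid_aware` switch, the accepted UUID forms (hyphenated or 32 hex digits) and the sample server ID are assumptions made for illustration.

```python
import re

# Wildcard tokens from the report: "{tag}" or "*" = any string without slashes.
_TOKEN = re.compile(r"(\{[^/{}]*\}|\*)")
_SEGMENT = r"[^/]+"
# Assumption: "UUID-like" means canonical hyphenated form or 32 bare hex digits.
_UUID = r"(?:[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}|[0-9a-fA-F]{32})"


def compile_rule_path(pattern, uuid_aware=False):
    """Turn an access-rule path into a regex.

    uuid_aware=False: every wildcard token matches any slash-free segment.
    uuid_aware=True:  the literal tag "{uuid}" (hypothetical, as proposed in
                      the report) matches only UUID-like segments.
    """
    parts = _TOKEN.split(pattern)  # odd indexes hold the wildcard tokens
    regex = []
    for i, part in enumerate(parts):
        if i % 2 == 0:
            regex.append(re.escape(part))  # literal path text
        elif uuid_aware and part == "{uuid}":
            regex.append(_UUID)
        else:
            regex.append(_SEGMENT)
    return re.compile("".join(regex))


def rule_allows(rule, method, path, uuid_aware=False):
    """Return True if the request method and path satisfy the access rule."""
    if method.upper() != rule["method"].upper():
        return False
    return compile_rule_path(rule["path"], uuid_aware).fullmatch(path) is not None


# Constructed sample data: the rule from the report and a made-up server ID.
RULE = {"method": "GET", "path": "/servers/{uuid}"}
SERVER = "/servers/3f2b8c1e-9d4a-4c6b-8e7f-0a1b2c3d4e5f"

if __name__ == "__main__":
    for aware in (False, True):
        for path in (SERVER, "/servers/detail"):
            verdict = "allow" if rule_allows(RULE, "GET", path, aware) else "deny"
            print(f"uuid_aware={aware!s:5} GET {path:50} {verdict}")
```

With `uuid_aware=False` the rule admits both requests, which is the over-broad grant the report describes; with `uuid_aware=True` only the per-server path is admitted.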