Can't delegate optional roles
Bug #1376562 reported by Kieran Spear
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Heat | Fix Released | High | huangtianhua | |
| Juno | Fix Released | High | huangtianhua | |
Bug Description
We limit access to services on our cloud based on role, so we have roles like DatabaseUser and PreProdUser.
If I put these roles in CONF.trusts_
It seems like we either need to take the intersection of the user's actual roles and trusts_
This is related to a previous fix that just improved the error message:
Changed in heat:
- status: New → Triaged
- importance: Undecided → High
- assignee: nobody → Steven Hardy (shardy)
- milestone: none → kilo-1

Changed in heat:
- assignee: Steven Hardy (shardy) → huangtianhua (huangtianhua)

Changed in heat:
- status: Triaged → In Progress

Changed in heat:
- status: Fix Committed → Fix Released

Changed in heat:
- milestone: kilo-1 → 2015.1.0
Thanks for the report - this is related to https://review.openstack.org/#/c/119415/ and bug #1306665 as you mention.
Really, the problem is that the arbitrary "heat_stack_owner" role doesn't mean anything (it's a placeholder really), and we've got no way of knowing ahead of time what roles the user will actually have (or require to create the stack).
So it seems like we've got two options:
1. Always delegate all roles the user has (or more accurately the roles we see in the context, based on the scope of the token passed to heat, so it will always be all the roles the user has been assigned in the project the token is scoped to)
2. Allow an intersection where we only delegate a subset based on the content of trusts_delegated_roles
Given that https://bugs.launchpad.net/keystone/+bug/1366133 has been marked wont-fix, I'm leaning towards (1) by default (with trusts_delegated_roles changing default to None) - this still allows folks to specify a fixed list of required roles if necessary (e.g. the existing behaviour is maintained if people require it)
Would that be an acceptable solution for your environment?
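The two options from the comment above, worked through as an added Python example that is not Heat's own code: with the setting left at None every role in the token scope is delegated (option 1), a fixed list keeps the existing must-hold-every-role behaviour, and an intersection mode shows option 2. The helper name `select_delegated_roles`, the `mode` parameter, the exception class and the sample role names are assumptions for illustration; note that delegating all context roles gives the trust everything the token had, so an explicit list remains the least-privilege configuration.

```python
"""Role selection for a Heat-style trust (added example, not Heat's code).

Assumed inputs: ``context_roles`` are the roles seen in the token scope that
created the stack; ``configured_roles`` stands in for the trusts_delegated_roles
setting (None = delegate every role in the context, a list = fixed required
set); ``mode`` picks option 1 ("all_or_fixed") or option 2 ("intersection").
"""


class MissingCredentialError(Exception):
    """Raised when a fixed role list names a role the user does not hold."""


def select_delegated_roles(context_roles, configured_roles=None, mode="all_or_fixed"):
    """Return the sorted list of roles a trust should delegate to the service user."""
    held = set(context_roles)
    if configured_roles is None:
        # Option 1 default: delegate exactly the roles in the token scope, so an
        # optional role such as DatabaseUser is delegated whenever the user has it.
        return sorted(held)
    wanted = set(configured_roles)
    if mode == "intersection":
        # Option 2: delegate only the configured roles the user actually holds;
        # a configured role the user lacks is silently skipped.
        return sorted(held & wanted)
    if mode == "all_or_fixed":
        # Existing behaviour for a fixed list: every configured role must be held,
        # otherwise the trust cannot be created; report which roles are missing.
        missing = wanted - held
        if missing:
            raise MissingCredentialError(
                "Missing required credential: roles %s" % sorted(missing))
        return sorted(wanted)
    raise ValueError("unknown mode %r" % mode)


if __name__ == "__main__":
    # Constructed sample: roles the reporting user might hold in the project.
    user_roles = ["Member", "DatabaseUser", "heat_stack_owner"]
    print(select_delegated_roles(user_roles))                        # all three roles
    print(select_delegated_roles(user_roles, ["heat_stack_owner"]))   # fixed list, held
    print(select_delegated_roles(user_roles, ["DatabaseUser", "PreProdUser"], "intersection"))
    try:
        select_delegated_roles(user_roles, ["DatabaseUser", "PreProdUser"])
    except MissingCredentialError as err:
        print(err)  # PreProdUser is not held, so the trust is refused
```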