Can't delegate optional roles

Bug #1376562 reported by Kieran Spear
This bug affects 2 people
Affects                 Status        Importance  Assigned to   Milestone
OpenStack Heat          Fix Released  High        huangtianhua
OpenStack Heat (Juno)   Fix Released  High        huangtianhua

Bug Description

We limit access to services on our cloud based on role, so we have roles like DatabaseUser and PreProdUser.

If I put these roles in CONF.trusts_delegated_roles then everything works fine for users with the role, but any users who don't have access to a particular service can't create any stacks at all.

It seems like we either need to take the intersection of the user's actual roles and trusts_delegated_roles when we create the trust, or have a second config option like trusts_delegated_optional_roles that does that.

This is related to a previous fix that just improved the error message:

https://bugs.launchpad.net/heat/+bug/1306665

Steven Hardy (shardy)
Changed in heat:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Steven Hardy (shardy)
milestone: none → kilo-1
Steven Hardy (shardy) wrote :

Thanks for the report - this is related to https://review.openstack.org/#/c/119415/ and bug #1306665 as you mention.

Really, the problem is that the arbitrary "heat_stack_owner" role doesn't mean anything (it's a placeholder really), and we've got no way of knowing ahead of time what roles the user will actually have (or require to create the stack).

So it seems like we've got two options:

1. Always delegate all roles the user has (or more accurately the roles we see in the context, based on the scope of the token passed to heat, so it will always be all the roles the user has been assigned in the project the token is scoped to)

2. Allow an intersection where we only delegate a subset based on the content of trusts_delegated_roles

Given that https://bugs.launchpad.net/keystone/+bug/1366133 has been marked wont-fix, I'm leaning towards (1) by default (with trusts_delegated_roles changing default to None) - this still allows folks to specify a fixed list of required roles if necessary (e.g. the existing behaviour is maintained if people require it)

Would that be an acceptable solution for your environment?

Changed in heat:
assignee: Steven Hardy (shardy) → huangtianhua (huangtianhua)
Changed in heat:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/128509
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=aab01c00ff330d743fc15e97d7ae144eac5015bb
Submitter: Jenkins
Branch: master

commit aab01c00ff330d743fc15e97d7ae144eac5015bb
Author: huangtianhua <email address hidden>
Date: Wed Oct 15 11:41:45 2014 +0800

    Inherit roles for create_trust_context()

    This changes the default value of the option
    'trusts_delegated_roles' to []. All of the trustor's
    roles are delegated when creating the trust, unless
    the user sets the option to a subset of roles.

    Change-Id: I3f1b70b78b91bfac9af5fadb71140679b208c999
    Closes-bug: #1376562
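Added illustration of the selection rule the commit above describes (a constructed stand-alone model, not Heat's or Keystone's code): the pre-fix behaviour delegates the configured list verbatim, so a user lacking one listed role cannot create a stack, while the post-fix behaviour delegates every role in the request context when `trusts_delegated_roles` is empty and keeps the fixed-list behaviour otherwise. The `TrustCreationError` class and the role names are assumptions made for the example.

```python
class TrustCreationError(Exception):
    """Stands in for the failure Keystone raises when a trust would delegate
    a role the trustor does not hold, or zero roles (constructed for this example)."""


def create_trust(trustor_roles, roles_to_delegate):
    """Model of trust creation: every delegated role must be held by the
    trustor, and delegating zero roles is invalid."""
    if not roles_to_delegate:
        raise TrustCreationError("a trust must delegate at least one role")
    missing = sorted(set(roles_to_delegate) - set(trustor_roles))
    if missing:
        raise TrustCreationError("trustor lacks role(s): %s" % ", ".join(missing))
    return {"roles": sorted(roles_to_delegate)}


def select_roles_before_fix(context_roles, trusts_delegated_roles):
    """Pre-fix rule: always delegate the configured list, whatever the user holds."""
    return list(trusts_delegated_roles)


def select_roles_after_fix(context_roles, trusts_delegated_roles):
    """Post-fix rule: an empty option means 'delegate all roles seen in the
    context'; a non-empty option keeps the old fixed-list behaviour."""
    if trusts_delegated_roles:
        return list(trusts_delegated_roles)
    return list(context_roles)


def create_stack_trust(context_roles, trusts_delegated_roles, fixed=True):
    """Build the trust a stack create needs, using either selection rule."""
    select = select_roles_after_fix if fixed else select_roles_before_fix
    return create_trust(context_roles, select(context_roles, trusts_delegated_roles))


def stack_create_allowed(context_roles, trusts_delegated_roles, fixed=True):
    """True if the trust for a stack create can be built under the given rule."""
    try:
        create_stack_trust(context_roles, trusts_delegated_roles, fixed)
    except TrustCreationError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: the deployment from the report, and a user
    # who holds PreProdUser but not DatabaseUser.
    configured = ["heat_stack_owner", "DatabaseUser", "PreProdUser"]
    user = ["heat_stack_owner", "PreProdUser"]
    print("before fix, fixed list:", stack_create_allowed(user, configured, fixed=False))
    print("after fix, empty option:", create_stack_trust(user, [], fixed=True))
```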

Changed in heat:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/130104

OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (stable/juno)

Reviewed: https://review.openstack.org/130104
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=e6c1292b78a0eb3937bbf59e9202688e3c784a54
Submitter: Jenkins
Branch: stable/juno

commit e6c1292b78a0eb3937bbf59e9202688e3c784a54
Author: huangtianhua <email address hidden>
Date: Wed Oct 15 11:41:45 2014 +0800

    Inherit roles for create_trust_context()

    For the stable/juno backport, the default value of
    trusts_delegated_roles is left unchanged, so deployers
    will see no change on upgrade, unless they explicitly
    choose to update their heat.conf. Note that previously
    an empty list caused an error (it's invalid to
    delegate zero roles via a trust), so this is not a change
    of behaviour of a previously working configuration.

    Change-Id: I3f1b70b78b91bfac9af5fadb71140679b208c999
    Closes-bug: #1376562
    (cherry picked from commit aab01c00ff330d743fc15e97d7ae144eac5015bb)

Thierry Carrez (ttx)
Changed in heat:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in heat:
milestone: kilo-1 → 2015.1.0