[identity] Need to create standard "service" role

Bug #1436050 reported by Mark Vanderwiel
Affects: OpenStack + Chef
Status: Fix Released
Importance: High
Assigned to: Mark Vanderwiel
Milestone: none

Bug Description

The Kilo keystone policy.json file has two roles in it, admin and service.
https://github.com/openstack/keystone/blob/master/etc/policy.json#L3

The current identity cookbook only creates the admin one. (Note it also creates a KeystoneAdmin and KeystoneServiceAdmin
https://github.com/stackforge/cookbook-openstack-identity/blob/master/attributes/default.rb#L117 which are no longer used and should be removed.)

Two actions to fix this issue:

1. In the identity cookbook, change the roles so that the "service" role is created.
2. In all the other cookbooks that create a "service" user, have that user use the new "service" role instead of admin.

Tags: identity
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cookbook-openstack-identity (master)

Fix proposed to branch: master
Review: https://review.openstack.org/167390

Changed in openstack-chef:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cookbook-openstack-bare-metal (master)

Fix proposed to branch: master
Review: https://review.openstack.org/167391

OpenStack Infra (hudson-openstack) wrote : Fix proposed to cookbook-openstack-block-storage (master)

Fix proposed to branch: master
Review: https://review.openstack.org/167393

OpenStack Infra (hudson-openstack) wrote : Fix proposed to cookbook-openstack-compute (master)

Fix proposed to branch: master
Review: https://review.openstack.org/167394

OpenStack Infra (hudson-openstack) wrote : Fix proposed to cookbook-openstack-database (master)

Fix proposed to branch: master
Review: https://review.openstack.org/167396

OpenStack Infra (hudson-openstack) wrote : Fix proposed to cookbook-openstack-image (master)

Fix proposed to branch: master
Review: https://review.openstack.org/167397

OpenStack Infra (hudson-openstack) wrote : Fix proposed to cookbook-openstack-network (master)

Fix proposed to branch: master
Review: https://review.openstack.org/167398

OpenStack Infra (hudson-openstack) wrote : Fix proposed to cookbook-openstack-object-storage (master)

Fix proposed to branch: master
Review: https://review.openstack.org/167399

OpenStack Infra (hudson-openstack) wrote : Fix proposed to cookbook-openstack-orchestration (master)

Fix proposed to branch: master
Review: https://review.openstack.org/167400

OpenStack Infra (hudson-openstack) wrote : Fix proposed to cookbook-openstack-telemetry (master)

Fix proposed to branch: master
Review: https://review.openstack.org/167401

OpenStack Infra (hudson-openstack) wrote : Fix merged to cookbook-openstack-identity (master)

Reviewed: https://review.openstack.org/167390
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-identity/commit/?id=c723f0ecd9c676886b2708d94b088cda900f2ae0
Submitter: Jenkins
Branch: master

commit c723f0ecd9c676886b2708d94b088cda900f2ae0
Author: Mark Vanderwiel <email address hidden>
Date: Tue Mar 24 15:30:26 2015 -0500

    Create "service" role and cleanup unused roles

    Only the "admin" and "service" roles are used in the latest default
    keystone policy file.
    Remove the unused roles, KeystoneAdmin, KeystoneServiceAdmin

    In the other cookbooks that create a "service" user, change that
    to use the new "service" role instead of "admin"

    Change-Id: I5a77db41b114b6de99ba6923402429cfb1af5130
    Partial-Bug: #1436050

OpenStack Infra (hudson-openstack) wrote : Fix merged to cookbook-openstack-database (master)

Reviewed: https://review.openstack.org/167396
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-database/commit/?id=c1a99e40a8cf8be54077a02487bb1ef895546ff5
Submitter: Jenkins
Branch: master

commit c1a99e40a8cf8be54077a02487bb1ef895546ff5
Author: Mark Vanderwiel <email address hidden>
Date: Tue Mar 24 15:41:43 2015 -0500

    Use new "service" role instead of "admin"

    Change-Id: Ifc50b807d4a03061a4795b703dd3aff798a0e665
    Partial-Bug: #1436050

OpenStack Infra (hudson-openstack) wrote : Fix merged to cookbook-openstack-orchestration (master)

Reviewed: https://review.openstack.org/167400
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-orchestration/commit/?id=c8f98f065548f99e3a37df8422682e8a9dd4d2a9
Submitter: Jenkins
Branch: master

commit c8f98f065548f99e3a37df8422682e8a9dd4d2a9
Author: Mark Vanderwiel <email address hidden>
Date: Tue Mar 24 15:48:04 2015 -0500

    Use new "service" role instead of "admin"

    Partial-Bug: #1436050

    Change-Id: Ib2d20e95ad44a61f6d68ecd0726b9f29cc0bc595

OpenStack Infra (hudson-openstack) wrote : Fix merged to cookbook-openstack-image (master)

Reviewed: https://review.openstack.org/167397
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-image/commit/?id=3c5947030ffffb1bfff4193a88a45fbbc8309839
Submitter: Jenkins
Branch: master

commit 3c5947030ffffb1bfff4193a88a45fbbc8309839
Author: Mark Vanderwiel <email address hidden>
Date: Tue Mar 24 15:43:22 2015 -0500

    Use new "service" role instead of "admin"

    Change-Id: I32508a10eb452f722e0111399e1c02dbc8c71346
    Partial-Bug: #1436050

OpenStack Infra (hudson-openstack) wrote : Fix merged to cookbook-openstack-object-storage (master)

Reviewed: https://review.openstack.org/167399
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-object-storage/commit/?id=bdc7ee1db95271ebd560ae7ccf75965cfda2f2d0
Submitter: Jenkins
Branch: master

commit bdc7ee1db95271ebd560ae7ccf75965cfda2f2d0
Author: Mark Vanderwiel <email address hidden>
Date: Tue Mar 24 15:46:29 2015 -0500

    Use new "service" role instead of "admin"

    Change-Id: I3169d7600074ddc26899eabc8bb40744fc385233
    Partial-Bug: #1436050

OpenStack Infra (hudson-openstack) wrote : Fix merged to cookbook-openstack-compute (master)

Reviewed: https://review.openstack.org/167394
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-compute/commit/?id=dd488e787b6d5e2bf1abf92b8e71443b7baadc6c
Submitter: Jenkins
Branch: master

commit dd488e787b6d5e2bf1abf92b8e71443b7baadc6c
Author: Mark Vanderwiel <email address hidden>
Date: Tue Mar 24 15:40:03 2015 -0500

    Use new "service" role instead of "admin"

    Change-Id: Idc6a826f15f60f0f6c5de2a3cbb3f7ed21122fae
    Partial-Bug: #1436050

OpenStack Infra (hudson-openstack) wrote : Fix merged to cookbook-openstack-network (master)

Reviewed: https://review.openstack.org/167398
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-network/commit/?id=c80a7b3045e1a1fbf5936c8427a65e034b5ca410
Submitter: Jenkins
Branch: master

commit c80a7b3045e1a1fbf5936c8427a65e034b5ca410
Author: Mark Vanderwiel <email address hidden>
Date: Tue Mar 24 15:45:15 2015 -0500

    Use new "service" role instead of "admin"

    Change-Id: I410f260b6d522b8d28817f91f6103ab989859b0e
    Partial-Bug: #1436050

OpenStack Infra (hudson-openstack) wrote : Fix merged to cookbook-openstack-block-storage (master)

Reviewed: https://review.openstack.org/167393
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-block-storage/commit/?id=f7c3a8cc111a267a7e958c243bf688728b1ed974
Submitter: Jenkins
Branch: master

commit f7c3a8cc111a267a7e958c243bf688728b1ed974
Author: Mark Vanderwiel <email address hidden>
Date: Tue Mar 24 15:37:52 2015 -0500

    Use new "service" role instead of "admin"

    Change-Id: Id0f0b1e5b7caba3666715bdae487f4de26ac26a9
    Partial-Bug: #1436050

OpenStack Infra (hudson-openstack) wrote : Fix merged to cookbook-openstack-telemetry (master)

Reviewed: https://review.openstack.org/167401
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-telemetry/commit/?id=5388baa0a1a49967958d41e3f01030b8d7e39d7e
Submitter: Jenkins
Branch: master

commit 5388baa0a1a49967958d41e3f01030b8d7e39d7e
Author: Mark Vanderwiel <email address hidden>
Date: Tue Mar 24 15:49:13 2015 -0500

    Use new "service" role instead of "admin"

    Change-Id: I1c9067884145da5f607085f9ffef754e4d342a35
    Partial-Bug: #1436050

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to cookbook-openstack-image (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/171330

OpenStack Infra (hudson-openstack) wrote : Related fix merged to cookbook-openstack-image (master)

Reviewed: https://review.openstack.org/171330
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-image/commit/?id=1600d6a14d1b628d19e7494019d50e01488acd5d
Submitter: Jenkins
Branch: master

commit 1600d6a14d1b628d19e7494019d50e01488acd5d
Author: Mark Vanderwiel <email address hidden>
Date: Tue Apr 7 13:51:22 2015 -0500

    Only admin can create public glance images

    With the change to use the correct "service" role for service users,
    they can no longer create public images.
    For this recipe, we need to use admin for public images.

    Added a public flag to the lwrp such that other non-admin
    accounts can create images. Made a note in the client cookbook
    patch that this support needs to be merged in there.

    Change-Id: I99e2febfdbf6f4bab260d897216f4ae768cf3315
    Related-Bug: #1436050
    Closes-Bug: #1441292

Ma Wen Cheng (mars914) wrote :

@Mark, all the access is also the "admin" role; it looks like the "service" role has no permission.
If the "service" role is used, it will come up with:
ERROR (Unauthorized): Unauthorized (HTTP 401) (Request-ID: req-502a4465-c613-4482-a9f2-4b35ce30bf4c)

https://github.com/openstack/keystone/blob/master/etc/policy.json#L10

Mark Vanderwiel (vanderwl) wrote :

Mars, not sure I understand your comment. What task are you trying to do with the service role? Most of them should now be using the admin role for identity changes.

Mark Vanderwiel (vanderwl) wrote :

See https://github.com/openstack/keystone/blob/master/etc/policy.json#L92 for the identity uses for the service role, basically validate tokens.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to cookbook-openstack-compute (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/174586

Ma Wen Cheng (mars914) wrote :

Mark, I mean we also need to make sure that the "service" role has the right rule in keystone policy.

OpenStack Infra (hudson-openstack) wrote : Related fix merged to cookbook-openstack-compute (master)

Reviewed: https://review.openstack.org/174586
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-compute/commit/?id=a4070598882babb4ad6e8f4c16332dd3ecc00692
Submitter: Jenkins
Branch: master

commit a4070598882babb4ad6e8f4c16332dd3ecc00692
Author: Mark Vanderwiel <email address hidden>
Date: Thu Apr 16 15:17:45 2015 -0500

    Revert using service role for nova user

    Looks like nova still needs the admin role to work. This is probably
    a security bug against nova, but that's being debated. So, in the
    meantime, we need to revert this back to using the admin role.

    Change-Id: If8b58516032f2eb5f9782189744f22abc4ab40b5
    Related-Bug: #1436050

OpenStack Infra (hudson-openstack) wrote : Fix merged to cookbook-openstack-bare-metal (master)

Reviewed: https://review.openstack.org/167391
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-bare-metal/commit/?id=de410e11fb3d0cc3f894609733e6be56d2b81bab
Submitter: Jenkins
Branch: master

commit de410e11fb3d0cc3f894609733e6be56d2b81bab
Author: Mark Vanderwiel <email address hidden>
Date: Tue Mar 24 15:35:12 2015 -0500

    Use new "service" role instead of "admin"

    Change-Id: I885750d36a242dcdbf0451de241d79d98eb6d38a
    Partial-Bug: #1436050

Changed in openstack-chef:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Related fix merged to cookbook-openstack-network (master)

Reviewed: https://review.openstack.org/175252
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-network/commit/?id=14cd028b8bd613103c61b6d660e2dcb92b5bf48d
Submitter: Jenkins
Branch: master

commit 14cd028b8bd613103c61b6d660e2dcb92b5bf48d
Author: ZHU ZHU <email address hidden>
Date: Sun Apr 19 21:55:21 2015 -0500

    Revert neutron with admin role

    Looks like neutron still requires admin to work. With the neutron policy,
    the port binding for a VM requires admin permission.
    https://github.com/openstack/neutron/blob/master/etc/policy.json#L53

    A bug is opened against neutron.
    https://bugs.launchpad.net/neutron/+bug/1445475

    Until it is changed by neutron, the cookbook needs to revert it back to
    using the admin role.

    Related-Bug: #1436050

    Change-Id: I8342f7da783c2fc7bb42488b6d461851f66b2228
