The v3 users API should account for different scopes

Bug #1748027 reported by Lance Bragstad
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Lance Bragstad

Bug Description

Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release [0]. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the user API. This is documented in each patch with FIXMEs [1].

The following acceptance criteria describe how the v3 users API should behave with tokens from multiple scopes:

GET /v3/users/{user_id}

- Someone with a system role assignment that passes the check string should be able to call this API for any user in the system
- Someone with a domain role assignment that passes the check string should be able to call this API for any user within the domain
- Someone with a valid token should be able to call this API for their user

GET /v3/users

- Someone with a system role assignment that passes the check string should be able to call this API and get a list of all users in the system
- Someone with a domain role assignment that passes the check string should be able to call this API and get a list of all users within that domain

POST /v3/users

- Someone with a system role assignment that passes the check string should be able to create users anywhere in the system
- Someone with a domain role assignment that passes the check string should only be able to create users within their domain
- Someone with a project role assignment that passes the check string shouldn't be able to create users since users are domain-scoped entities.

PATCH /v3/users/{user_id}

- Someone with a system role assignment that passes the check string should be able to update any user in the system
- Someone with a domain role assignment that passes the check string should only be able to update users within their domain; this should also include rejecting requests to update domain IDs for users that don't match the domain they are a part of
- Someone with a project role assignment that passes the check string shouldn't be able to update users since users are domain-scoped.

[0] https://review.openstack.org/#/c/526203/
[1] https://review.openstack.org/#/c/526203/5/keystone/common/policies/user.py@21
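The acceptance criteria above, modelled as a small scope-aware authorizer. This is an added illustration, not keystone's policy code or oslo.policy: the `Token`, `User`, `authorize` and `list_users` names, the sample directory, and the role-to-check-string mapping (reader/member satisfy read checks, admin satisfies write checks, following the reader/member/admin split in the commit messages below) are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Token:
    user_id: str
    role: str                          # "reader", "member" or "admin" (assumed)
    system: bool = False               # system-scoped token
    domain_id: Optional[str] = None    # domain-scoped token
    project_id: Optional[str] = None   # project-scoped token

@dataclass(frozen=True)
class User:
    user_id: str
    domain_id: str                     # users are domain-scoped entities

# Assumed check strings: reader/member pass read checks, admin passes writes.
READ_ROLES = {"reader", "member", "admin"}
WRITE_ROLES = {"admin"}

def authorize(token: Token, op: str, target: Optional[User] = None,
              new_domain_id: Optional[str] = None) -> bool:
    """Decide GET ("get"), POST ("create") and PATCH ("update") on one user."""
    if op == "get" and target is not None and token.user_id == target.user_id:
        return True                    # any valid token may fetch its own user
    if token.role not in (READ_ROLES if op == "get" else WRITE_ROLES):
        return False                   # role does not pass the check string
    if token.system:
        return True                    # system scope reaches every domain
    if token.domain_id is None:
        return False                   # project scope cannot manage users
    target_domain = target.domain_id if target is not None else new_domain_id
    if target_domain != token.domain_id:
        return False                   # user lives outside the token's domain
    if op == "update" and new_domain_id not in (None, token.domain_id):
        return False                   # moving a user out of the domain is denied
    return True

def list_users(token: Token, users: List[User]) -> Optional[List[User]]:
    """GET /v3/users: all users for system scope, own domain for domain scope."""
    if token.role not in READ_ROLES:
        return None
    if token.system:
        return list(users)
    if token.domain_id is not None:
        return [u for u in users if u.domain_id == token.domain_id]
    return None                        # project scope gets no listing at all

# Constructed sample directory: two users in domain d1, one in d2.
USERS = [User("alice", "d1"), User("bob", "d1"), User("carol", "d2")]
```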

tags: added: policy
description: updated
Changed in keystone:
importance: Undecided → High
status: New → Triaged
sonu (sonu-bhumca11)
Changed in keystone:
assignee: nobody → sonu (sonu-bhumca11)
Colleen Murphy (krinkle)
tags: added: system-scope
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/611179

Changed in keystone:
assignee: sonu (sonu-bhumca11) → Lance Bragstad (lbragstad)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/623322

OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Lance Bragstad (<email address hidden>) on branch: master
Review: https://review.openstack.org/611179
Reason: This has been broken into a more reviewable series, starting here [0].

[0] https://review.openstack.org/#/c/605485/15

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/605485
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=40d3458fcb29df1daefce9455d1778e800cac378
Submitter: Zuul
Branch: master

commit 40d3458fcb29df1daefce9455d1778e800cac378
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 19:39:56 2018 +0000

    Implement system reader role for users

    This commit introduces the system reader role to the users API, making
    it easier for administrators to delegate subsets of responsibilities
    to the API by default. This commit also maintains the ability for
    any user to be able to fetch their own user reference.

    Subsequent patches will incorporate:

      - system member test coverage
      - system admin functionality
      - domain reader functionality
      - domain member test coverage
      - domain admin functionality
      - project user test coverage

    Change-Id: I9c362e515772540dfa93d05781d955009b9a154d
    Partial-Bug: 1805406
    Partial-Bug: 1748027
    Partial-Bug: 968696

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/623317
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4f724f2d9387dc83148dada41a0f9acb294026c2
Submitter: Zuul
Branch: master

commit 4f724f2d9387dc83148dada41a0f9acb294026c2
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 19:48:36 2018 +0000

    Implement system member role user test coverage

    This commit introduces explicit test coverage for system members,
    making sure they are allowed to do readable and not writable user
    operations.

    Subsequent patches will incorporate:

      - system admin functionality
      - domain reader functionality
      - domain member test coverage
      - domain admin functionality
      - project user test coverage

    Change-Id: Ibc837225154ba7bcd2f93938565b41ff0e8f4803
    Partial-Bug: 1805406
    Partial-Bug: 1748027
    Partial-Bug: 968696

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/623318
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=29fb7ae3952138ec05fd2434fe9cf5eccc8205f0
Submitter: Zuul
Branch: master

commit 29fb7ae3952138ec05fd2434fe9cf5eccc8205f0
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 19:59:36 2018 +0000

    Implement system admin role in users API

    This commit introduces the system admin role to the users API,
    making it consistent with other system-admin policy definitions.

    Subsequent patches will build on this work to expose more
    functionality to domain and project users:

     - domain reader functionality
     - domain member test coverage
     - domain admin functionality
     - project user test coverage

    Change-Id: I19bf5a562401100d9208f98515ce596f7ca20185
    Closes-Bug: 1805406
    Partial-Bug: 1748027
    Partial-Bug: 968696

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/623319
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bc217b316e13942cb7f4fc742be988d27bd32aa2
Submitter: Zuul
Branch: master

commit bc217b316e13942cb7f4fc742be988d27bd32aa2
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 20:21:28 2018 +0000

    Implement domain reader functionality for user API

    This commit adds explicit testing for how users with the reader role
    on a domain should interact with users both inside and outside of
    the domain they have authorization on.

    Subsequent patches will continue to build on this by incorporating:

     - domain member test coverage
     - domain admin functionality
     - project user test coverage

    Change-Id: I09f520aaed9560541d183ac83a1a7241d8d0d2f1
    Partial-Bug: 1748027
    Partial-Bug: 968696

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/623320
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9ca599e50610fadc60e1b05c1af37044916575c5
Submitter: Zuul
Branch: master

commit 9ca599e50610fadc60e1b05c1af37044916575c5
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 20:31:08 2018 +0000

    Implement domain member functionality for user API

    This commit adds explicit testing for how users with the member role
    on a domain should interact with users both inside and outside of
    the domain they have authorization on.

    Subsequent patches will continue to build on this by incorporating:

     - domain admin functionality
     - project user test coverage

    Change-Id: I2a75f49e953c0c6fbe2de6da7b40faaa208f953d
    Partial-Bug: 1748027
    Partial-Bug: 968696

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/623321
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cf1ce4eb36393cedadb2de2aeba8140c65e09775
Submitter: Zuul
Branch: master

commit cf1ce4eb36393cedadb2de2aeba8140c65e09775
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 20:50:28 2018 +0000

    Implement domain admin functionality for user API

    This commit adds explicit testing to show how users with the admin role
    on a domain can manage users within their domain. It also modifies the
    default policies to account for this functionality. A subsequent patch
    will do the same for project users.

    Change-Id: I3899e07b857e213f85384ed9c9e4add199290a49
    Partial-Bug: 1748027
    Partial-Bug: 968696

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/623322
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f9e07a940dc6d197709f5a66c8e4ff203d388da1
Submitter: Zuul
Branch: master

commit f9e07a940dc6d197709f5a66c8e4ff203d388da1
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 21:01:14 2018 +0000

    Add explicit testing for project users and the user API

    This commit wraps up the user API policy refactor by adding explicit
    testing for how project users are expected to behave with the user
    API. A subsequent patch set will remove the now obsolete user policies
    in policy.v3cloudsample.json.

    Change-Id: Ic7b0839ac70439aa0311a98c6b7b5688a7e2dcf7
    Closes-Bug: 1748027
    Related-Bug: 968696

Changed in keystone:
status: In Progress → Fix Released
Colleen Murphy (krinkle)
Changed in keystone:
milestone: none → stein-rc2
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.openstack.org/647548

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: stable/stein
Review: https://review.openstack.org/647549

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: stable/stein
Review: https://review.openstack.org/647550

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: stable/stein
Review: https://review.openstack.org/647551

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/stein)

Reviewed: https://review.openstack.org/647548
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=69868c6bfdeca737ea7c48057beb3b657e14091b
Submitter: Zuul
Branch: stable/stein

commit 69868c6bfdeca737ea7c48057beb3b657e14091b
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 20:21:28 2018 +0000

    Implement domain reader functionality for user API

    This commit adds explicit testing for how users with the reader role
    on a domain should interact with users both inside and outside of
    the domain they have authorization on.

    Subsequent patches will continue to build on this by incorporating:

     - domain member test coverage
     - domain admin functionality
     - project user test coverage

    Change-Id: I09f520aaed9560541d183ac83a1a7241d8d0d2f1
    Partial-Bug: 1748027
    Partial-Bug: 968696
    (cherry picked from commit bc217b316e13942cb7f4fc742be988d27bd32aa2)

tags: added: in-stable-stein
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/647549
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=dd6da4cd459d330dc2feb017c470da321604784a
Submitter: Zuul
Branch: stable/stein

commit dd6da4cd459d330dc2feb017c470da321604784a
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 20:31:08 2018 +0000

    Implement domain member functionality for user API

    This commit adds explicit testing for how users with the member role
    on a domain should interact with users both inside and outside of
    the domain they have authorization on.

    Subsequent patches will continue to build on this by incorporating:

     - domain admin functionality
     - project user test coverage

    Change-Id: I2a75f49e953c0c6fbe2de6da7b40faaa208f953d
    Partial-Bug: 1748027
    Partial-Bug: 968696
    (cherry picked from commit 9ca599e50610fadc60e1b05c1af37044916575c5)

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/647550
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a5fbec6a091afe28d04bfdb331a56aa14d6e7ff3
Submitter: Zuul
Branch: stable/stein

commit a5fbec6a091afe28d04bfdb331a56aa14d6e7ff3
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 20:50:28 2018 +0000

    Implement domain admin functionality for user API

    This commit adds explicit testing to show how users with the admin role
    on a domain can manage users within their domain. It also modifies the
    default policies to account for this functionality. A subsequent patch
    will do the same for project users.

    Change-Id: I3899e07b857e213f85384ed9c9e4add199290a49
    Partial-Bug: 1748027
    Partial-Bug: 968696
    (cherry picked from commit cf1ce4eb36393cedadb2de2aeba8140c65e09775)

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/647551
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8da74c1756d5c8ce7a33cb3f18d45d2d7c7bc63a
Submitter: Zuul
Branch: stable/stein

commit 8da74c1756d5c8ce7a33cb3f18d45d2d7c7bc63a
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 21:01:14 2018 +0000

    Add explicit testing for project users and the user API

    This commit wraps up the user API policy refactor by adding explicit
    testing for how project users are expected to behave with the user
    API. A subsequent patch set will remove the now obsolete user policies
    in policy.v3cloudsample.json.

    Change-Id: Ic7b0839ac70439aa0311a98c6b7b5688a7e2dcf7
    Closes-Bug: 1748027
    Related-Bug: 968696
    (cherry picked from commit f9e07a940dc6d197709f5a66c8e4ff203d388da1)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 15.0.0.0rc2

This issue was fixed in the openstack/keystone 15.0.0.0rc2 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 16.0.0.0rc1

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.
