The v3 project API should account for different scopes

Bug #1750660 reported by Lance Bragstad
This bug affects 6 people
Affects: OpenStack Identity (keystone) | Status: Fix Released | Importance: High | Assigned to: Lance Bragstad

Bug Description

Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the user API. This is documented in each patch with FIXMEs [0].

The following acceptance criteria describe how the v3 project API should behave with tokens from multiple scopes. WARNING: It also assumes that project tags are accessible to anyone with authorization to the project. If system administrators, or operators, intend to tag projects for administrative use (e.g. billing tags for accounting purposes), those tags will be accessible to users with access to the project:

GET /v3/projects/{project_id}

- Someone with a system role assignment that passes the check string should be able to get any project in the deployment (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to get any project within the domain they administer (domain-scoped)
- Someone with a project role assignment that passes the check string should be able to get the project or any child project of the project they have a role assignment on (project-scoped)

GET /v3/projects

- Someone with a system role assignment that passes the check string should be able to list all projects in the deployment (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to list all projects within the domain they administer (domain-scoped)
- Someone with a project role assignment that passes the check string should be able to list all child projects of the project they administer (project-scoped)?

GET /v3/users/{user_id}/projects

- Someone with a system role assignment that passes the check string should be able to list all projects for any user in the deployment (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to list projects for a user within the domain they administer; the response will only include projects in the domain they administer (domain-scoped)

POST /v3/projects

- Someone with a system role assignment that passes the check string should be able to create projects anywhere in the deployment (system-scoped)
- Someone with a domain role assignment that passes the check string should only be able to create projects within the domain they administer (domain-scoped)
- Someone with a project role assignment that passes the check string should only be able to create child projects of the project they administer (project-scoped)

PATCH /v3/projects/{project_id}

- Someone with a system role assignment that passes the check string should be able to update any project in the deployment (system-scoped)
- Someone with a domain role assignment that passes the check string should only be able to update projects within the domain they administer (domain-scoped)
- Someone with a project role assignment that passes the check string should only be able to update projects they administer or child projects of the ones they administer (project-scoped)?

DELETE /v3/projects/{project_id}

- Someone with a system role assignment that passes the check string should be able to delete any project in the deployment
- Someone with a domain role assignment that passes the check string should only be able to delete a project within the domain they administer (domain-scoped)
- Someone with a project role assignment that passes the check string should only be able to delete a child project of the project they administer (project-scoped)?

GET /v3/projects/{project_id}/tags

- Someone with a system role assignment that passes the check string should be able to list tags for any project in the deployment (system-scoped)
- Someone with a domain role assignment that passes the check string should only be able to list tags for a project within the domain they administer (domain-scoped)
- Someone with a project role assignment that passes the check string should be able to list project tags associated with the project they have authorization on (project-scoped)

GET /v3/projects/{project_id}/tags/{value}

- Someone with a system role assignment that passes the check string should be able to get a project tag for any project in the deployment (system-scoped)
- Someone with a domain role assignment that passes the check string should only be able to get a project tag for a project within the domain they administer (domain-scoped)
- Someone with a project role assignment that passes the check string should only be able to get tags for a project, or a child project, they have authorization on.

PUT /v3/projects/{project_id}/tags

- Someone with a system role assignment that passes the check string should be able to update tags for any project in the deployment (system-scoped)
- Someone with a domain role assignment that passes the check string should only be able to update tags for projects within the domain they administer (domain-scoped)
- Someone with a project role assignment that passes the check string should only be able to update the tags for the project they administer, or children of that project (project-scoped)

PUT /v3/projects/{project_id}/tags/{value}

- Someone with a system role assignment that passes the check string should be able to tag any project in the deployment (system-scoped)
- Someone with a domain role assignment that passes the check string should only be able to tag projects within the domain they administer (domain-scoped)
- Someone with a project role assignment that passes the check string should only be able to tag the project they have authorization on or children of that project (project-scoped)

DELETE /v3/projects/{project_id}/tags
DELETE /v3/projects/{project_id}/tags/{value}

- Someone with a system role assignment that passes the check string should be able to delete tags from any project in the deployment
- Someone with a domain role assignment that passes the check string should only be able to delete tags from projects within the domain they administer (domain-scoped)
- Someone with a project role assignment that passes the check string should only be able to delete tags from the project they have authorization on or children of that project (project-scoped)

[0] https://github.com/openstack/keystone/blob/68df7bf1f3b3d6ab3f691f59f1ce6de6b0b1deab/keystone/common/policies/project.py
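The scope rules above for GET /v3/projects/{project_id} and GET /v3/projects, modelled as an added, self-contained example (not keystone's or oslo.policy's own enforcement code). It assumes the role check string has already been evaluated (the `passes_check_string` flag), treats "child project" as any descendant in the hierarchy, and uses a constructed project tree with two domains.

```python
"""Model of the scope-aware access rules for the v3 project API.

Constructed example: Project, Token and the sample tree below are
assumptions made for illustration, not keystone data structures.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Project:
    id: str
    domain_id: str
    parent_id: Optional[str] = None  # None for a domain's top-level project


@dataclass(frozen=True)
class Token:
    # At most one of system / domain_id / project_id is set, mirroring
    # system-, domain- and project-scoped tokens. An all-default Token is unscoped.
    system: bool = False
    domain_id: Optional[str] = None
    project_id: Optional[str] = None
    passes_check_string: bool = True  # outcome of the role check, assumed evaluated


def is_descendant_of(projects: Dict[str, Project], candidate: str, ancestor: str) -> bool:
    """True if candidate is ancestor itself or sits anywhere below it."""
    seen = set()
    current: Optional[str] = candidate
    while current is not None and current not in seen:  # guard against cycles
        if current == ancestor:
            return True
        seen.add(current)
        current = projects[current].parent_id
    return False


def can_get_project(token: Token, projects: Dict[str, Project], project_id: str) -> bool:
    """GET /v3/projects/{project_id} under the acceptance criteria."""
    if not token.passes_check_string or project_id not in projects:
        return False
    target = projects[project_id]
    if token.system:                       # system-scoped: any project
        return True
    if token.domain_id is not None:        # domain-scoped: only its own domain
        return target.domain_id == token.domain_id
    if token.project_id is not None:       # project-scoped: the project or a child
        return is_descendant_of(projects, project_id, token.project_id)
    return False                           # unscoped tokens get nothing


def list_projects(token: Token, projects: Dict[str, Project]) -> List[str]:
    """GET /v3/projects. The project-scoped listing rule is marked '?' in the
    report; this model assumes it yields the same set as the single-GET rule."""
    return sorted(p.id for p in projects.values() if can_get_project(token, projects, p.id))


# Constructed sample hierarchy: domain d1 has a three-level tree, d2 one project.
PROJECTS: Dict[str, Project] = {p.id: p for p in [
    Project("d1-root", "d1"),
    Project("d1-child", "d1", parent_id="d1-root"),
    Project("d1-grandchild", "d1", parent_id="d1-child"),
    Project("d2-root", "d2"),
]}
```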

Changed in keystone:
status: New → Triaged
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/551337

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/551411

Changed in keystone:
status: Triaged → Confirmed
status: Confirmed → In Progress
status: In Progress → Fix Released
Colleen Murphy (krinkle)
Changed in keystone:
status: Fix Released → Triaged
Colleen Murphy (krinkle)
tags: added: system-scope
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/610178

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/624215

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/624216

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/624217

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/624218

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/624219

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/624220

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/624221

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/624215
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b35928d5dcd8615d11c199c68c512aaa1dca4ec9
Submitter: Zuul
Branch: master

commit b35928d5dcd8615d11c199c68c512aaa1dca4ec9
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 18:18:42 2018 +0000

    Implement system reader role for projects

    This commit introduces the system reader role to the project API, making
    it easier for administrators to delegate subsets of responsibilities
    to the API by default.

    Subsequent patches will incorporate:

      - system member test coverage
      - system admin functionality
      - domain reader functionality
      - domain member test coverage
      - domain admin functionality
      - project user test coverage

    Change-Id: I089ada1e314688e60f9041095138bc53cd465fa0
    Related-Bug: 1805403
    Related-Bug: 1750660
    Related-Bug: 1806762

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/624216
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6037ac58de0fe599df9220a068e1ef054194187a
Submitter: Zuul
Branch: master

commit 6037ac58de0fe599df9220a068e1ef054194187a
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 18:45:25 2018 +0000

    Implement system member role project test coverage

    This commit introduces explicit test coverage for system members,
    making sure they are allowed to do readable and not writable project
    operations.

    Subsequent patches will incorporate:

      - system admin functionality
      - domain reader functionality
      - domain member test coverage
      - domain admin functionality
      - project user test coverage

    Change-Id: I69ff308ea528d54e0db8e475d047e3dbf356ed2f
    Related-Bug: 1805403
    Related-Bug: 1750660
    Related-Bug: 1806762

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/624217
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=718d122fe1595d59b4eab99c3a744bfe34941369
Submitter: Zuul
Branch: master

commit 718d122fe1595d59b4eab99c3a744bfe34941369
Author: Lance Bragstad <email address hidden>
Date: Mon Jan 7 20:48:11 2019 +0000

    Implement system admin role in project API

    This commit introduces the system admin role to the projects API,
    making it consistent with other system-admin policy definitions.

    Subsequent patches will build on this work to expose more
    functionality to domain users:

     - domain reader functionality
     - domain member test coverage
     - domain admin functionality
     - project user test coverage

    Change-Id: Iceed65d34a8a7cff8841000d7703b1a48e95bb24
    Closes-Bug: 1805403
    Related-Bug: 1750660
    Related-Bug: 1806762

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Lance Bragstad (<email address hidden>) on branch: master
Review: https://review.openstack.org/551337
Reason: This was superseded by:

https://review.openstack.org/#/c/624215/5
https://review.openstack.org/#/c/624216/4
https://review.openstack.org/#/c/624217/4

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Lance Bragstad (<email address hidden>) on branch: master
Review: https://review.openstack.org/551411
Reason: This is being pursued by:

https://review.openstack.org/#/c/624218/6
https://review.openstack.org/#/c/624219/5
https://review.openstack.org/#/c/624220/4

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Lance Bragstad (<email address hidden>) on branch: master
Review: https://review.openstack.org/610178
Reason: This should be taken care of with the series starting at this patch: https://review.openstack.org/#/c/623319/

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Lance Bragstad (<email address hidden>) on branch: master
Review: https://review.openstack.org/624221
Reason: Abandoning this patch since most of the work done here was pulled forward to the system-reader patch.

https://review.openstack.org/#/c/624215/5

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/624218
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=65165e7e8b8cb9a18e5815a51ab75f0328d8eab4
Submitter: Zuul
Branch: master

commit 65165e7e8b8cb9a18e5815a51ab75f0328d8eab4
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 20:49:32 2018 +0000

    Implement domain reader functionality for projects

    This commit adds explicit testing for how users with the reader role
    on a domain should interact with projects both inside and outside of
    the domain they have authorization on.

    Subsequent patches will continue to build on this by incorporating:

     - domain member test coverage
     - domain admin functionality
     - project user test coverage

    Depends-On: https://review.openstack.org/#/c/642102/
    Depends-On: https://review.openstack.org/#/c/624794/
    Change-Id: I28db6b9bdb16a1ecdacdc2b9ecbb8674ef4d8fe4
    Related-Bug: 1750660
    Related-Bug: 1806762

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/624219
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=04dc72a908ce829d7aaf4c62f12d7cd2215812d5
Submitter: Zuul
Branch: master

commit 04dc72a908ce829d7aaf4c62f12d7cd2215812d5
Author: Lance Bragstad <email address hidden>
Date: Mon Jan 7 22:43:57 2019 +0000

    Implement domain member functionality for projects

    This commit adds explicit testing for how users with the member role
    on a domain should interact with projects both inside and outside of
    the domain they have authorization on.

    Subsequent patches will continue to build on this by incorporating:

     - domain admin functionality
     - project user test coverage

    Change-Id: Ic0fe47b7a578270ef4a5e579ac64db63337956c6
    Related-Bug: 1750660
    Related-Bug: 1806762

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/624220
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=09663a01a4eda4332e55637a120019e1784b967e
Submitter: Zuul
Branch: master

commit 09663a01a4eda4332e55637a120019e1784b967e
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 22:01:23 2018 +0000

    Implement domain admin functionality for projects

    This commit adds explicit testing to show how users with the admin role
    on a domain can manage projects within their domain. It also modifies
    the default policies to account for this functionality. A subsequent
    patch will do the same for project users.

    Change-Id: I3e1cc44c4ed09ea0a4123ea13974b963c7335676
    Closes-Bug: 1750660
    Related-Bug: 1806762

Changed in keystone:
status: In Progress → Fix Released
Colleen Murphy (krinkle)
Changed in keystone:
milestone: none → stein-rc2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.openstack.org/647552

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/stein)

Reviewed: https://review.openstack.org/647552
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=24c875fe76474e3194100f138311a151aa2e6b6d
Submitter: Zuul
Branch: stable/stein

commit 24c875fe76474e3194100f138311a151aa2e6b6d
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 22:01:23 2018 +0000

    Implement domain admin functionality for projects

    This commit adds explicit testing to show how users with the admin role
    on a domain can manage projects within their domain. It also modifies
    the default policies to account for this functionality. A subsequent
    patch will do the same for project users.

    Change-Id: I3e1cc44c4ed09ea0a4123ea13974b963c7335676
    Closes-Bug: 1750660
    Related-Bug: 1806762
    (cherry picked from commit 09663a01a4eda4332e55637a120019e1784b967e)

tags: added: in-stable-stein
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 15.0.0.0rc2

This issue was fixed in the openstack/keystone 15.0.0.0rc2 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 16.0.0.0rc1

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.

Revision history for this message
Linda Guo (lihuiguo) wrote (last edit ):

Hi

A user with the admin role on a domain cannot list projects. This was reported in bug 1732502, which is marked as a duplicate of this bug.

I am using keystone 20.0.0. I am still seeing the issue in this version.

$ openstack role assignment list --names --user test-user
+--------+------------------------+-------+---------------------------+--------------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+--------+------------------------+-------+---------------------------+--------------+--------+-----------+
| member | test-user@admin_domain | | test-project@admin_domain | | | False |
| Admin | test-user@admin_domain | | | admin_domain | | False |
+--------+------------------------+-------+---------------------------+--------------+--------+-----------+

$ openstack quota list --network
You are not authorized to perform the requested action: identity:list_projects. (HTTP 403) (Request-ID: req-8df105a6-6d60-426b-bae3-4ce982aef9d3)

$ openstack project list --domain admin_domain
You are not authorized to perform the requested action: identity:list_projects. (HTTP 403) (Request-ID: req-48515624-898f-4395-b209-d521f27df2ed)

# keystone-manage --version
20.0.0
# dpkg -l |grep keystone
ii keystone 2:20.0.0-0ubuntu1~cloud0 all OpenStack identity service - Daemons
ii keystone-common 2:20.0.0-0ubuntu1~cloud0 all OpenStack identity service - Common files
