OpenStack Identity (keystone)

The v3 role assignment API should account for different scopes

Bug #1750673 reported by Lance Bragstad
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
High
Lance Bragstad
OpenStack Identity (keystone) stein-rc2

Bug Description

Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the user API. This is documented in each patch with FIXMEs [0].

The following acceptance criteria describes how the v3 role assignment API should behave with tokens from multiple scopes.

GET /v3/role_assignments

- Someone with a system role assignment that passes the check string should be able to list role assignments for any combination of entities in the deployment (system-scoped)
- Someone with a domain role assignment that passes the check string should only be able to list role assignment for users and group in the domain they administer, or projects within that domain (domain-scoped)
- Someone with a project role assignment that passes the check string should only be able to list role assignments for users and groups that have assignments on the project they administer (project-scoped)

[0] https://github.com/openstack/keystone/blob/68df7bf1f3b3d6ab3f691f59f1ce6de6b0b1deab/keystone/common/policies/role_assignment.py#L21-L28

Colleen Murphy (krinkle)
tags: added: system-scope
Vishakha Agarwal (vishakha.agarwal)
Changed in keystone:
assignee: nobody → Vishakha Agarwal (vishakha.agarwal)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/609210

Changed in keystone:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/638309

Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Lance Bragstad (lbragstad)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/638310

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/638311

OpenStack Infra (hudson-openstack)
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Vishakha Agarwal (vishakha.agarwal)
OpenStack Infra (hudson-openstack)
Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Lance Bragstad (lbragstad)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/639718

OpenStack Infra (hudson-openstack)
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Vishakha Agarwal (vishakha.agarwal)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/609210
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ca835d913d3fcb136841a1cabc1181c93dc6d12e
Submitter: Zuul
Branch: master

commit ca835d913d3fcb136841a1cabc1181c93dc6d12e
Author: Vishakha Agarwal <email address hidden>
Date: Wed Oct 10 10:55:04 2018 +0530

    Implement system reader for role_assignments

    This change adds tests cases for the default roles
    keystone supports at install time. It also modifies
    the policies for the role_assignments API to be more
    self-service by properly checking for various scopes.

    Subsequent patches will:

      - add test coverage for system members
      - add test coverage for system admins
      - add functionality for domain readers
      - add functionality for domain members
      - add functionality for domain admins
      - add functionality for project readers
      - add functionality for project members
      - add functionality for project admins
      - remove the obsolete policies from policy.v3cloudsample.json

    Co-Authored-By: Lance Bragstad <email address hidden>

    Change-Id: I671eec8544f7361c895c19e6785d38993707854e
    Partial-Bug: 1750673
    Partial-Bug: 1816833

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/638309
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=63c6e6c3974feca80a1ee278df4b18351c18d093
Submitter: Zuul
Branch: master

commit 63c6e6c3974feca80a1ee278df4b18351c18d093
Author: Lance Bragstad <email address hidden>
Date: Wed Feb 20 18:08:40 2019 +0000

    Reorganize role assignment tests for system users

    The GET /v3/role_assignments API is a read-only API, making the
    behavior for all system users the same. They should all be able to
    list and filter role assignments for the entire deployment.

    This commit moves the existing system reader tests into a common class
    that can be reused by other test classes for system members and system
    administrators.

    Subsequent patches will:

      - add test coverage for system members
      - add test coverage for system admins
      - add functionality for domain readers
      - add functionality for domain members
      - add functionality for domain admins
      - add functionality for project readers
      - add functionality for project members
      - add functionality for project admins
      - remove the obsolete policies from policy.v3cloudsample.json

    Change-Id: Ic9b1ad3306bb272d3e24a00009014df16b36a65d
    Partial-Bug: 1750673
    Partial-Bug: 1816833

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/638310
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b35fb58ea5bd722ba5a0fe415a217b10a9041727
Submitter: Zuul
Branch: master

commit b35fb58ea5bd722ba5a0fe415a217b10a9041727
Author: Lance Bragstad <email address hidden>
Date: Wed Feb 20 18:19:05 2019 +0000

    Add role assignment test coverage for system members

    This commit adds role assignment test coverage for users who have the
    member role assigned on the system.

    Subsequent patches will:

      - add test coverage for system admins
      - add functionality for domain readers
      - add functionality for domain members
      - add functionality for domain admins
      - add functionality for project readers
      - add functionality for project members
      - add functionality for project admins
      - remove the obsolete policies from policy.v3cloudsample.json

    Change-Id: Ie5333bf61a704d4167004457ec1d9b19b4bb01e8
    Partial-Bug: 1750673
    Partial-Bug: 1816833

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/638311
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=321a8cb035ed2b8035b3f3d69eb9ce30b2d15620
Submitter: Zuul
Branch: master

commit 321a8cb035ed2b8035b3f3d69eb9ce30b2d15620
Author: Lance Bragstad <email address hidden>
Date: Thu Feb 21 01:07:40 2019 +0000

    Add role assignment test coverage for system admin

    This commit adds role assignment test coverage for users who have the
    admin role assigned on the system.

    Subsequent patches will:

      - add functionality for domain readers
      - add functionality for domain members
      - add functionality for domain admins
      - add functionality for project readers
      - add functionality for project members
      - add functionality for project admins
      - remove the obsolete policies from policy.v3cloudsample.json

    Change-Id: If0d418a7117623b3bfe11b8e23781d02ac1debf0
    Partial-Bug: 1750673
    Closes-Bug: 1816833

OpenStack Infra (hudson-openstack)
Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Lance Bragstad (lbragstad)
Vishakha Agarwal (vishakha.agarwal)
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Vishakha Agarwal (vishakha.agarwal)
OpenStack Infra (hudson-openstack)
Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Lance Bragstad (lbragstad)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/638587
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=425d48ec0aa44b46c628d8c238bcf97f315d0f05
Submitter: Zuul
Branch: master

commit 425d48ec0aa44b46c628d8c238bcf97f315d0f05
Author: Vishakha Agarwal <email address hidden>
Date: Fri Feb 22 00:51:40 2019 +0530

    Implement domain reader for role_assignments

    This change adds tests cases for the default roles
    keystone supports at install time. It also modifies
    the policies for the role_assignments API to be more
    self-service by properly checking for scopes if accessed
    with a domain-scoped tokens. This gives domain users the
    power to query role assignments within the domain they
    have authorization on without exposing other assignment
    information in the deployment, domains, or projects.

    Subsequent patches will:

      - add functionality for domain members
      - add functionality for domain admins
      - add functionality for project readers
      - add functionality for project members
      - add functionality for project admins
      - remove the obsolete policies from policy.v3cloudsample.json

    Co-Authored-By: Lance Bragstad <email address hidden>

    Partial-Bug: 1750673
    Change-Id: I0c6d202a315d4683e2589f0d9121e93c97fb13e4

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/638593
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=269a2890a9cccf1e5c0e5fd8d7f8c60758c8ff8f
Submitter: Zuul
Branch: master

commit 269a2890a9cccf1e5c0e5fd8d7f8c60758c8ff8f
Author: Vishakha Agarwal <email address hidden>
Date: Fri Feb 22 01:43:32 2019 +0530

    Add role assignment test coverage for domain members

    This commit adds role assignment test coverage for
    users who have the member role assigned on the domain.

    Subsequent patches will:

    - add functionality for domain admins
    - add functionality for project readers
    - add functionality for project members
    - add functionality for project admins
    - remove the obsolete policies from policy.v3cloudsample.json

    Partial-Bug: 1750673
    Change-Id: I13fd19fb1d38ba43a22505e3fdbf552fddc949dd

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/638597
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=25f86d4e29ba085355554000dbf4dd949be37d7d
Submitter: Zuul
Branch: master

commit 25f86d4e29ba085355554000dbf4dd949be37d7d
Author: Vishakha Agarwal <email address hidden>
Date: Fri Feb 22 01:56:22 2019 +0530

    Add role assignment test coverage for domain admins

    This commit adds role assignment test coverage for users
    who have the admin role assigned on the domain.

    Subsequent patches will:

    - add functionality for project readers
    - add functionality for project members
    - add functionality for project admins
    - remove the obsolete policies from policy.v3cloudsample.json

    Partial-Bug: 1750673
    Change-Id: I6f2231b549650d7e92920d1a67bc41eda5ab8db0

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.openstack.org/647558

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: stable/stein
Review: https://review.openstack.org/647559

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: stable/stein
Review: https://review.openstack.org/647560

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: stable/stein
Review: https://review.openstack.org/647588

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/639718
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=954b97666937b8ef14fd1510636af4d8e456e918
Submitter: Zuul
Branch: master

commit 954b97666937b8ef14fd1510636af4d8e456e918
Author: Lance Bragstad <email address hidden>
Date: Wed Feb 27 15:47:58 2019 +0000

    Add role assignment testing for project users

    This commit adds some scaffolding for testing how user with project
    role assignments should behave with the role assignment API.

    Co-Authored-By: Vishakha Agarwal <email address hidden>
    Closes-Bug: 1750673
    Change-Id: Iec99b5d6b3aa3015d4410ce94fedc646bc4d6f74

Changed in keystone:
status: In Progress → Fix Released
Colleen Murphy (krinkle)
Changed in keystone:
milestone: none → stein-rc2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/stein)

Reviewed: https://review.openstack.org/647558
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c56611ff58cc732a021dd28cd252a0a87ee3aaa6
Submitter: Zuul
Branch: stable/stein

commit c56611ff58cc732a021dd28cd252a0a87ee3aaa6
Author: Vishakha Agarwal <email address hidden>
Date: Fri Feb 22 00:51:40 2019 +0530

    Implement domain reader for role_assignments

    This change adds tests cases for the default roles
    keystone supports at install time. It also modifies
    the policies for the role_assignments API to be more
    self-service by properly checking for scopes if accessed
    with a domain-scoped tokens. This gives domain users the
    power to query role assignments within the domain they
    have authorization on without exposing other assignment
    information in the deployment, domains, or projects.

    Subsequent patches will:

      - add functionality for domain members
      - add functionality for domain admins
      - add functionality for project readers
      - add functionality for project members
      - add functionality for project admins
      - remove the obsolete policies from policy.v3cloudsample.json

    Co-Authored-By: Lance Bragstad <email address hidden>

    Partial-Bug: 1750673
    Change-Id: I0c6d202a315d4683e2589f0d9121e93c97fb13e4
    (cherry picked from commit 425d48ec0aa44b46c628d8c238bcf97f315d0f05)

tags: added: in-stable-stein
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/647559
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=fb944086d4bdd75efad2cb98472803d363d87108
Submitter: Zuul
Branch: stable/stein

commit fb944086d4bdd75efad2cb98472803d363d87108
Author: Vishakha Agarwal <email address hidden>
Date: Fri Feb 22 01:43:32 2019 +0530

    Add role assignment test coverage for domain members

    This commit adds role assignment test coverage for
    users who have the member role assigned on the domain.

    Subsequent patches will:

    - add functionality for domain admins
    - add functionality for project readers
    - add functionality for project members
    - add functionality for project admins
    - remove the obsolete policies from policy.v3cloudsample.json

    Partial-Bug: 1750673
    Change-Id: I13fd19fb1d38ba43a22505e3fdbf552fddc949dd
    (cherry picked from commit 269a2890a9cccf1e5c0e5fd8d7f8c60758c8ff8f)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/647560
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2696c36f56aade56ee9f7724db8cce3182b5be37
Submitter: Zuul
Branch: stable/stein

commit 2696c36f56aade56ee9f7724db8cce3182b5be37
Author: Vishakha Agarwal <email address hidden>
Date: Fri Feb 22 01:56:22 2019 +0530

    Add role assignment test coverage for domain admins

    This commit adds role assignment test coverage for users
    who have the admin role assigned on the domain.

    Subsequent patches will:

    - add functionality for project readers
    - add functionality for project members
    - add functionality for project admins
    - remove the obsolete policies from policy.v3cloudsample.json

    Partial-Bug: 1750673
    Change-Id: I6f2231b549650d7e92920d1a67bc41eda5ab8db0
    (cherry picked from commit 25f86d4e29ba085355554000dbf4dd949be37d7d)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/647588
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=10305cf729a59ac43f752b31db154b0ee268a98b
Submitter: Zuul
Branch: stable/stein

commit 10305cf729a59ac43f752b31db154b0ee268a98b
Author: Lance Bragstad <email address hidden>
Date: Wed Feb 27 15:47:58 2019 +0000

    Add role assignment testing for project users

    This commit adds some scaffolding for testing how user with project
    role assignments should behave with the role assignment API.

    Co-Authored-By: Vishakha Agarwal <email address hidden>
    Closes-Bug: 1750673
    Change-Id: Iec99b5d6b3aa3015d4410ce94fedc646bc4d6f74
    (cherry picked from commit 954b97666937b8ef14fd1510636af4d8e456e918)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 15.0.0.0rc2

This issue was fixed in the openstack/keystone 15.0.0.0rc2 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 16.0.0.0rc1

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.