Remove obsolete region policies from policy.v3cloudsample.json

Bug #1804292 reported by Lance Bragstad
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Lance Bragstad

Bug Description

Once support for scope types landed in the region API policies, the policies in policy.v3cloudsample.json became obsolete [0].

We should add formal protection for the policies with enforce_scope = True in keystone.tests.unit.protection.v3 and remove the old policies from the v3 sample policy file.

This will reduce confusion by having a true default policy for regions.

[0] https://review.openstack.org/#/c/525698/

Tags: policy
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
tags: added: policy system-scope
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/619085

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/619086

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/619241

tags: removed: system-scope
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/619242

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/619243

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/619244

OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/619085
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=fdf8cb1f0420eef27592d32f2e10066482304314
Submitter: Zuul
Branch: master

commit fdf8cb1f0420eef27592d32f2e10066482304314
Author: Lance Bragstad <email address hidden>
Date: Tue Nov 20 19:14:48 2018 +0000

    Add region protection tests for system readers

    This commit ensures we test the default roles provided with keystone
    against the scope types used in default region policies. Subsequent
    patches will include testing for:

     - system member test coverage
     - system admin functionality
     - domain users test coverage
     - project users test coverage

    Change-Id: I65a8a291e87a29f7ae819ba1ec177e955708db51
    Related-Bug: 1804292
    Related-Bug: 1804446

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/619086
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=833b00e57ecb31cf46083d8e976c267139ca18a7
Submitter: Zuul
Branch: master

commit 833b00e57ecb31cf46083d8e976c267139ca18a7
Author: Lance Bragstad <email address hidden>
Date: Tue Nov 20 20:01:21 2018 +0000

    Add region tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writable region operations to the
    system ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role
    is allowed to perform readable and not writable mapping operations.
    Subsequent patches will incorporate:

     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Change-Id: I2253288574fc6b932a5c57bfee8f176e3d10dd84
    Related-Bug: 1804292
    Related-Bug: 1804446

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/619241
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f3b69e4b4cb66470a4fcba5b84ba3cfaf1ec7b07
Submitter: Zuul
Branch: master

commit f3b69e4b4cb66470a4fcba5b84ba3cfaf1ec7b07
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 12:57:14 2018 +0000

    Update region policies to use system admin

    This change updates the policies for the regions API to include
    system administrators and includes appropriate test coverage. A
    subsequent set of patches will introduce test coverage for:

     - domain users test coverage
     - project users test coverage

     Related-Bug: 1804292
     Closes-Bug: 1804446

    Change-Id: I84dd7fc69a2eab9ab8c2130f26a2fb664d5663a5

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/619242
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=be83c6d71c950a674bf2b3811e9bf2091a6e0b3e
Submitter: Zuul
Branch: master

commit be83c6d71c950a674bf2b3811e9bf2091a6e0b3e
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 13:15:39 2018 +0000

    Add tests for domain users interacting with regions

    This commit introduces some tests that show how domain
    users are expected to behave with the regions API. A subsequent
    patch will do the same for project users.

    Change-Id: I64020bbd4eeac0bb7b4b8d124c138b74748e01e3
    Related-Bug: 1804292

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/619243
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bb8ebfd659b7b8b5804ec77e20f58fbd777b9fb7
Submitter: Zuul
Branch: master

commit bb8ebfd659b7b8b5804ec77e20f58fbd777b9fb7
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 13:19:34 2018 +0000

    Add tests for project users interacting with regions

    This commit introduces some tests that show how project users
    are expected to behave with the regions API. A subsequent patch
    will clean up the now obsolete policies in the v3.cloudsample.json
    policy file.

    Change-Id: I3f2fa736019eb143a4747e708b948660a8567705
    Related-Bug: 1804292

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/619244
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1b7db4a0626a58e42d19b60b882c9903b72a92ef
Submitter: Zuul
Branch: master

commit 1b7db4a0626a58e42d19b60b882c9903b72a92ef
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 13:30:14 2018 +0000

    Remove region policies from policy.v3cloudsample.json

    By incorporating system-scope and default roles, we've effectively
    made these policies obsolete. We can simplify what we maintain and
    provide a more consistent, unified view of default region behavior
    by removing them.

    Change-Id: I0f982d71fc4a5d33ed66cb34d7388f3c4655e3ef
    Closes-Bug: 1804292

Changed in keystone:
milestone: none → stein-3
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
