OpenStack Identity (keystone)

Regions API doesn't use default roles

Bug #1804446 reported by Lance Bragstad on 2018-11-21

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Medium	Lance Bragstad	OpenStack Identity (keystone) stein-3

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The regions API doesn't incorporate these defaults into its default policies [1], but it should.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/region.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

See original description

Tags:

Lance Bragstad (lbragstad) on 2018-11-21

description:	updated
Changed in keystone:
status:	New → Confirmed
status:	Confirmed → Triaged
importance:	Undecided → Medium

Lance Bragstad (lbragstad) on 2018-11-21

tags:

added: default-roles

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-11-21: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/619241

Changed in keystone:
assignee:	nobody → Lance Bragstad (lbragstad)
status:	Triaged → In Progress

Lance Bragstad (lbragstad) on 2018-11-21

tags:

added: policy

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-01-23: Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/619085
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=fdf8cb1f0420eef27592d32f2e10066482304314
Submitter: Zuul
Branch: master

commit fdf8cb1f0420eef27592d32f2e10066482304314
Author: Lance Bragstad <email address hidden>
Date: Tue Nov 20 19:14:48 2018 +0000

Add region protection tests for system readers

    This commit ensures we test the default roles provided with keystone
    against the scope types used in default region policies. Subsequent
    patches will include testing for:

     - system member test coverage
     - system admin functionality
     - domain users test coverage
     - project users test coverage

    Change-Id: I65a8a291e87a29f7ae819ba1ec177e955708db51
    Related-Bug: 1804292
    Related-Bug: 1804446

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-14:

Reviewed: https://review.openstack.org/619086
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=833b00e57ecb31cf46083d8e976c267139ca18a7
Submitter: Zuul
Branch: master

commit 833b00e57ecb31cf46083d8e976c267139ca18a7
Author: Lance Bragstad <email address hidden>
Date: Tue Nov 20 20:01:21 2018 +0000

Add region tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writable region operations to the
    system ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role
    is allowed to perform readable and not writable mapping operations.
    Subsequent patches will incorporate:

     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Change-Id: I2253288574fc6b932a5c57bfee8f176e3d10dd84
    Related-Bug: 1804292
    Related-Bug: 1804446

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-15: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/619241
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f3b69e4b4cb66470a4fcba5b84ba3cfaf1ec7b07
Submitter: Zuul
Branch: master

commit f3b69e4b4cb66470a4fcba5b84ba3cfaf1ec7b07
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 12:57:14 2018 +0000

Update region policies to use system admin

    This change updates the policies for the regions API to include
    system administrators and includes appropriate test coverage. A
    subsequent set of patches will introduce test coverage for:

- domains user test coverage
- project users test coverage

Related-Bug: 1804292
Closes-Bug: 1804446

Change-Id: I84dd7fc69a2eab9ab8c2130f26a2fb664d5663a5

Changed in keystone:
status:	In Progress → Fix Released

Colleen Murphy (krinkle) on 2019-02-15

Changed in keystone:
milestone:	none → stein-3

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-21: Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.