OpenStack Identity (keystone)

Remove obsolete mapping policies from policy.v3cloudsample.json

Bug #1804519 reported by Lance Bragstad on 2018-11-21

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Medium	Lance Bragstad	OpenStack Identity (keystone) stein-3

Bug Description

Once support for scope types landed in the mapping API policies, the policies in policy.v3cloudsample.json became obsolete [0][1].

We should add formal protection for the policies with enforce_scope = True in keystone.tests.unit.protection.v3 and remove the old policies from the v3 sample policy file.

This will reduce confusion by having a true default policy for mappings.

[0] https://review.openstack.org/#/c/525701/
[1] https://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json?id=fb73912d87b61c419a86c0a9415ebdcf1e186927#n210

Tags:

Lance Bragstad (lbragstad) on 2018-11-21

tags:	added: policy
Changed in keystone:
status:	New → Triaged
importance:	Undecided → Medium

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-11-22: Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/619612

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-11-22:

Related fix proposed to branch: master
Review: https://review.openstack.org/619613

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-11-22:

Related fix proposed to branch: master
Review: https://review.openstack.org/619614

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-11-22:

Related fix proposed to branch: master
Review: https://review.openstack.org/619615

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-11-22:

Related fix proposed to branch: master
Review: https://review.openstack.org/619616

Changed in keystone:
assignee:	nobody → Lance Bragstad (lbragstad)
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-11-22: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/619617

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-01: Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/619612
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cc256054c0d16801bcd241148793ab741e0d2995
Submitter: Zuul
Branch: master

commit cc256054c0d16801bcd241148793ab741e0d2995
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 22 14:58:58 2018 +0000

Update mapping policies for system reader

    The mapping policies were not taking the default roles work we did
    last release into account. This commit changes the default policies
    to rely on the ``reader`` role for get and list mappings. Subsequent
    patches will incorporate:

     - system member
     - system admin
     - domain users
     - project users

Related-Bug: 1804519
Related-Bug: 1804521

Change-Id: I2fe143dc75dd702665ea1ba643d4ae7700b748ac

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-18:

Reviewed: https://review.openstack.org/619613
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=57b3eb01623d286a5f3f69865a3f92178e6a5d8d
Submitter: Zuul
Branch: master

commit 57b3eb01623d286a5f3f69865a3f92178e6a5d8d
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 22 15:58:23 2018 +0000

Add mapping tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same. This is primarily because the member role is
    really meant for project members and project-specific resources, which
    doesn't apply to mapping resources.

    This commit adds explicit testing to make sure the ``member`` role
    is allowed to perform readable and not writable mapping operations.
    Subsequent patches will incorporate:

     - system admin functionality
     - testing for domain users
     - testing for project users

Related-Bug: 1804519
Related-Bug: 1804521

Change-Id: I8a7ecd37f4db59fb8e10b68b03bbaea543484e6d

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-18:

Reviewed: https://review.openstack.org/619614
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e94dff934a07aabfce5cf23943cb338b07093912
Submitter: Zuul
Branch: master

commit e94dff934a07aabfce5cf23943cb338b07093912
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 22 16:09:43 2018 +0000

Update mapping policies for system admin

    This change makes the policy definitions for admin mapping operations
    consistent with the other mapping policies. Subsequent patches will
    incorporate:

- testing for domain users
- testing for project users

    Change-Id: Iad665112c73de41e2c1727a557fe5255e89b3fb6
    Related-Bug: 1804519
    Closes-Bug: 1804521

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-19:

#10

Reviewed: https://review.openstack.org/619615
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ef529f29017b6d3ee79c9a1045da5d6d125f2df3
Submitter: Zuul
Branch: master

commit ef529f29017b6d3ee79c9a1045da5d6d125f2df3
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 22 16:20:13 2018 +0000

Add tests for domain users interacting with mappings

    This commit introduces some tests that show how domain users are
    expected to behave with the federated mapping API. A
    subsequent patch will do the same for project users.

Change-Id: I743100a8e3a5c272a96e6679243d30199461958f
Related-Bug: 1804519

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-21:

#11

Reviewed: https://review.openstack.org/619616
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e4e258a5dccd6188564d54305ad6e3d1805c17d8
Submitter: Zuul
Branch: master

commit e4e258a5dccd6188564d54305ad6e3d1805c17d8
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 22 16:28:53 2018 +0000

Add tests for project users interacting with mappings

    This commit introduces some tests that show how project users
    are expected to behave with the federated mappings API.
    A subsequent patch will clean up the now obsolete policies in the
    policy.v3cloudsample.json file.

Change-Id: I4c8d8dd8474a8374d68458e3903c379ee44bc731
Related-Bug: 1804519

Changed in keystone:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-21: Fix merged to keystone (master)

#12

Reviewed: https://review.openstack.org/619617
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=65f76c17220ae6db70daf34146ea43412f1ef79d
Submitter: Zuul
Branch: master

commit 65f76c17220ae6db70daf34146ea43412f1ef79d
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 22 16:34:40 2018 +0000

Remove mapping policies from policy.v3cloudsample.json

    By incorporating system-scope and default roles, we've effectively
    made these policies obsolete. We can simplify what we maintain and
    provide a more consistent, unified view of default mapping
    behavior by removing them.

Change-Id: Ie01b5a79aaf363b3783c92578f56654b993b5e76
Closes-Bug: 1804519

Colleen Murphy (krinkle) on 2019-02-21

Changed in keystone:
milestone:	none → stein-3

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-21: Fix included in openstack/keystone 15.0.0.0rc1

#13

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.