Service provider API doesn't use default roles

Bug #1804522 reported by Lance Bragstad
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Lance Bragstad

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The service provider (federation) API doesn't incorporate these defaults into its default policies [1], but it should.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/service_provider.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

tags: added: default-roles policy
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/620156

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/620157

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/620158

OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/620156
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=acd5d027ecc3d5b8819b0f5772ce114cdbd7a680
Submitter: Zuul
Branch: master

commit acd5d027ecc3d5b8819b0f5772ce114cdbd7a680
Author: Lance Bragstad <email address hidden>
Date: Mon Nov 26 19:46:30 2018 +0000

    Update service provider policies for system reader

    The service provider policies were not taking the default roles work
    we did last release into account. This commit changes the default
    policies to rely on the ``reader`` role for get and list service
    providers. Subsequent patches will incorporate:

     - system member test coverage
     - system admin functionality
     - domain users test coverage
     - project users test coverage

     Related-Bug: 1804520
     Related-Bug: 1804522

    Change-Id: I54fde6f6395b55a0798157346af3188bc756ba50

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/620157
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e22bafa25bced833115530401ef878f5e1d1c7eb
Submitter: Zuul
Branch: master

commit e22bafa25bced833115530401ef878f5e1d1c7eb
Author: Lance Bragstad <email address hidden>
Date: Mon Nov 26 20:29:00 2018 +0000

    Add service provider tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writable service provider operations
    to the ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role is
    allowed to perform readable and not writable service provider
    operations. Subsequent patches will incorporate:

     - system admin functionality
     - domain users test coverage
     - project users test coverage

     Related-Bug: 1804520
     Related-Bug: 1804522

    Change-Id: Iecc39d5e4f1a4dc9293e67ee86f23f9a119793a8

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/620158
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7ce5e3e24e8291c0af387a72ce7b47c3b28a9f74
Submitter: Zuul
Branch: master

commit 7ce5e3e24e8291c0af387a72ce7b47c3b28a9f74
Author: Lance Bragstad <email address hidden>
Date: Mon Nov 26 20:43:09 2018 +0000

    Update service provider policies for system admin

    This change makes the policy definitions for admin service
    provider operations consistent with the other service provider
    policies. Subsequent patches will incorporate:

     - domain users test coverage
     - project users test coverage

    Change-Id: I621192f089d1b29e2585d0030716348274e50bf1
    Related-Bug: 1804520
    Closes-Bug: 1804522

Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → stein-3
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
