Remove obsolete role policies from policy.v3cloudsample.json

Bug #1806713 reported by Lance Bragstad
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Lance Bragstad

Bug Description

Once support for scope types landed in the role API policies, the policies in policy.v3cloudsample.json became obsolete [0][1].

We should add formal protection for the policies with enforce_scope = True in keystone.tests.unit.protection.v3 and remove the old policies from the v3 sample policy file.

This will reduce confusion by having a true default policy for limits and registered limits.

[0] https://review.openstack.org/#/c/526171/
[1] http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json?id=fb73912d87b61c419a86c0a9415ebdcf1e186927#n91

Tags: policy
tags: added: policy
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/622524

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/622525

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/622526

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/622527

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/622528

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/622529

OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/622524
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=567f305b41414f1468147e5eba903871bfbe7392
Submitter: Zuul
Branch: master

commit 567f305b41414f1468147e5eba903871bfbe7392
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 15:45:42 2018 +0000

    Update role policies for system reader

    The role policies were not taking the default roles work we did last
    release into account. This commit changes the default policies to rely
    on the ``reader`` role for getting and listing roles. Subsequent
    patches will incorporate:

     - system member test coverage
     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Change-Id: I3e373c437ff0ffddba10bde59fd7f18f8be6498c
    Related-Bug: 1805402
    Related-Bug: 1806713

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/622525
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=dd9d06c6379d1f9cb046ae49406330a31bb63a09
Submitter: Zuul
Branch: master

commit dd9d06c6379d1f9cb046ae49406330a31bb63a09
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 15:50:41 2018 +0000

    Add role tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writable role operations to the
    ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role is
    allowed to perform readable and not writable role operations.
    Subsequent patches will incorporate:

     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Change-Id: I2bc3b65b6ef16adaa95e6299ac205b26797f7185
    Related-Bug: 1805402
    Related-Bug: 1806713

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/622526
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2ca4836a956b2d81728447d44efdff96e2ec39df
Submitter: Zuul
Branch: master

commit 2ca4836a956b2d81728447d44efdff96e2ec39df
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 18:07:07 2018 +0000

    Update role policies for system admin

    This change makes the policy definitions for admin role operations
    consistent with other role policies. Subsequent patches will
    incorporate:

     - domain user test coverage
     - project user test coverage

    Change-Id: I35a2af10d47e000ee6257ce16c52c7e49a62b033
    Related-Bug: 1806713
    Closes-Bug: 1805402

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/622527
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=31eecfb2a42e44899ea2f72866be33cc7700db65
Submitter: Zuul
Branch: master

commit 31eecfb2a42e44899ea2f72866be33cc7700db65
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 18:16:34 2018 +0000

    Add tests for domain users interacting with roles

    This commit adds explicit tests that show how domain users
    are expected to behave with global roles. A subsequent patch
    will do the same for project users.

    Note that these changes are slightly different from the
    policy.v3cloudsample.json role policies. In policy.v3cloudsample.json,
    domain users were allowed to get and list global roles. So were
    project users. This behavior is changing because global roles are
    considered global resources of the deployment, and they should be
    managed by system users. Domain users should be able to add and remove
    domain specific roles, which will come in a subsequent series of
    patches. This approach is being taken because it is a safer default
    for a system level resource (roles) and still allows the same
    functionality for domain users through domain-specific roles.

    Change-Id: Ia1a7adf4431042ecea1b41e3c589c55112183ab5
    Partial-Bug: 1806713
    Partial-Bug: 1805400

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/622528
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=512f0b4f7bb369bf4287d76a80e3bafd0cd0e0e2
Submitter: Zuul
Branch: master

commit 512f0b4f7bb369bf4287d76a80e3bafd0cd0e0e2
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 18:18:35 2018 +0000

    Add tests for project users interacting with roles

    This commit introduces test coverage that explicitly shows how
    project users are expected to behave with global role resources. A
    subsequent patch will clean up the now obsolete policies in the
    policy.v3cloudsample.json policy file.

    Change-Id: Id0dc3022ab294e73aeaa87e130bea4809f8c982b
    Partial-Bug: 1806713

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/622529
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6d756ad61247828319b184b6894fe8cabd7a5968
Submitter: Zuul
Branch: master

commit 6d756ad61247828319b184b6894fe8cabd7a5968
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 18:23:36 2018 +0000

    Remove role policies from policy.v3cloudsample.json

    By incorporating system-scope and default roles, we've effectively
    made these policies obsolete. We can simplify what we maintain and
    provide a more consistent, unified view of default role behavior by
    removing them.

    Note that these changes are slightly different from the
    policy.v3cloudsample.json role policies, hence the removed tests. In
    policy.v3cloudsample.json, domain users were allowed to get and list
    global roles. So were project users. This behavior is changing because
    global roles are considered global resources of the deployment, and
    they should be managed by system users. Domain users should be able to
    add and remove domain specific roles, which will come in a subsequent
    series of patches. This approach is being taken because it is a safer
    default for a system level resource (global roles) and still allows
    the same functionality for domain users through domain-specific roles.

    Change-Id: Iddaa59024a1dcefd4d791b95413602865888c1ff
    Closes-Bug: 1806713
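
The access behaviour described across this commit series, as an added example that is not keystone or oslo.policy code: a simplified Python model in which global role reads require `reader`, writes require `admin`, and only system-scoped tokens are accepted. The `Rule`, `Token`, `authorize` and `access_matrix` names and the rule table are assumptions made for illustration.

```python
# Added illustration: a simplified model, not keystone or oslo.policy code.
from dataclasses import dataclass

# Default role implications: admin implies member, member implies reader.
IMPLIED = {
    "admin": {"admin", "member", "reader"},
    "member": {"member", "reader"},
    "reader": {"reader"},
}

@dataclass(frozen=True)
class Rule:
    required_role: str
    scope_types: tuple  # token scopes accepted when scope is enforced

# Assumed rule table derived from the commit messages: reads need reader,
# writes need admin, and global roles are a system-level resource.
ROLE_POLICIES = {
    "identity:get_role": Rule("reader", ("system",)),
    "identity:list_roles": Rule("reader", ("system",)),
    "identity:create_role": Rule("admin", ("system",)),
    "identity:update_role": Rule("admin", ("system",)),
    "identity:delete_role": Rule("admin", ("system",)),
}

@dataclass(frozen=True)
class Token:
    scope: str  # "system", "domain" or "project"
    role: str   # role assigned on that scope

def authorize(action, token):
    """Decide as the protection tests expect with enforce_scope = True."""
    rule = ROLE_POLICIES.get(action)
    if rule is None:
        return False  # unknown action: fail closed
    if token.scope not in rule.scope_types:
        return False  # domain/project tokens cannot touch global roles
    return rule.required_role in IMPLIED.get(token.role, set())

def access_matrix():
    """Allowed actions for each scope/role persona in the commit series."""
    personas = {f"{s}-{r}": Token(s, r)
                for s in ("system", "domain", "project")
                for r in ("reader", "member", "admin")}
    return {name: sorted(a for a in ROLE_POLICIES if authorize(a, tok))
            for name, tok in personas.items()}
```
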

Colleen Murphy (krinkle)
Changed in keystone:
milestone: none → stein-3
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
