Role assignment API doesn't use default roles

Bug #1816833 reported by Lance Bragstad
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Lance Bragstad

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The role assignment API (/v3/role_assignments) doesn't incorporate these defaults into its default policies [1], but it should.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/role_assignment.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

Lance Bragstad (lbragstad) wrote :

Setting this to High because it would be really beneficial to have scope work and default roles implemented on this API. Nearly every user in the deployment would benefit from this work.

Changed in keystone:
status: New → Triaged
importance: Undecided → High
tags: added: default-roles policy
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/638310

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/638311

Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Vishakha Agarwal (vishakha.agarwal)
Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Lance Bragstad (lbragstad)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/609210
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ca835d913d3fcb136841a1cabc1181c93dc6d12e
Submitter: Zuul
Branch: master

commit ca835d913d3fcb136841a1cabc1181c93dc6d12e
Author: Vishakha Agarwal <email address hidden>
Date: Wed Oct 10 10:55:04 2018 +0530

    Implement system reader for role_assignments

    This change adds test cases for the default roles
    keystone supports at install time. It also modifies
    the policies for the role_assignments API to be more
    self-service by properly checking for various scopes.

    Subsequent patches will:

      - add test coverage for system members
      - add test coverage for system admins
      - add functionality for domain readers
      - add functionality for domain members
      - add functionality for domain admins
      - add functionality for project readers
      - add functionality for project members
      - add functionality for project admins
      - remove the obsolete policies from policy.v3cloudsample.json

    Co-Authored-By: Lance Bragstad <email address hidden>

    Change-Id: I671eec8544f7361c895c19e6785d38993707854e
    Partial-Bug: 1750673
    Partial-Bug: 1816833

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/638309
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=63c6e6c3974feca80a1ee278df4b18351c18d093
Submitter: Zuul
Branch: master

commit 63c6e6c3974feca80a1ee278df4b18351c18d093
Author: Lance Bragstad <email address hidden>
Date: Wed Feb 20 18:08:40 2019 +0000

    Reorganize role assignment tests for system users

    The GET /v3/role_assignments API is a read-only API, making the
    behavior for all system users the same. They should all be able to
    list and filter role assignments for the entire deployment.

    This commit moves the existing system reader tests into a common class
    that can be reused by other test classes for system members and system
    administrators.

    Subsequent patches will:

      - add test coverage for system members
      - add test coverage for system admins
      - add functionality for domain readers
      - add functionality for domain members
      - add functionality for domain admins
      - add functionality for project readers
      - add functionality for project members
      - add functionality for project admins
      - remove the obsolete policies from policy.v3cloudsample.json

    Change-Id: Ic9b1ad3306bb272d3e24a00009014df16b36a65d
    Partial-Bug: 1750673
    Partial-Bug: 1816833
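
An added illustration of the behaviour described in the commit message above (not keystone's code): a toy policy check showing why a read-only API guarded by "reader on the system" treats system readers, members and admins alike. The implication chain admin -> member -> reader is keystone's default-role setup; the two rule functions, the token dictionaries and their field names are simplified assumptions, and only the system-scope case is modelled.

```python
# Added illustration, not keystone's code: a toy model of the policy check.
# Default roles form an implication chain: admin -> member -> reader.
IMPLIED = {"admin": ["member"], "member": ["reader"], "reader": []}


def effective_roles(assigned):
    """Expand assigned roles with every role they imply."""
    roles, todo = set(), list(assigned)
    while todo:
        role = todo.pop()
        if role not in roles:
            roles.add(role)
            todo.extend(IMPLIED.get(role, []))
    return roles


def admin_only(token):
    """Assumed pre-fix default: admin role required, token scope ignored."""
    return "admin" in effective_roles(token["roles"])


def system_reader(token):
    """Assumed post-fix default: reader role on a system-scoped token."""
    return (token.get("system_scope") == "all"
            and "reader" in effective_roles(token["roles"]))


# Constructed token contexts (simplified; real tokens carry more fields).
TOKENS = {
    "system-reader": {"roles": ["reader"], "system_scope": "all"},
    "system-member": {"roles": ["member"], "system_scope": "all"},
    "system-admin": {"roles": ["admin"], "system_scope": "all"},
    "project-admin": {"roles": ["admin"], "project_id": "constructed-project"},
    "project-reader": {"roles": ["reader"], "project_id": "constructed-project"},
}


def decisions(rule):
    """Return {token name: allowed?} for GET /v3/role_assignments under rule."""
    return {name: rule(tok) for name, tok in TOKENS.items()}


if __name__ == "__main__":
    for name in TOKENS:
        print(f"{name:15} admin_only={decisions(admin_only)[name]!s:5} "
              f"system_reader={decisions(system_reader)[name]}")
```

Under the scope-unaware rule a project-scoped admin token passes and a system reader is refused; under the scoped rule all three system roles pass and both project-scoped tokens are refused.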

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/638310
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b35fb58ea5bd722ba5a0fe415a217b10a9041727
Submitter: Zuul
Branch: master

commit b35fb58ea5bd722ba5a0fe415a217b10a9041727
Author: Lance Bragstad <email address hidden>
Date: Wed Feb 20 18:19:05 2019 +0000

    Add role assignment test coverage for system members

    This commit adds role assignment test coverage for users who have the
    member role assigned on the system.

    Subsequent patches will:

      - add test coverage for system admins
      - add functionality for domain readers
      - add functionality for domain members
      - add functionality for domain admins
      - add functionality for project readers
      - add functionality for project members
      - add functionality for project admins
      - remove the obsolete policies from policy.v3cloudsample.json

    Change-Id: Ie5333bf61a704d4167004457ec1d9b19b4bb01e8
    Partial-Bug: 1750673
    Partial-Bug: 1816833

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/638311
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=321a8cb035ed2b8035b3f3d69eb9ce30b2d15620
Submitter: Zuul
Branch: master

commit 321a8cb035ed2b8035b3f3d69eb9ce30b2d15620
Author: Lance Bragstad <email address hidden>
Date: Thu Feb 21 01:07:40 2019 +0000

    Add role assignment test coverage for system admin

    This commit adds role assignment test coverage for users who have the
    admin role assigned on the system.

    Subsequent patches will:

      - add functionality for domain readers
      - add functionality for domain members
      - add functionality for domain admins
      - add functionality for project readers
      - add functionality for project members
      - add functionality for project admins
      - remove the obsolete policies from policy.v3cloudsample.json

    Change-Id: If0d418a7117623b3bfe11b8e23781d02ac1debf0
    Partial-Bug: 1750673
    Closes-Bug: 1816833

Changed in keystone:
milestone: none → stein-3
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
