From rocky keystone is bootstrapped with a 'member'; CephRgw used to allow 'Member' instead

Bug #1847539 reported by Giulio Fidente
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Giulio Fidente
Milestone: (none listed)

Bug Description

With the implementation of the keystone blueprint basic-default-roles [1] in rocky, a role called 'member' is created in keystone by default.

Before rocky, instead, the role was created after keystone started and used to be named 'Member'.

CephRgw is whitelisting the roles which are allowed to create content, and it used to only permit access to admin and Member.

1. https://blueprints.launchpad.net/keystone/+spec/basic-default-roles

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.opendev.org/687680

Changed in tripleo:
assignee: nobody → Giulio Fidente (gfidente)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/687680
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=1357a131c83e0d4c699df5b9230c382a803eb5d7
Submitter: Zuul
Branch: master

commit 1357a131c83e0d4c699df5b9230c382a803eb5d7
Author: Giulio Fidente <email address hidden>
Date: Wed Oct 9 23:19:43 2019 +0200

    Permit access to Ceph RGW for 'member' role

    From the Rocky release, Keystone is bootstrapped by default [1]
    with a 'member' role, while previously we used to create at
    deployment time a role called 'Member'.

    Role names are case insensitive in Keystone but Ceph RGW expects
    a whitelist of role names to which access is permitted. This change
    adds 'member' to the Ceph RGW whitelist, in addition to 'Member'.

    1. https://blueprints.launchpad.net/keystone/+spec/basic-default-roles

    Change-Id: Ib3c70c136fa4a03b58edc370343a01d657b5b101
    Closes-Bug: 1847539

Changed in tripleo:
status: In Progress → Fix Released
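
Added example, not part of the bug report or of the tripleo-heat-templates change: a small audit that reads the Ceph option `rgw_keystone_accepted_roles` from a ceph.conf fragment and flags Keystone roles that match the whitelist only when case is ignored, which is the mismatch described above. The ceph.conf fragments, the section name and the role lists are constructed, and exact-string matching on the RGW side is an assumption taken from the commit message.

```python
import configparser

# Constructed ceph.conf fragments: the pre-fix whitelist and the one the fix produces.
BEFORE = """
[client.rgw.controller-0]
rgw keystone accepted roles = Member, admin
"""
AFTER = """
[client.rgw.controller-0]
rgw_keystone_accepted_roles = member, Member, admin
"""

def accepted_roles(conf_text):
    """Return {section: [role, ...]} for every section that sets the whitelist."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    found = {}
    for section in cp.sections():
        for key, value in cp.items(section):
            # Ceph treats spaces, dashes and underscores in option names alike.
            if key.replace(" ", "_").replace("-", "_") == "rgw_keystone_accepted_roles":
                found[section] = [r.strip() for r in value.split(",") if r.strip()]
    return found

def audit(conf_text, token_roles):
    """Classify each Keystone role on a token against the RGW whitelist.

    'allowed'   : exact string match (assumed to be how RGW compares names).
    'case_only' : matches only when case is ignored, the mismatch in this bug.
    'denied'    : not whitelisted under any casing.
    """
    report = {}
    for section, roles in accepted_roles(conf_text).items():
        exact = set(roles)
        folded = {r.casefold() for r in roles}
        result = {}
        for role in token_roles:
            if role in exact:
                result[role] = "allowed"
            elif role.casefold() in folded:
                result[role] = "case_only"
            else:
                result[role] = "denied"
        report[section] = result
    return report

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(conf, ["member", "reader"]))
```

A `case_only` result means users holding that role are refused by RGW even though Keystone considers the name equivalent; the whitelist should list the exact spelling Keystone issues rather than being widened beyond it.
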
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/688651

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/stein)

Reviewed: https://review.opendev.org/688651
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=7ecd756b7c5eff4ef938fced335d75123749b1f3
Submitter: Zuul
Branch: stable/stein

commit 7ecd756b7c5eff4ef938fced335d75123749b1f3
Author: Giulio Fidente <email address hidden>
Date: Wed Oct 9 23:19:43 2019 +0200

    Permit access to Ceph RGW for 'member' role

    From the Rocky release, Keystone is bootstrapped by default [1]
    with a 'member' role, while previously we used to create at
    deployment time a role called 'Member'.

    Role names are case insensitive in Keystone but Ceph RGW expects
    a whitelist of role names to which access is permitted. This change
    adds 'member' to the Ceph RGW whitelist, in addition to 'Member'.

    1. https://blueprints.launchpad.net/keystone/+spec/basic-default-roles

    Change-Id: Ib3c70c136fa4a03b58edc370343a01d657b5b101
    Closes-Bug: 1847539
    (cherry picked from commit 1357a131c83e0d4c699df5b9230c382a803eb5d7)

tags: added: in-stable-stein
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/688893

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 11.3.0

This issue was fixed in the openstack/tripleo-heat-templates 11.3.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/rocky)

Reviewed: https://review.opendev.org/688893
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=bf18f6e36fda46313867b94cd2d28009caf94b15
Submitter: Zuul
Branch: stable/rocky

commit bf18f6e36fda46313867b94cd2d28009caf94b15
Author: Giulio Fidente <email address hidden>
Date: Wed Oct 9 23:19:43 2019 +0200

    Permit access to Ceph RGW for 'member' role

    From the Rocky release, Keystone is bootstrapped by default [1]
    with a 'member' role, while previously we used to create at
    deployment time a role called 'Member'.

    Role names are case insensitive in Keystone but Ceph RGW expects
    a whitelist of role names to which access is permitted. This change
    adds 'member' to the Ceph RGW whitelist, in addition to 'Member'.

    1. https://blueprints.launchpad.net/keystone/+spec/basic-default-roles

    Change-Id: Ib3c70c136fa4a03b58edc370343a01d657b5b101
    Closes-Bug: 1847539
    (cherry picked from commit 1357a131c83e0d4c699df5b9230c382a803eb5d7)
    (cherry picked from commit 7ecd756b7c5eff4ef938fced335d75123749b1f3)

tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 10.6.2

This issue was fixed in the openstack/tripleo-heat-templates 10.6.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates rocky-eol

This issue was fixed in the openstack/tripleo-heat-templates rocky-eol release.
