Invalid (?) policy.json causing tempest test failure

Bug #1830076 reported by Corey Bryant on 2019-05-22
Affects: OpenStack keystone charm
Importance: High
Assigned to: Unassigned

Bug Description

This is probably not a bug but I do want to at least track this somewhere so that we can justify the failing tempest test on Rocky (and possibly previous releases). It seems that the current charm policy is just more strict than upstream's. But this could also be exposing that our policy is quite a bit diverged from upstream.

The following tempest test is successful on a stein deployment but not on rocky:

tox -e smoke -- --regex tempest.api.identity.v3.test_domains.DefaultDomainTestJSON.test_default_domain_exists

If I update the keystone unit's "identity:get_domain" policy in policy.json with the generated policy from upstream stable/rocky (see below) the test passes.

The failure: 'You are not authorized to perform the requested action: identity:get_domain.'

Log msg: Policy identity:get_domain failed scope check. The token used to make the request was project scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intended scope is required

stable/rocky and stable/stein charm-keystone (policy.json)
----------------------------------------------------------
"identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",

stable/rocky upstream (policy.json)
-----------------------------------
# Show domain details.
# GET /v3/domains/{domain_id}
# Intended scope(s): system
#"identity:get_domain": "rule:admin_required or project_domain_id:%(target.domain.id)s"

stable/stein upstream (policy.json)
-----------------------------------
# Show domain details.
# GET /v3/domains/{domain_id}
# Intended scope(s): system, domain, project
#"identity:get_domain": "(role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s"

# DEPRECATED "identity:get_domain":"rule:admin_required or
# token.project.domain.id:%(target.domain.id)s" has been deprecated
# since S in favor of "identity:get_domain":"(role:reader and
# system_scope:all) or token.domain.id:%(target.domain.id)s or
# token.project.domain.id:%(target.domain.id)s".
#
# As of the Stein release, the domain API now understands how to
# handle system-scoped tokens in addition to project-scoped tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically
"identity:get_domain": "rule:identity:get_domain"

Narrowing this down some more, the following also allows the test to pass. I believe in this case the rule is comparing the API project domain ID with the domain ID associated with the target:

"identity:get_domain": "project_domain_id:%(target.domain.id)s",

Whereas if I use the following (taken from the current charm-keystone policy.json for rocky) the test fails. I believe in this case the rule is comparing the API token project domain ID with the domain ID associated with the target:

"identity:get_domain": "token.project.domain.id:%(target.domain.id)s",
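To make the difference between the two rules concrete, here is a small evaluator for the subset of the oslo.policy rule language used in this report. It is an added illustration, not code from the bug, the charm, keystone or oslo.policy. The credentials dicts, the target, and the "admin_required" helper rule are constructed placeholders; in particular it assumes that the project-scoped token's credentials expose a flat "project_domain_id" key but no "token.*" keys unless the token body is flattened in as well, which is one reading consistent with the behaviour described above rather than a verified statement about keystone's enforcement code.

```python
"""Toy evaluator for the subset of the oslo.policy rule language seen in this bug.

Added illustration only: NOT keystone's or oslo.policy's code.  It handles
"rule:<name>", "role:<name>", "<cred_key>:<literal>" and
"<cred_key>:%(target_key)s", combined with "or" and "and" (no parentheses).
Credentials and target are flat dicts keyed by the dotted names the rules
refer to (e.g. "token.project.domain.id", "target.domain.id").
"""
import re

_TARGET_REF = re.compile(r"^%\((?P<key>[^)]+)\)s$")


def generic_check(kind, match, target, creds):
    """'<kind>:<match>': interpolate <match> from the target if it is a
    %(...)s reference, then compare it with creds[<kind>].  A key missing
    on either side makes the check fail closed (deny)."""
    ref = _TARGET_REF.match(match)
    if ref:
        if ref.group("key") not in target:
            return False
        match = str(target[ref.group("key")])
    if kind not in creds:
        return False
    return str(creds[kind]) == match


def role_check(role, creds):
    """'role:<name>': case-insensitive membership in the credential's roles."""
    return role.lower() in {r.lower() for r in creds.get("roles", [])}


def evaluate(rule, rules, target, creds):
    """Evaluate a rule string.  'or' binds looser than 'and'; 'rule:x'
    recurses into the named rule, and an unknown rule name denies."""
    if " or " in rule:
        return any(evaluate(p, rules, target, creds) for p in rule.split(" or "))
    if " and " in rule:
        return all(evaluate(p, rules, target, creds) for p in rule.split(" and "))
    rule = rule.strip()
    if rule == "@":
        return True
    if rule == "!":
        return False
    kind, _, match = rule.partition(":")
    if kind == "rule":
        return match in rules and evaluate(rules[match], rules, target, creds)
    if kind == "role":
        return role_check(match, creds)
    return generic_check(kind, match, target, creds)


# Constructed sample data (not taken from any real deployment).
# Target of "GET /v3/domains/default", flattened the way the rules reference it.
TARGET = {"target.domain.id": "default"}

# Credentials of a project-scoped token: a flat "project_domain_id" key is
# present, but no "token.*" keys (assumption used to model the report).
CREDS_FLAT = {
    "user_id": "u-123",
    "project_id": "p-456",
    "project_domain_id": "default",
    "roles": ["member"],
}

# Same token, but with the token body also flattened into the credentials.
CREDS_WITH_TOKEN = {**CREDS_FLAT, "token.project.domain.id": "default"}

# Placeholder helper rule; upstream keystone defines its own "admin_required".
RULES = {"admin_required": "role:admin"}

RULE_PROJECT_DOMAIN = "project_domain_id:%(target.domain.id)s"
RULE_TOKEN_DOMAIN = "token.project.domain.id:%(target.domain.id)s"
RULE_ROCKY_UPSTREAM = "rule:admin_required or " + RULE_PROJECT_DOMAIN


def get_domain_allowed(rule, creds, target=TARGET):
    """Would identity:get_domain pass for these credentials under this rule?"""
    return evaluate(rule, RULES, target, creds)


if __name__ == "__main__":
    for name, rule in [("charm rule", RULE_TOKEN_DOMAIN),
                       ("narrowed rule", RULE_PROJECT_DOMAIN),
                       ("rocky upstream", RULE_ROCKY_UPSTREAM)]:
        print(f"{name:15s} flat creds: {get_domain_allowed(rule, CREDS_FLAT)!s:5}  "
              f"with token keys: {get_domain_allowed(rule, CREDS_WITH_TOKEN)}")
```

The point the model makes is that a generic check against a credential attribute the enforcement context never populates does not error, it simply denies, so a charm policy that looks equivalent to upstream can still reject legitimate project-scoped requests. When a policy.json diverges from the release's generated policy, diff the two and exercise the affected APIs with tokens of each scope before shipping the override.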

Corey Bryant (corey.bryant) wrote:

More details in attached text file.

description: updated

Looks like this bug is related to this other bug: https://bugs.launchpad.net/keystone/+bug/1810983

Changed in charm-keystone:
status: New → Confirmed
importance: Undecided → Medium
importance: Medium → High