Invalid (?) policy.json causing tempest test failure

Bug #1830076 reported by Corey Bryant
This bug affects 2 people
Affects: OpenStack Keystone Charm
Status: Fix Released
Importance: High
Assigned to: Unassigned
Milestone: 21.10

Bug Description

This is probably not a bug but I do want to at least track this somewhere so that we can justify the failing tempest test on Rocky (and possibly previous releases). It seems that the current charm policy is just more strict than upstream's. But this could also be exposing that our policy is quite a bit diverged from upstream.

The following tempest test is successful on a stein deployment but not on rocky:

tox -e smoke -- --regex tempest.api.identity.v3.test_domains.DefaultDomainTestJSON.test_default_domain_exists

If I update the keystone unit's "identity:get_domain" policy in policy.json with the generated policy from upstream stable/rocky (see below) the test passes.

The failure: 'You are not authorized to perform the requested action: identity:get_domain.'

Log msg: Policy identity:get_domain failed scope check. The token used to make the request was project scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intended scope is required

stable/rocky and stable/stein charm-keystone (policy.json)
----------------------------------------------------------
"identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",

stable/rocky upstream (policy.json)
-----------------------------------
# Show domain details.
# GET /v3/domains/{domain_id}
# Intended scope(s): system
#"identity:get_domain": "rule:admin_required or project_domain_id:%(target.domain.id)s"

stable/stein upstream (policy.json)
-----------------------------------
# Show domain details.
# GET /v3/domains/{domain_id}
# Intended scope(s): system, domain, project
#"identity:get_domain": "(role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s"

# DEPRECATED "identity:get_domain":"rule:admin_required or
# token.project.domain.id:%(target.domain.id)s" has been deprecated
# since S in favor of "identity:get_domain":"(role:reader and
# system_scope:all) or token.domain.id:%(target.domain.id)s or
# token.project.domain.id:%(target.domain.id)s".
#
# As of the Stein release, the domain API now understands how to
# handle system-scoped tokens in addition to project-scoped tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically
"identity:get_domain": "rule:identity:get_domain"

Narrowing this down some more, the following also allows the test to pass. I believe in this case the rule is comparing the API project domain ID with the domain ID associated with the target:

"identity:get_domain": "project_domain_id:%(target.domain.id)s",

Whereas if I use the following (taken from the current charm-keystone policy.json for rocky) the test fails. I believe in this case the rule is comparing the API token project domain ID with the domain ID associated with the target:

"identity:get_domain": "token.project.domain.id:%(target.domain.id)s",

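To make the two comparisons above concrete, here is an added example (not keystone's or the charm's code) of a small evaluator for the rule syntax quoted in this report. The credentials dicts are constructed and only illustrate that a `token.project.domain.id` check needs the nested token structure in the credentials while `project_domain_id` reads a flat key, which is how the same target can pass one rule and fail the other.

```python
# Added example (not keystone or charm-keystone code): a minimal evaluator for the oslo.policy rule syntax quoted above; credentials are constructed.
import re
TOKENS = re.compile(r"\(|\)|\band\b|\bor\b|(?:%\([^)]*\)|[^\s()])+")

def lookup(path, data):  # walk a dotted path through nested dicts; None if absent
    for part in path.split("."):
        if not isinstance(data, dict) or part not in data:
            return None
        data = data[part]
    return data

def check(atom, target, creds, rules):  # evaluate one 'kind:match' atom
    kind, _, match = atom.partition(":")
    if kind == "rule":                        # rule:NAME expands a named rule
        return evaluate(rules[match], target, creds, rules)
    if kind == "role":                        # role:NAME looks in creds['roles']
        return match in creds.get("roles", [])
    if match.startswith("%(") and match.endswith(")s"):
        match = lookup(match[2:-2], target)   # right side comes from the target
    return match is not None and lookup(kind, creds) == match  # left side from creds

def evaluate(expr, target, creds, rules):  # 'and' binds tighter than 'or'
    toks, pos = TOKENS.findall(expr), 0
    def primary():
        nonlocal pos
        tok = toks[pos]; pos += 1
        if tok != "(":
            return check(tok, target, creds, rules)
        val = or_expr(); pos += 1             # consume the closing ')'
        return val
    def and_expr():
        nonlocal pos
        val = primary()
        while pos < len(toks) and toks[pos] == "and":
            pos += 1; val = primary() and val
        return val
    def or_expr():
        nonlocal pos
        val = and_expr()
        while pos < len(toks) and toks[pos] == "or":
            pos += 1; val = and_expr() or val
        return val
    return or_expr()

# Constructed: a project-scoped token for a project in domain d1, with flat keys only (FLAT) and with the nested 'token' structure the charm rule reads (NESTED).
TARGET = {"target": {"domain": {"id": "d1"}}}
FLAT = {"roles": ["member"], "project_domain_id": "d1"}
NESTED = dict(FLAT, token={"project": {"domain": {"id": "d1"}}})
RULES = {"admin_required": "role:admin"}
ROCKY_UPSTREAM = "rule:admin_required or project_domain_id:%(target.domain.id)s"
CHARM_ROCKY = "token.project.domain.id:%(target.domain.id)s"
```

Running `evaluate(ROCKY_UPSTREAM, TARGET, FLAT, RULES)` returns True while `evaluate(CHARM_ROCKY, TARGET, FLAT, RULES)` returns False; the charm rule only passes once the credentials carry the nested `token` key (NESTED).
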
Revision history for this message
Corey Bryant (corey.bryant) wrote :

More details in attached text file.

description: updated
Revision history for this message
Martin Chlumsky (martin-chlumsky) wrote :

Looks like this bug is related to this other bug: https://bugs.launchpad.net/keystone/+bug/1810983

Changed in charm-keystone:
status: New → Confirmed
importance: Undecided → Medium
importance: Medium → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone (master)
Changed in charm-keystone:
status: Confirmed → In Progress
Changed in charm-keystone:
milestone: none → 21.10
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone (master)

Reviewed: https://review.opendev.org/c/openstack/charm-keystone/+/796515
Committed: https://opendev.org/openstack/charm-keystone/commit/cef78d47fb1dd865e4058e32460adc07b44a105d
Submitter: "Zuul (22348)"
Branch: master

commit cef78d47fb1dd865e4058e32460adc07b44a105d
Author: James Page <email address hidden>
Date: Tue Jun 15 16:12:02 2021 +0100

    policy: correct domain_id match for admin_and_matching_domain_id

    Ensure that the 'admin_and_matching_domain_id' rule correctly
    matches the target.domain_id field, ensuring that domain
    admins can actually query users and projects within a domain.

    Change-Id: I4c000363dd7746f401613d99210e8ca12f34b010
    Closes-Bug: 1830076

Changed in charm-keystone:
status: In Progress → Fix Committed
Changed in charm-keystone:
status: Fix Committed → Fix Released