The v3 users API should account for different scopes

Bug #1748027 reported by Lance Bragstad on 2018-02-07
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
High
Lance Bragstad

Bug Description

Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release [0]. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the user API. This is documented in each patch with FIXMEs [1].

The following acceptance criteria describes how the v3 users API should behave with tokens from multiple scopes:

GET /v3/users/{user_id}

- Someone with a system role assignment that passes the check string should be able to call this API for any user in the system
- Someone with a domain role assignment that passes the check string should be able to call this API for any user within the domain
- Someone with a valid token should be able to call this API for their user

GET /v3/users

- Someone with a system role assignment that passes the check string should be able to call this API and get a list of all users in the system
- Someone with a domain role assignment that passes the check string should be able to call this API and get a list of all users within that domain

POST /v3/users

- Someone with a system role assignment that passes the check string should be able to create users anywhere in the system
- Someone with a domain role assignment that passes the check string should only be able to create users within their domain
- Someone with a project role assignment that passes the check string shouldn't be able to create users since users are domain-scoped entities.

PATCH /v3/users/{user_id}

- Someone with a system role assignment that passes the check string should be able to update any user in the system
- Someone with a domain role assignment that passes the check string should only be able to update users within their domain, this should also include rejecting requests to update domain IDs for users that doesn't match the domain they are a part of
- Someone with a project role assignment that passes the check string shouldn't be able to update users since users are domain-scoped.

[0] https://review.openstack.org/#/c/526203/
[1] https://review.openstack.org/#/c/526203/5/keystone/common/policies/user.py@21

tags: added: policy
description: updated
Changed in keystone:
importance: Undecided → High
status: New → Triaged
sonu (sonu-bhumca11) on 2018-04-04
Changed in keystone:
assignee: nobody → sonu (sonu-bhumca11)
Colleen Murphy (krinkle) on 2018-09-19
tags: added: system-scope

Fix proposed to branch: master
Review: https://review.openstack.org/611179

Changed in keystone:
assignee: sonu (sonu-bhumca11) → Lance Bragstad (lbragstad)
status: Triaged → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/623322

Change abandoned by Lance Bragstad (<email address hidden>) on branch: master
Review: https://review.openstack.org/611179
Reason: This has been broken into a more reviewable series, starting here [0].

[0] https://review.openstack.org/#/c/605485/15

Reviewed: https://review.openstack.org/605485
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=40d3458fcb29df1daefce9455d1778e800cac378
Submitter: Zuul
Branch: master

commit 40d3458fcb29df1daefce9455d1778e800cac378
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 19:39:56 2018 +0000

    Implement system reader role for users

    This commit introduces the system reader role to the users API, making
    it easier for administrators to delegate subsets of responsibilities
    to the API by default. This commit also maintains the ability for
    any user to be able to fetch their own user reference.

    Subsequent patches will incorporate:

      - system member test coverage
      - system admin functionality
      - domain reader functionality
      - domain member test coverage
      - domain admin functionality
      - project user test coverage

    Change-Id: I9c362e515772540dfa93d05781d955009b9a154d
    Partial-Bug: 1805406
    Partial-Bug: 1748027
    Partial-Bug: 968696

Reviewed: https://review.openstack.org/623317
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4f724f2d9387dc83148dada41a0f9acb294026c2
Submitter: Zuul
Branch: master

commit 4f724f2d9387dc83148dada41a0f9acb294026c2
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 19:48:36 2018 +0000

    Implement system member role user test coverage

    This commit introduces explicit test coverage for system members,
    making sure they are allowed to do readable and not writable user
    operations.

    Subsequent patches will incorporate:

      - system admin functionality
      - domain reader functionality
      - domain member test coverage
      - domain admin functionality
      - project user test coverage

    Change-Id: Ibc837225154ba7bcd2f93938565b41ff0e8f4803
    Partial-Bug: 1805406
    Partial-Bug: 1748027
    Partial-Bug: 968696

Reviewed: https://review.openstack.org/623318
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=29fb7ae3952138ec05fd2434fe9cf5eccc8205f0
Submitter: Zuul
Branch: master

commit 29fb7ae3952138ec05fd2434fe9cf5eccc8205f0
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 19:59:36 2018 +0000

    Implement system admin role in users API

    This commit introduces the system admin role to the users API,
    making it consistent with other system-admin policy definitions.

    Subsequent patches will build on this work to expose more
    functionality to domain and project users:

     - domain reader functionality
     - domain member test coverage
     - domain admin functionality
     - project user test coverage

    Change-Id: I19bf5a562401100d9208f98515ce596f7ca20185
    Closes-Bug: 1805406
    Partial-Bug: 1748027
    Partial-Bug: 968696

Reviewed: https://review.openstack.org/623319
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bc217b316e13942cb7f4fc742be988d27bd32aa2
Submitter: Zuul
Branch: master

commit bc217b316e13942cb7f4fc742be988d27bd32aa2
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 20:21:28 2018 +0000

    Implement domain reader functionality for user API

    This commit adds explicit testing for how users with the reader role
    on a domain should interact with users both inside and outside of
    the domain they have authroization on.

    Subsequent patches will continue to build on this by incorporating:

     - domain member test coverage
     - domain admin functionality
     - project user test coverage

    Change-Id: I09f520aaed9560541d183ac83a1a7241d8d0d2f1
    Partial-Bug: 1748027
    Partial-Bug: 968696

Reviewed: https://review.openstack.org/623320
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9ca599e50610fadc60e1b05c1af37044916575c5
Submitter: Zuul
Branch: master

commit 9ca599e50610fadc60e1b05c1af37044916575c5
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 20:31:08 2018 +0000

    Implement domain member functionality for user API

    This commit adds explicit testing for how users with the member role
    on a domain should interact with users both inside and outside of
    the domain they have authroization on.

    Subsequent patches will continue to build on this by incorporating:

     - domain admin functionality
     - project user test coverage

    Change-Id: I2a75f49e953c0c6fbe2de6da7b40faaa208f953d
    Partial-Bug: 1748027
    Partial-Bug: 968696

Reviewed: https://review.openstack.org/623321
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cf1ce4eb36393cedadb2de2aeba8140c65e09775
Submitter: Zuul
Branch: master

commit cf1ce4eb36393cedadb2de2aeba8140c65e09775
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 20:50:28 2018 +0000

    Implement domain admin functionality for user API

    This commit add explicit testing to show how users with the admin role
    on a domain can manage users within thier domain. It also modifies the
    default policies to account for this functionality. A subsequent patch
    will do the same for project users.

    Change-Id: I3899e07b857e213f85384ed9c9e4add199290a49
    Partial-Bug: 1748027
    Partial-Bug: 968696

Reviewed: https://review.openstack.org/623322
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f9e07a940dc6d197709f5a66c8e4ff203d388da1
Submitter: Zuul
Branch: master

commit f9e07a940dc6d197709f5a66c8e4ff203d388da1
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 21:01:14 2018 +0000

    Add explicit testing for project users and the user API

    This commit wraps up the user API policy refactor by adding explicit
    testing for how project users are expected to behave with the user
    API. A subsequent patch set will remove the now obsolete user policies
    in policy.v3cloudsample.json.

    Change-Id: Ic7b0839ac70439aa0311a98c6b7b5688a7e2dcf7
    Closes-Bug: 1748027
    Related-Bug: 968696

Changed in keystone:
status: In Progress → Fix Released
Colleen Murphy (krinkle) on 2019-03-24
Changed in keystone:
milestone: none → stein-rc2

Fix proposed to branch: stable/stein
Review: https://review.openstack.org/647549

Fix proposed to branch: stable/stein
Review: https://review.openstack.org/647550

Fix proposed to branch: stable/stein
Review: https://review.openstack.org/647551

Reviewed: https://review.openstack.org/647548
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=69868c6bfdeca737ea7c48057beb3b657e14091b
Submitter: Zuul
Branch: stable/stein

commit 69868c6bfdeca737ea7c48057beb3b657e14091b
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 20:21:28 2018 +0000

    Implement domain reader functionality for user API

    This commit adds explicit testing for how users with the reader role
    on a domain should interact with users both inside and outside of
    the domain they have authroization on.

    Subsequent patches will continue to build on this by incorporating:

     - domain member test coverage
     - domain admin functionality
     - project user test coverage

    Change-Id: I09f520aaed9560541d183ac83a1a7241d8d0d2f1
    Partial-Bug: 1748027
    Partial-Bug: 968696
    (cherry picked from commit bc217b316e13942cb7f4fc742be988d27bd32aa2)

tags: added: in-stable-stein

Reviewed: https://review.openstack.org/647549
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=dd6da4cd459d330dc2feb017c470da321604784a
Submitter: Zuul
Branch: stable/stein

commit dd6da4cd459d330dc2feb017c470da321604784a
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 20:31:08 2018 +0000

    Implement domain member functionality for user API

    This commit adds explicit testing for how users with the member role
    on a domain should interact with users both inside and outside of
    the domain they have authroization on.

    Subsequent patches will continue to build on this by incorporating:

     - domain admin functionality
     - project user test coverage

    Change-Id: I2a75f49e953c0c6fbe2de6da7b40faaa208f953d
    Partial-Bug: 1748027
    Partial-Bug: 968696
    (cherry picked from commit 9ca599e50610fadc60e1b05c1af37044916575c5)

Reviewed: https://review.openstack.org/647550
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a5fbec6a091afe28d04bfdb331a56aa14d6e7ff3
Submitter: Zuul
Branch: stable/stein

commit a5fbec6a091afe28d04bfdb331a56aa14d6e7ff3
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 20:50:28 2018 +0000

    Implement domain admin functionality for user API

    This commit add explicit testing to show how users with the admin role
    on a domain can manage users within thier domain. It also modifies the
    default policies to account for this functionality. A subsequent patch
    will do the same for project users.

    Change-Id: I3899e07b857e213f85384ed9c9e4add199290a49
    Partial-Bug: 1748027
    Partial-Bug: 968696
    (cherry picked from commit cf1ce4eb36393cedadb2de2aeba8140c65e09775)

Reviewed: https://review.openstack.org/647551
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8da74c1756d5c8ce7a33cb3f18d45d2d7c7bc63a
Submitter: Zuul
Branch: stable/stein

commit 8da74c1756d5c8ce7a33cb3f18d45d2d7c7bc63a
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 21:01:14 2018 +0000

    Add explicit testing for project users and the user API

    This commit wraps up the user API policy refactor by adding explicit
    testing for how project users are expected to behave with the user
    API. A subsequent patch set will remove the now obsolete user policies
    in policy.v3cloudsample.json.

    Change-Id: Ic7b0839ac70439aa0311a98c6b7b5688a7e2dcf7
    Closes-Bug: 1748027
    Related-Bug: 968696
    (cherry picked from commit f9e07a940dc6d197709f5a66c8e4ff203d388da1)

This issue was fixed in the openstack/keystone 15.0.0.0rc2 release candidate.

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers