`keystone-manage bootstrap` doesn't handle system role assignments

Bug #1749268 reported by Lance Bragstad on 2018-02-13
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
High
Lance Bragstad
Queens
High
Lance Bragstad

Bug Description

The whole purpose of the `keystone-manage bootstrap` command is to help operators establish an admin account they can use to administer the rest of the deployment. It does this by granting the admin user in the bootstrap command an admin role on a project [0].

A system role assignment should also be created so that operators don't lock themselves out of APIs if they set enabled_scope=True in configuration but don't actually have a user with any system role assignments.

[0] https://github.com/openstack/keystone/blob/69b8815d046c4eb0164070976e4351b81a15a0e2/keystone/cmd/cli.py#L283-L293

Changed in keystone:
milestone: none → queens-rc2
importance: Undecided → High
status: New → Triaged
Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
tags: added: queens-backport-potential

Reviewed: https://review.openstack.org/530410
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3c524e6491c1b35a2f8413ebe046c238bf530d71
Submitter: Zuul
Branch: master

commit 3c524e6491c1b35a2f8413ebe046c238bf530d71
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 28 22:11:32 2017 +0000

    Grant admin a role on the system during bootstrap

    Now that we have system scope in place, we should make sure at least
    one user has a role assignment on the system. We can do this at the
    same time we grant the user a role on a project during bootstrap.

    This is backwards compatible because even if a deployment doesn't use
    system-scope, the assignment will just sit there. The deployment will
    have to opt into enforcing scope by updating configuration options
    for oslo.policy to enforce scoping.

    This shouldn't prevent deployments from fixing bug 968696 and using
    system scope.

    Closes-Bug: 1749268

    Change-Id: I6b7196a28867d9a699716c8fef2609d608a5b2a2

Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: queens-rc2 → rocky-1

Reviewed: https://review.openstack.org/544097
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ddd7ff300e9159899f27a27fb3dda8ef9b91be1f
Submitter: Zuul
Branch: stable/queens

commit ddd7ff300e9159899f27a27fb3dda8ef9b91be1f
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 28 22:11:32 2017 +0000

    Grant admin a role on the system during bootstrap

    Now that we have system scope in place, we should make sure at least
    one user has a role assignment on the system. We can do this at the
    same time we grant the user a role on a project during bootstrap.

    This is backwards compatible because even if a deployment doesn't use
    system-scope, the assignment will just sit there. The deployment will
    have to opt into enforcing scope by updating configuration options
    for oslo.policy to enforce scoping.

    This shouldn't prevent deployments from fixing bug 968696 and using
    system scope.

    Closes-Bug: 1749268

    Change-Id: I6b7196a28867d9a699716c8fef2609d608a5b2a2
    (cherry picked from commit 3c524e6491c1b35a2f8413ebe046c238bf530d71)

This issue was fixed in the openstack/keystone 13.0.0.0rc2 release candidate.

This issue was fixed in the openstack/keystone 14.0.0.0b1 development milestone.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers