The v3 grant API should account for different scopes

Bug #1750669 reported by Lance Bragstad on 2018-02-20
Affects: OpenStack Identity (keystone)
Importance: High
Assigned to: Vishakha Agarwal

Bug Description

Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the user API. This is documented in each patch with FIXMEs [0].

The following acceptance criteria describe how the v3 grant API should behave with tokens from multiple scopes.

GET /target/{target_id}/actor/{actor_id}/roles/{role_id}

- Someone with a system role assignment that passes the check string should be able to check any grant in the deployment (system-scoped)
- Someone with a domain role assignment that passes the check string should only be able to make checks against users, domains, and projects they administer (domain-scoped)

GET /targets/{target_id}/actors/{actor_id}/roles

- Someone with a system role assignment that passes the check string should be able to list all grants in the deployment, regardless of the target or actor (system-scoped)
- Someone with a domain role assignment that passes the check string should only be able to list grants against users and projects within the domain they administer (domain-scoped)

PUT /target/{target_id}/actor/{actor_id}/roles/{role_id}

- Someone with a system role assignment that passes the check string should be able to create grants, regardless of the actor or target (system-scoped)
- Someone with a domain role assignment that passes the check string should only be able to create grants with users and projects within the domain they administer (domain-scoped)

DELETE /target/{target_id}/actor/{actor_id}/roles/{role_id}

- Someone with a system role assignment that passes the check string should be able to remove grants regardless of the actor or target (system-scoped)
- Someone with a domain role assignment that passes the check string should only be able to remove grants from users and projects within the domain they administer (domain-scoped)

[0] https://github.com/openstack/keystone/blob/68df7bf1f3b3d6ab3f691f59f1ce6de6b0b1deab/keystone/common/policies/grant.py#L62-L67
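To make the acceptance criteria above concrete, here is an added example (not keystone's code) that models the grant policies as oslo.policy-style check strings and evaluates them against system-scoped, domain-scoped and project-scoped tokens with a minimal stand-alone evaluator. The check strings, the `actor_domain_id`/`target_domain_id` target attributes and the sample users, projects and domains are constructed assumptions; only the `identity:*` rule names follow keystone's naming.

```python
"""Scope-aware grant policy model (added example, not keystone's code).

Minimal evaluator for a subset of oslo.policy check strings: 'role:X',
'system_scope:all' and 'domain_id:%(target.<attr>)s' atoms joined by
' and ' within a clause and ' or ' between parenthesised clauses.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed sample directory: the domain each user and project belongs to.
USER_DOMAIN = {"alice": "domA", "bob": "domB"}
PROJECT_DOMAIN = {"p1": "domA", "p2": "domB"}

@dataclass(frozen=True)
class Token:
    roles: FrozenSet[str]
    system_scope: Optional[str] = None  # "all" for a system-scoped token
    domain_id: Optional[str] = None     # set only for a domain-scoped token

def _system_clause(role: str) -> str:
    # system_scope:all is part of the rule itself rather than a shared rule:admin_required.
    return f"(role:{role} and system_scope:all)"

def _domain_clause(role: str) -> str:
    # A domain-scoped caller must administer both the actor's domain and the
    # domain owning the target project or domain (assumed attribute names).
    return (f"(role:{role} and domain_id:%(target.actor_domain_id)s"
            f" and domain_id:%(target.target_domain_id)s)")

# Assumed check strings encoding this bug's acceptance criteria, not
# keystone's shipped defaults; rule names follow keystone's identity:* scheme.
POLICY: Dict[str, str] = {
    "identity:check_grant": f"{_system_clause('reader')} or {_domain_clause('reader')}",
    "identity:list_grants": f"{_system_clause('reader')} or {_domain_clause('reader')}",
    "identity:create_grant": f"{_system_clause('admin')} or {_domain_clause('admin')}",
    "identity:revoke_grant": f"{_system_clause('admin')} or {_domain_clause('admin')}",
}

def _atom_passes(atom: str, token: Token, target: Dict[str, str]) -> bool:
    key, _, value = atom.partition(":")
    if value.startswith("%(target.") and value.endswith(")s"):
        value = target.get(value[len("%(target."):-2])  # substitute target attribute
    if key == "role":
        return value in token.roles
    if key == "system_scope":
        return token.system_scope == value
    if key == "domain_id":
        return token.domain_id is not None and token.domain_id == value
    raise ValueError(f"unsupported check: {atom!r}")

def enforce(action: str, token: Token, target: Dict[str, str]) -> bool:
    """Return True when any 'or' clause has every one of its 'and' atoms satisfied."""
    for clause in POLICY[action].split(" or "):
        atoms = clause.strip("() ").split(" and ")
        if all(_atom_passes(a, token, target) for a in atoms):
            return True
    return False

def grant_target(actor: str, target_id: str) -> Dict[str, str]:
    """Resolve the domains a grant touches; a domain target owns itself."""
    return {
        "actor_domain_id": USER_DOMAIN[actor],
        "target_domain_id": PROJECT_DOMAIN.get(target_id, target_id),
    }
```

A project-scoped token (no `system_scope`, no `domain_id`) fails every clause regardless of role, which is the behaviour the later "Test project users" commits on this bug verify.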

Changed in keystone:
status: New → Triaged
importance: Undecided → High
description: updated
summary: - The v3 assignment API should account for different scopes
+ The v3 grant API should account for different scopes
description: updated
Colleen Murphy (krinkle) on 2018-09-19
tags: added: system-scope
Changed in keystone:
assignee: nobody → Vishakha Agarwal (vishakha.agarwal)

Fix proposed to branch: master
Review: https://review.openstack.org/612615

Changed in keystone:
status: Triaged → In Progress

Related fix proposed to branch: master
Review: https://review.openstack.org/645021

Related fix proposed to branch: master
Review: https://review.openstack.org/645022

Related fix proposed to branch: master
Review: https://review.openstack.org/645023

Related fix proposed to branch: master
Review: https://review.openstack.org/645024

Related fix proposed to branch: master
Review: https://review.openstack.org/645309

Related fix proposed to branch: master
Review: https://review.openstack.org/645310

Related fix proposed to branch: master
Review: https://review.openstack.org/645311

Reviewed: https://review.openstack.org/622615
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=465a8bb59be13739253a52d7e457067cf63d3ba8
Submitter: Zuul
Branch: master

commit 465a8bb59be13739253a52d7e457067cf63d3ba8
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 22:24:40 2018 +0000

    Update system grant policies for system reader

    The system grant policies were not taking the default roles work we
    did last release into account. This commit changes the default
    policies to rely on the ``reader`` role for getting and listing system
    assignments. Subsequent patches will incorporate:

     - system member test coverage
     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Change-Id: I838c85f315864d2f0baf747d6bcc546724e4673a
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762

Related fix proposed to branch: master
Review: https://review.openstack.org/645890

Reviewed: https://review.openstack.org/645021
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bb4192e88d88b781b2a821f3a499b7168b7bbc31
Submitter: Zuul
Branch: master

commit bb4192e88d88b781b2a821f3a499b7168b7bbc31
Author: Lance Bragstad <email address hidden>
Date: Wed Mar 20 21:18:32 2019 +0000

    Update system grant policies for system member

    This commit ensures users with the ``member`` role on the system can
    perform read-only operations against the system assignment API.

     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Change-Id: I834475da2343ba87fb169689f71d4cb4713f6786
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762

Reviewed: https://review.openstack.org/645022
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8f4e179c69eae7ced731776717c09a979bd67cc5
Submitter: Zuul
Branch: master

commit 8f4e179c69eae7ced731776717c09a979bd67cc5
Author: Lance Bragstad <email address hidden>
Date: Wed Mar 20 21:40:55 2019 +0000

    Update system grant policies for system admin

    This commit updates the policies for adding and removing system
    assignments from users to be consistent with other system-scoped
    policies.

     - domain user test coverage
     - project user test coverage

    Change-Id: Ia24a81669477ca5c737d0dedefac0c8fb0edc51a
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762

Reviewed: https://review.openstack.org/645023
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8450d4a9cc76ce9e476d3cadf863f40f072f4cfe
Submitter: Zuul
Branch: master

commit 8450d4a9cc76ce9e476d3cadf863f40f072f4cfe
Author: Lance Bragstad <email address hidden>
Date: Wed Mar 20 21:49:32 2019 +0000

    Test domain users against system assignment API

    This commit ensures that domain users are not able to operate on
    system role assignments in any way since they lack the proper
    authorization to do so.

     - project user test coverage

    Change-Id: Ic27a158448e1098fdb1c0a14694793cc041e7eff
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762

Reviewed: https://review.openstack.org/645024
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=fac844c4ae058c148889b636ab6cbb637df7e554
Submitter: Zuul
Branch: master

commit fac844c4ae058c148889b636ab6cbb637df7e554
Author: Lance Bragstad <email address hidden>
Date: Wed Mar 20 21:58:51 2019 +0000

    Test project users against system assignment API

    This commit ensures that project users are not able to operate on
    system role assignments in any way since they lack the proper
    authorization to do so.

    Change-Id: I8b5add170ba0d9eec42f2d088f4b89aa801136df
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762

Reviewed: https://review.openstack.org/645309
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=593e67e6ca429c6e6b54c5453a05c40a73abee85
Submitter: Zuul
Branch: master

commit 593e67e6ca429c6e6b54c5453a05c40a73abee85
Author: Lance Bragstad <email address hidden>
Date: Thu Mar 21 18:21:42 2019 +0000

    Update system group assignment policies for reader and member

    This commit introduces the reader and member default roles to the
    system assignment API for groups. Users with the `reader` and `member`
    role on the system should be able to list and check system role
    assignments for all users in the deployment.

    Subsequent patches will:

      - simplify the policies for system admin
      - add domain user test coverage
      - add project user test coverage
      - remove obsolete policies from policy.v3cloudsample.json

    Change-Id: I7eebb1b07213a1406e98f8a621ec44c87b812457
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762

Reviewed: https://review.openstack.org/645310
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ba09e89ba1b8a883b09ca81f43bf54bd870411c1
Submitter: Zuul
Branch: master

commit ba09e89ba1b8a883b09ca81f43bf54bd870411c1
Author: Lance Bragstad <email address hidden>
Date: Thu Mar 21 18:29:21 2019 +0000

    Update group system grant policies for admins

    This commit updates the policies for adding and removing system
    assignments from groups to be consistent with other system-scoped
    policies.

    Subsequent patches will build on this work and:

      - add domain user test coverage
      - add project user test coverage
      - remove obsolete policies from policy.v3cloudsample.json

    Change-Id: I90ecc67dbae60c74b69bb227a08205d4415bd16e
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762

Reviewed: https://review.openstack.org/645311
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6e118bad3d49bc1da7137a406fb8cb2e3da931ca
Submitter: Zuul
Branch: master

commit 6e118bad3d49bc1da7137a406fb8cb2e3da931ca
Author: Lance Bragstad <email address hidden>
Date: Thu Mar 21 18:54:06 2019 +0000

    Test domain and project users against group system assignment API

    This commit ensures that domain and project users are not able to
    operate on system role assignments for groups in any way since they
    lack the proper authorization to do so.

    Subsequent patches will:

     - remove obsolete policies from policy.v3cloudsample.json

    Change-Id: I696e5d161fae7efbc208355372bf7bf09f96849f
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762

Related fix proposed to branch: stable/stein
Review: https://review.openstack.org/647674

Related fix proposed to branch: stable/stein
Review: https://review.openstack.org/647675

Related fix proposed to branch: stable/stein
Review: https://review.openstack.org/647676

Related fix proposed to branch: stable/stein
Review: https://review.openstack.org/647677

Related fix proposed to branch: stable/stein
Review: https://review.openstack.org/647678

Related fix proposed to branch: stable/stein
Review: https://review.openstack.org/647679

Related fix proposed to branch: stable/stein
Review: https://review.openstack.org/647680

Reviewed: https://review.openstack.org/645889
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d1cfa3ab3f87f15f61c5387670d3b75ee2ba93ba
Submitter: Zuul
Branch: master

commit d1cfa3ab3f87f15f61c5387670d3b75ee2ba93ba
Author: Lance Bragstad <email address hidden>
Date: Fri Mar 22 21:08:25 2019 +0000

    Implement system reader functionality for grants

    This commit opens up the assignment API for system readers and system
    members to list and check grants for users and groups on projects and
    domains. Subsequent patches will:

     - refactor system admin policy checks
     - implement domain reader and member support
     - implement domain admin support
     - introduce test coverage for project users and the grants API
     - remove redundant policies from policy.v3cloudsample.json

    Change-Id: I04bafe2f7c83addddf18591eaeba80277321139b
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762

Reviewed: https://review.openstack.org/645890
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ef838a3a3f575562b1fc84623c3a8491d4f2e2f4
Submitter: Zuul
Branch: master

commit ef838a3a3f575562b1fc84623c3a8491d4f2e2f4
Author: Lance Bragstad <email address hidden>
Date: Fri Mar 22 21:25:07 2019 +0000

    Make system admin policies consistent for grants

    This commit adjusts the create and revoke grant policies to be
    consistent with other system admin policy check strings by not using
    the rule:admin_required check string and by including system_scope:all
    in the rule itself.

    Subsequent patches will:

     - implement domain reader and member support
     - implement domain admin support
     - introduce test coverage for project users and the grants API
     - remove redundant policies from policy.v3cloudsample.json

    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762

    Change-Id: Idcbe16f643332d80af716074cf3ea22525d465a9

Reviewed: https://review.openstack.org/647673
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=fd08266abb3a4fb18ac05921ca11c4768daa2f6d
Submitter: Zuul
Branch: stable/stein

commit fd08266abb3a4fb18ac05921ca11c4768daa2f6d
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 22:24:40 2018 +0000

    Update system grant policies for system reader

    The system grant policies were not taking the default roles work we
    did last release into account. This commit changes the default
    policies to rely on the ``reader`` role for getting and listing system
    assignments. Subsequent patches will incorporate:

     - system member test coverage
     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Change-Id: I838c85f315864d2f0baf747d6bcc546724e4673a
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762
    (cherry picked from commit 465a8bb59be13739253a52d7e457067cf63d3ba8)

tags: added: in-stable-stein

Reviewed: https://review.openstack.org/647674
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0786fde3932e218ef355a6cc958f83c3c7033686
Submitter: Zuul
Branch: stable/stein

commit 0786fde3932e218ef355a6cc958f83c3c7033686
Author: Lance Bragstad <email address hidden>
Date: Wed Mar 20 21:18:32 2019 +0000

    Update system grant policies for system member

    This commit ensures users with the ``member`` role on the system can
    perform read-only operations against the system assignment API.

     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Change-Id: I834475da2343ba87fb169689f71d4cb4713f6786
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762
    (cherry picked from commit bb4192e88d88b781b2a821f3a499b7168b7bbc31)

Reviewed: https://review.openstack.org/647675
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ad108dafe2bdd1b6523d6f45315bb136b9b01408
Submitter: Zuul
Branch: stable/stein

commit ad108dafe2bdd1b6523d6f45315bb136b9b01408
Author: Lance Bragstad <email address hidden>
Date: Wed Mar 20 21:40:55 2019 +0000

    Update system grant policies for system admin

    This commit updates the policies for adding and removing system
    assignments from users to be consistent with other system-scoped
    policies.

     - domain user test coverage
     - project user test coverage

    Change-Id: Ia24a81669477ca5c737d0dedefac0c8fb0edc51a
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762
    (cherry picked from commit 8f4e179c69eae7ced731776717c09a979bd67cc5)

Reviewed: https://review.openstack.org/647676
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4ccb4c258f54642a272e0d865aa1768b7f1ffee5
Submitter: Zuul
Branch: stable/stein

commit 4ccb4c258f54642a272e0d865aa1768b7f1ffee5
Author: Lance Bragstad <email address hidden>
Date: Wed Mar 20 21:49:32 2019 +0000

    Test domain users against system assignment API

    This commit ensures that domain users are not able to operate on
    system role assignments in any way since they lack the proper
    authorization to do so.

     - project user test coverage

    Change-Id: Ic27a158448e1098fdb1c0a14694793cc041e7eff
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762
    (cherry picked from commit 8450d4a9cc76ce9e476d3cadf863f40f072f4cfe)

Reviewed: https://review.openstack.org/647677
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=de083009eb51d1af086387bbac0dca8d3c4474c0
Submitter: Zuul
Branch: stable/stein

commit de083009eb51d1af086387bbac0dca8d3c4474c0
Author: Lance Bragstad <email address hidden>
Date: Wed Mar 20 21:58:51 2019 +0000

    Test project users against system assignment API

    This commit ensures that project users are not able to operate on
    system role assignments in any way since they lack the proper
    authorization to do so.

    Change-Id: I8b5add170ba0d9eec42f2d088f4b89aa801136df
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762
    (cherry picked from commit fac844c4ae058c148889b636ab6cbb637df7e554)

Reviewed: https://review.openstack.org/647678
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1d8ac830a1ed6a571db6987d4ef657cf3e04d640
Submitter: Zuul
Branch: stable/stein

commit 1d8ac830a1ed6a571db6987d4ef657cf3e04d640
Author: Lance Bragstad <email address hidden>
Date: Thu Mar 21 18:21:42 2019 +0000

    Update system group assignment policies for reader and member

    This commit introduces the reader and member default roles to the
    system assignment API for groups. Users with the `reader` and `member`
    role on the system should be able to list and check system role
    assignments for all users in the deployment.

    Subsequent patches will:

      - simplify the policies for system admin
      - add domain user test coverage
      - add project user test coverage
      - remove obsolete policies from policy.v3cloudsample.json

    Change-Id: I7eebb1b07213a1406e98f8a621ec44c87b812457
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762
    (cherry picked from commit 593e67e6ca429c6e6b54c5453a05c40a73abee85)

Reviewed: https://review.openstack.org/647679
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=02eebfe5732fb9935331551e223337b22db7aebd
Submitter: Zuul
Branch: stable/stein

commit 02eebfe5732fb9935331551e223337b22db7aebd
Author: Lance Bragstad <email address hidden>
Date: Thu Mar 21 18:29:21 2019 +0000

    Update group system grant policies for admins

    This commit updates the policies for adding and removing system
    assignments from groups to be consistent with other system-scoped
    policies.

    Subsequent patches will build on this work and:

      - add domain user test coverage
      - add project user test coverage
      - remove obsolete policies from policy.v3cloudsample.json

    Change-Id: I90ecc67dbae60c74b69bb227a08205d4415bd16e
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762
    (cherry picked from commit ba09e89ba1b8a883b09ca81f43bf54bd870411c1)

Reviewed: https://review.openstack.org/647680
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=56e48127938be2d67b984d00b155833532233713
Submitter: Zuul
Branch: stable/stein

commit 56e48127938be2d67b984d00b155833532233713
Author: Lance Bragstad <email address hidden>
Date: Thu Mar 21 18:54:06 2019 +0000

    Test domain and project users against group system assignment API

    This commit ensures that domain and project users are not able to
    operate on system role assignments for groups in any way since they
    lack the proper authorization to do so.

    Subsequent patches will:

     - remove obsolete policies from policy.v3cloudsample.json

    Change-Id: I696e5d161fae7efbc208355372bf7bf09f96849f
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762
    (cherry picked from commit 6e118bad3d49bc1da7137a406fb8cb2e3da931ca)

Related fix proposed to branch: stable/stein
Review: https://review.openstack.org/647815

Reviewed: https://review.openstack.org/647814
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=db3b293cdea31b5a2b4fab1108d905832ee15550
Submitter: Zuul
Branch: stable/stein

commit db3b293cdea31b5a2b4fab1108d905832ee15550
Author: Lance Bragstad <email address hidden>
Date: Fri Mar 22 21:08:25 2019 +0000

    Implement system reader functionality for grants

    This commit opens up the assignment API for system readers and system
    members to list and check grants for users and groups on projects and
    domains. Subsequent patches will:

     - refactor system admin policy checks
     - implement domain reader and member support
     - implement domain admin support
     - introduce test coverage for project users and the grants API
     - remove redundant policies from policy.v3cloudsample.json

    Change-Id: I04bafe2f7c83addddf18591eaeba80277321139b
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762
    (cherry picked from commit d1cfa3ab3f87f15f61c5387670d3b75ee2ba93ba)

Reviewed: https://review.openstack.org/647815
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=933b7509a4177680158baeeb582f82470f73ae38
Submitter: Zuul
Branch: stable/stein

commit 933b7509a4177680158baeeb582f82470f73ae38
Author: Lance Bragstad <email address hidden>
Date: Fri Mar 22 21:25:07 2019 +0000

    Make system admin policies consistent for grants

    This commit adjusts the create and revoke grant policies to be
    consistent with other system admin policy check strings by not using
    the rule:admin_required check string and by including system_scope:all
    in the rule itself.

    Subsequent patches will:

     - implement domain reader and member support
     - implement domain admin support
     - introduce test coverage for project users and the grants API
     - remove redundant policies from policy.v3cloudsample.json

    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762

    Change-Id: Idcbe16f643332d80af716074cf3ea22525d465a9
    (cherry picked from commit ef838a3a3f575562b1fc84623c3a8491d4f2e2f4)
