Domains API should account for system-scope and default roles

Bug #1794376 reported by Lance Bragstad
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Lance Bragstad

Bug Description

Keystone domains are an important resource that only system administrators, members, or readers should be able to manage. We should update the domain policies to include system-scoped test coverage and consumption of the new default roles in keystone.

System administrators should be able to:
  - GET /v3/domains/
  - GET /v3/domains/{domain_id}
  - POST /v3/domains/
  - PATCH /v3/domains/{domain_id}
  - DELETE /v3/domains/{domain_id}

System members should be able to:
  - GET /v3/domains/
  - GET /v3/domains/{domain_id}
  - PATCH /v3/domains/{domain_id}

System readers should be able to:
  - GET /v3/domains/
  - GET /v3/domains/{domain_id}
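
A sketch of the system-scoped coverage the description asks for, added here as an example and not taken from keystone's code: it evaluates simplified `role:... and system_scope:all` check strings against constructed tokens and reports every operation where a policy departs from the matrix listed above. The role hierarchy (admin implies member implies reader), the `check` and `audit` helpers, the personas and both sample policies are assumptions made for illustration.

```python
from itertools import product

# Assumed default-role hierarchy: admin implies member implies reader.
IMPLIED = {"admin": {"admin", "member", "reader"},
           "member": {"member", "reader"},
           "reader": {"reader"}}

# Minimum system role per operation, as listed in the bug description.
EXPECTED = {
    "GET /v3/domains/": "reader",
    "GET /v3/domains/{domain_id}": "reader",
    "PATCH /v3/domains/{domain_id}": "member",
    "POST /v3/domains/": "admin",
    "DELETE /v3/domains/{domain_id}": "admin",
}

# Constructed personas: each default role on a system-scoped ("all") and a
# non-system (None, e.g. project-scoped) token.
PERSONAS = list(product(IMPLIED, ("all", None)))


def check(rule, token):
    """Evaluate a simplified 'kind:value and kind:value' check string."""
    roles = set().union(*(IMPLIED.get(r, {r}) for r in token["roles"]))
    for clause in rule.split(" and "):
        kind, _, value = clause.partition(":")
        if kind == "role":
            ok = value in roles
        elif kind == "system_scope":
            ok = token.get("system_scope") == value
        else:
            ok = False  # unknown clause type: fail closed
        if not ok:
            return False
    return True


def audit(policy):
    """List (operation, role, scope, kind) where policy departs from EXPECTED."""
    findings = []
    for op, (role, scope) in product(EXPECTED, PERSONAS):
        token = {"roles": [role], "system_scope": scope}
        want = scope == "all" and EXPECTED[op] in IMPLIED[role]
        got = check(policy.get(op, "deny:all"), token)  # missing rule denies
        if got != want:
            findings.append((op, role, scope, "over" if got else "under"))
    return findings


# Constructed policies: scoped rules versus an unscoped admin-only rule.
SCOPED = {op: f"role:{r} and system_scope:all" for op, r in EXPECTED.items()}
UNSCOPED = {op: "role:admin" for op in EXPECTED}
```

`audit(SCOPED)` returns no findings, while `audit(UNSCOPED)` flags the non-system admin token as over-permitted on all five operations and the system member and reader tokens as under-permitted.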

tags: added: policy
Changed in keystone:
status: New → Triaged
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/605485

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/605849

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/605850

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/605851

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/605871

tags: added: default-roles system-scope
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/623317

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/623318

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/623319

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/623320

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/623321

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/623334

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/623334
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9e8849561bb05f52379531bfc69da8c348f97b28
Submitter: Zuul
Branch: master

commit 9e8849561bb05f52379531bfc69da8c348f97b28
Author: Lance Bragstad <email address hidden>
Date: Wed Sep 26 16:47:39 2018 +0000

    Implement system reader role in domains API

    This commit introduces the system reader role to the API, making it
    easier for administrators to delegate subsets of responsibilities to
    the API by default.

    Subsequent patches will include domain support for:

      - system members test coverage
      - system admins functionality
      - domain user test coverage
      - project user test coverage

    Change-Id: I2e0a5de931049627e6ceb48b1c0e44205f3388e1
    Partial-Bug: 1794376
    Partial-Bug: 968696

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/605849
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d5a57414b4d69d5c10e767a94795deb0bc003612
Submitter: Zuul
Branch: master

commit d5a57414b4d69d5c10e767a94795deb0bc003612
Author: Lance Bragstad <email address hidden>
Date: Thu Sep 27 18:15:48 2018 +0000

    Implement system member role domain test coverage

    This commit introduces the system member role to the API, making sure
    system members can execute readable operations, leaving writable
    domain operations to system administrators.

    Subsequent patches will include domain support for:

      - system admin functionality
      - domain user test coverage
      - project user test coverage

    Change-Id: I1d21ba562b007b43fc36a7a2010d35591ca3bae5
    Partial-Bug: 1794376
    Partial-Bug: 968696

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/605850
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7fa424f1de1ac29c2d34d02cae04b845df5837b1
Submitter: Zuul
Branch: master

commit 7fa424f1de1ac29c2d34d02cae04b845df5837b1
Author: Lance Bragstad <email address hidden>
Date: Thu Sep 27 18:26:48 2018 +0000

    Implement system admin role in domains API

    This commit introduces the system admin role to the API, making it
    consistent with other system-admin policy definitions.

    Subsequent patches will include domain support for:

      - domain user test coverage
      - project user test coverage

    Change-Id: Ic9a789dc3f34d9735de3b4bc4bd48b41190cbfba
    Closes-Bug: 1794376
    Partial-Bug: 968696

Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → stein-2
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
