Regions API doesn't use default roles

Bug #1804446 reported by Lance Bragstad on 2018-11-21
Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: Lance Bragstad

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The regions API doesn't incorporate these defaults into its default policies [1], but it should.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/region.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

description: updated
Changed in keystone:
status: New → Confirmed
status: Confirmed → Triaged
importance: Undecided → Medium
tags: added: default-roles

Fix proposed to branch: master
Review: https://review.openstack.org/619241

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
tags: added: policy

Reviewed: https://review.openstack.org/619085
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=fdf8cb1f0420eef27592d32f2e10066482304314
Submitter: Zuul
Branch: master

commit fdf8cb1f0420eef27592d32f2e10066482304314
Author: Lance Bragstad <email address hidden>
Date: Tue Nov 20 19:14:48 2018 +0000

    Add region protection tests for system readers

    This commit ensures we test the default roles provided with keystone
    against the scope types used in default region policies. Subsequent
    patches will include testing for:

     - system member test coverage
     - system admin functionality
     - domain users test coverage
     - project users test coverage

    Change-Id: I65a8a291e87a29f7ae819ba1ec177e955708db51
    Related-Bug: 1804292
    Related-Bug: 1804446

Reviewed: https://review.openstack.org/619086
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=833b00e57ecb31cf46083d8e976c267139ca18a7
Submitter: Zuul
Branch: master

commit 833b00e57ecb31cf46083d8e976c267139ca18a7
Author: Lance Bragstad <email address hidden>
Date: Tue Nov 20 20:01:21 2018 +0000

    Add region tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writable region operations to the
    system ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role
    is allowed to perform readable and not writable mapping operations.
    Subsequent patches will incorporate:

     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Change-Id: I2253288574fc6b932a5c57bfee8f176e3d10dd84
    Related-Bug: 1804292
    Related-Bug: 1804446

Reviewed: https://review.openstack.org/619241
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f3b69e4b4cb66470a4fcba5b84ba3cfaf1ec7b07
Submitter: Zuul
Branch: master

commit f3b69e4b4cb66470a4fcba5b84ba3cfaf1ec7b07
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 12:57:14 2018 +0000

    Update region policies to use system admin

    This change updates the policies for the regions API to include
    system administrators and includes appropriate test coverage. A
    subsequent set of patches will introduce test coverage for:

     - domains user test coverage
     - project users test coverage

     Related-Bug: 1804292
     Closes-Bug: 1804446

    Change-Id: I84dd7fc69a2eab9ab8c2130f26a2fb664d5663a5

Changed in keystone:
status: In Progress → Fix Released
Colleen Murphy (krinkle) on 2019-02-15
Changed in keystone:
milestone: none → stein-3

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
