OpenStack Identity (keystone)

Remove obsolete service policies from policy.v3cloudsample.json

Bug #1804462 reported by Lance Bragstad on 2018-11-21
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Medium
Lance Bragstad
OpenStack Identity (keystone) stein-3
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

Once support for scope types landed in the service API policies, the policies in policy.v3cloudsample.json became obsolete [0][1].

We should add formal protection for the policies with enforce_scope = True in keystone.tests.unit.protection.v3 and remove the old policies from the v3 sample policy file.

This will reduce confusion by having a true default policy for services.

[0] https://review.openstack.org/#/c/525696/
[1] http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json?id=fb73912d87b61c419a86c0a9415ebdcf1e186927#n19

Lance Bragstad (lbragstad) on 2018-11-21
tags: added: policy
Lance Bragstad (lbragstad) on 2018-11-21
Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/619277

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/619278

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/619279

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/619280

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/619281

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/619282

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/620623

OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/619277
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ae926e67185e22865d0d2a00ec0722e1119dc509
Submitter: Zuul
Branch: master

commit ae926e67185e22865d0d2a00ec0722e1119dc509
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 14:45:49 2018 +0000

    Update service policies for system reader

    The service policies were not taking the default roles work we did
    last release into account. This commit changes the default policies
    to rely on the ``reader`` role for get and list services. Subsequent
    patches will incorporate:

     - system member test coverage
     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Change-Id: I5f4de1358de2e086b01b0ecb7cf7e636311f5ab2
    Related-Bug: 1804462
    Related-Bug: 1804463

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/619278
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=94d02c22ee07b2af97ee79bf2f5311cfbcbf5d8a
Submitter: Zuul
Branch: master

commit 94d02c22ee07b2af97ee79bf2f5311cfbcbf5d8a
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 14:57:18 2018 +0000

    Add service tests for system member role

    From keystone-perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writeable service operations to the
    ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role
    is allowed to perform readable and not writable service operations.
    Subsequent patches will incorporate:

     - system admin functionality
     - testing for domain users
     - testing for project users

    Change-Id: Ia75d792a497b2f3932ada5352245508e54b55768
    Related-Bug: 1804462
    Related-Bug: 1804463

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/619279
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f377351ac89f674b3893e2a5f82bbe31186350ce
Submitter: Zuul
Branch: master

commit f377351ac89f674b3893e2a5f82bbe31186350ce
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 15:15:11 2018 +0000

    Update service policies for system admin

    The service policies were not taking the default roles work we did
    last release into account. This commit changes the default policies
    to rely on the ``admin`` role to create and delete services.
    Subsequent patches will incorporate:

     - domain user test coverage
     - project user test coverage

    Change-Id: I58bbe6848c9e8e63656a6c706c84d1747c72a71e
    Related-Bug: 1804462
    Closes-Bug: 1804463

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/619280
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=875ecfb56fe2c048fcbb8d64971ab06c8e8bf2bf
Submitter: Zuul
Branch: master

commit 875ecfb56fe2c048fcbb8d64971ab06c8e8bf2bf
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 15:31:45 2018 +0000

    Add tests for domain users interacting with services

    This commit introduces some tests that show how domain users are
    expected to behave with the services API. A subsequent patch will do
    the same for project users.

    Change-Id: I87d2229010cb84a3289b2b90f1d8b3f9ba9fd6e4
    Related-Bug: 1804462

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/620623
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=537c6769ebe10d6267bdca5fb207f65543126bb7
Submitter: Zuul
Branch: master

commit 537c6769ebe10d6267bdca5fb207f65543126bb7
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 28 15:04:42 2018 +0000

    Add tests for project users interacting with services

    This commit introduces some tests that show how project users
    are expected to behave with the services API. A subsequent patch
    will clean up the new obsolete policies in the
    policy.v3cloudsample.json file.

    Change-Id: Ib05e5bf96c992aa498d3812aea5e80dbe1a56377
    Related-Bug: 1804462

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/619282
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c83fcbc42aac247789c9a53abfbe237fa9640d38
Submitter: Zuul
Branch: master

commit c83fcbc42aac247789c9a53abfbe237fa9640d38
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 15:45:50 2018 +0000

    Remove service policies from policy.v3cloudsample.json

    By incorporating system-scope and default roles, we've effectively
    made these policies obsolete. We can simplify what we maintain and
    provide a more consistent, unified view of default service behavior by
    removing them.

    Change-Id: Ifa2282481ee3fc544c1d50ac8e8972b0d3a5332e
    Closes-Bug: 1804462

Changed in keystone:
status: In Progress → Fix Released
Lance Bragstad (lbragstad) on 2019-03-05
Changed in keystone:
milestone: none → stein-3
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.
Subscribing...

Other bug subscribers