OpenStack Identity (keystone)

Service API doesn't use default roles

Bug #1804463 reported by Lance Bragstad on 2018-11-21

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Medium	Lance Bragstad	OpenStack Identity (keystone) stein-3

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The services API doesn't incorporate these defaults into its default policies [1], but it should.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/service.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

Tags:

Lance Bragstad (lbragstad) on 2018-11-21

tags:	added: default-roles policy
Changed in keystone:
status:	New → Triaged
importance:	Undecided → Medium

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-11-21: Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/619277

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-11-21:

Related fix proposed to branch: master
Review: https://review.openstack.org/619278

Changed in keystone:
assignee:	nobody → Lance Bragstad (lbragstad)
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-11-21: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/619279

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-22: Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/619277
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ae926e67185e22865d0d2a00ec0722e1119dc509
Submitter: Zuul
Branch: master

commit ae926e67185e22865d0d2a00ec0722e1119dc509
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 14:45:49 2018 +0000

Update service policies for system reader

    The service policies were not taking the default roles work we did
    last release into account. This commit changes the default policies
    to rely on the ``reader`` role for get and list services. Subsequent
    patches will incorporate:

     - system member test coverage
     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Change-Id: I5f4de1358de2e086b01b0ecb7cf7e636311f5ab2
    Related-Bug: 1804462
    Related-Bug: 1804463

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-22:

Reviewed: https://review.openstack.org/619278
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=94d02c22ee07b2af97ee79bf2f5311cfbcbf5d8a
Submitter: Zuul
Branch: master

commit 94d02c22ee07b2af97ee79bf2f5311cfbcbf5d8a
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 14:57:18 2018 +0000

Add service tests for system member role

    From keystone-perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writeable service operations to the
    ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role
    is allowed to perform readable and not writable service operations.
    Subsequent patches will incorporate:

     - system admin functionality
     - testing for domain users
     - testing for project users

    Change-Id: Ia75d792a497b2f3932ada5352245508e54b55768
    Related-Bug: 1804462
    Related-Bug: 1804463

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-26: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/619279
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f377351ac89f674b3893e2a5f82bbe31186350ce
Submitter: Zuul
Branch: master

commit f377351ac89f674b3893e2a5f82bbe31186350ce
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 15:15:11 2018 +0000

Update service policies for system admin

    The service policies were not taking the default roles work we did
    last release into account. This commit changes the default policies
    to rely on the ``admin`` role to create and delete services.
    Subsequent patches will incorporate:

- domain user test coverage
- project user test coverage

    Change-Id: I58bbe6848c9e8e63656a6c706c84d1747c72a71e
    Related-Bug: 1804462
    Closes-Bug: 1804463

Changed in keystone:
status:	In Progress → Fix Released

Colleen Murphy (krinkle) on 2019-02-26

Changed in keystone:
milestone:	none → stein-3

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-21: Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-09-16: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/682503

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.