OpenStack Identity (keystone)

Remove obsolete endpoint policies from policy.v3cloudsample.json

Bug #1804482 reported by Lance Bragstad on 2018-11-21

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Medium	Lance Bragstad	OpenStack Identity (keystone) stein-3

Bug Description

Once support for scope types landed in the endpoint API policies, the policies in policy.v3cloudsample.json became obsolete [0][1].

We should add formal protection for the policies with enforce_scope = True in keystone.tests.unit.protection.v3 and remove the old policies from the v3 sample policy file.

This will reduce confusion by having a true default policy for endpoints.

[0] https://review.openstack.org/#/c/525695/
[1] http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json?id=fb73912d87b61c419a86c0a9415ebdcf1e186927#n25

Tags:

Lance Bragstad (lbragstad) on 2018-11-21

tags:	added: policy
Changed in keystone:
status:	New → Triaged
importance:	Undecided → Medium

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-11-21: Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/619329

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-11-21:

Related fix proposed to branch: master
Review: https://review.openstack.org/619330

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-11-21:

Related fix proposed to branch: master
Review: https://review.openstack.org/619331

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-11-21:

Related fix proposed to branch: master
Review: https://review.openstack.org/619332

Changed in keystone:
assignee:	nobody → Lance Bragstad (lbragstad)
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-11-21: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/619333

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-01-24: Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/619329
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=dcf8a445ee9d423f8bf9afa0e6786d06186f24e3
Submitter: Zuul
Branch: master

commit dcf8a445ee9d423f8bf9afa0e6786d06186f24e3
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 17:13:56 2018 +0000

Update endpoint policies for system reader

    The endpoint policies were not taking the default roles work we did
    last release into account. This commit changes the default policies
    to rely on the ``reader`` role for get and list endpoints. Subsequent
    patches will incorporate:

     - system member test coverage
     - system admin functionality
     - domain users test coverage
     - project users test coverage

Related-Bug: 1804482
Related-Bug: 1804483

Change-Id: Idfb0cdab6ff1c4a4fdeed09b83584a973672f363

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-04:

Reviewed: https://review.openstack.org/619330
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7e028774ac9ca1977acc2ef5ee134c5c44817dc6
Submitter: Zuul
Branch: master

commit 7e028774ac9ca1977acc2ef5ee134c5c44817dc6
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 17:22:30 2018 +0000

Add endpoint tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writable endpoint operations to the
    ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role
    is allowed to perform readable and not writable endpoint operations.
    Subsequent patches will incorporate:

     - system admin functionality
     - domains user test coverage
     - project user test coverage

    Change-Id: Ia8ccd808e3863bad5539f6d6ee9ae53e1036b24a
    Related-Bug: 1804482
    Related-Bug: 1804483

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-05:

Reviewed: https://review.openstack.org/619331
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cdbdcf85f76d4824fdf56f35c6d846b8f386dd5c
Submitter: Zuul
Branch: master

commit cdbdcf85f76d4824fdf56f35c6d846b8f386dd5c
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 17:32:45 2018 +0000

Update endpoint policies for system admin

    The endpoint policies were not taking the default roles work we did
    last release into account. This commit changes the default policies
    to rely on the ``admin`` role to create and delete endpoints.
    Subsequent patches will incorporate:

- domain user test coverage
- project user test coverage

    Change-Id: Ia6dc4526ece07e7fee614ec91b0953db8f180c2e
    Related-Bug: 1804482
    Closes-Bug: 1804483

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-12:

Reviewed: https://review.openstack.org/619332
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=56f9a218e5d552889a5e50d383fe82c2cda39b56
Submitter: Zuul
Branch: master

commit 56f9a218e5d552889a5e50d383fe82c2cda39b56
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 17:41:29 2018 +0000

Add tests for domain users interacting with endpoints

    This commit introduces some tests that show how domain users are
    expected to behave with the endpoints API. A subsequent patch will do
    the same for project users.

Change-Id: If3186c6fc1cba68426eedf83f31ae87cbe2060da
Related-Bug: 1804482

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-12:

#10

Reviewed: https://review.openstack.org/619281
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1be7e4b426fbb2d2aa111269777c452a131c7106
Submitter: Zuul
Branch: master

commit 1be7e4b426fbb2d2aa111269777c452a131c7106
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 17:44:32 2018 +0000

Add tests for project users interacting with endpoints

    This commit introduces some tests that show how project users
    are expected to behave with the endpoints API. A subsequent patch
    will clean up the new obsolete policies in the
    policy.v3cloudsample.json file.

Change-Id: I3cee870e0eb0d0a796b8e08d73d8965b31126d73
Related-Bug: 1804482

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-01: Fix merged to keystone (master)

#11

Reviewed: https://review.openstack.org/619333
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6c6c6049f5558f866270caa193abd9d6c673e296
Submitter: Zuul
Branch: master

commit 6c6c6049f5558f866270caa193abd9d6c673e296
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 17:48:31 2018 +0000

Remove endpoint policies from policy.v3cloudsample.json

    By incorporating system-scope and default roles, we've effectively
    made these policies obsolete. We can simplify what we maintain and
    provide a more consistent, unified view of default endpoint behavior
    by removing them.

Change-Id: I423e54c359b787efdda70f5d141f21e9103f3524
Closes-Bug: 1804482

Changed in keystone:
status:	In Progress → Fix Released

Lance Bragstad (lbragstad) on 2019-03-01

Changed in keystone:
milestone:	none → stein-3

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-21: Fix included in openstack/keystone 15.0.0.0rc1

#12

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.