Endpoint API doesn't use default roles

Bug #1804483 reported by Lance Bragstad on 2018-11-21
Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: Lance Bragstad

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The endpoint API doesn't incorporate these defaults into its default policies [1], but it should.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/endpoint.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

tags: added: policy
tags: added: default-roles
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium

Related fix proposed to branch: master
Review: https://review.openstack.org/619330

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/619329
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=dcf8a445ee9d423f8bf9afa0e6786d06186f24e3
Submitter: Zuul
Branch: master

commit dcf8a445ee9d423f8bf9afa0e6786d06186f24e3
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 17:13:56 2018 +0000

    Update endpoint policies for system reader

    The endpoint policies were not taking the default roles work we did
    last release into account. This commit changes the default policies
    to rely on the ``reader`` role for get and list endpoints. Subsequent
    patches will incorporate:

     - system member test coverage
     - system admin functionality
     - domain users test coverage
     - project users test coverage

     Related-Bug: 1804482
     Related-Bug: 1804483

    Change-Id: Idfb0cdab6ff1c4a4fdeed09b83584a973672f363

Reviewed: https://review.openstack.org/619330
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7e028774ac9ca1977acc2ef5ee134c5c44817dc6
Submitter: Zuul
Branch: master

commit 7e028774ac9ca1977acc2ef5ee134c5c44817dc6
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 17:22:30 2018 +0000

    Add endpoint tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writable endpoint operations to the
    ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role
    is allowed to perform readable and not writable endpoint operations.
    Subsequent patches will incorporate:

     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Change-Id: Ia8ccd808e3863bad5539f6d6ee9ae53e1036b24a
    Related-Bug: 1804482
    Related-Bug: 1804483

Reviewed: https://review.openstack.org/619331
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cdbdcf85f76d4824fdf56f35c6d846b8f386dd5c
Submitter: Zuul
Branch: master

commit cdbdcf85f76d4824fdf56f35c6d846b8f386dd5c
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 17:32:45 2018 +0000

    Update endpoint policies for system admin

    The endpoint policies were not taking the default roles work we did
    last release into account. This commit changes the default policies
    to rely on the ``admin`` role to create and delete endpoints.
    Subsequent patches will incorporate:

     - domain user test coverage
     - project user test coverage

    Change-Id: Ia6dc4526ece07e7fee614ec91b0953db8f180c2e
    Related-Bug: 1804482
    Closes-Bug: 1804483
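The behaviour the report and the three commits above describe, as an added example that is not keystone's own code: a small, dependency-free evaluator for oslo.policy-style check strings (a subset only: `role:`, `rule:` and generic `key:value` atoms, `and` and `or` with oslo.policy's precedence, no `not` and no parentheses) run against a constructed "before" policy set, where every endpoint operation sits behind `rule:admin_required`, and a constructed "after" set modelled on the fix, where get/list require `role:reader and system_scope:all` and create/delete require `role:admin and system_scope:all`. The check strings, the implied-role chain admin -> member -> reader, and the four principals are assumptions made for illustration; they follow keystone's conventions but are not copied from the change.

```python
"""Dependency-free model of oslo.policy-style check strings, comparing
keystone's endpoint policies before and after the move to default roles.
Added illustration: check strings and principals are constructed, not copied."""

# Default-roles spec: admin implies member, member implies reader.  Keystone
# expands implied roles into the token, so the evaluator does the same.
# (Assumed chain, stated here for the example.)
IMPLIED_ROLES = {"admin": {"member"}, "member": {"reader"}}


def expand_roles(roles):
    """Role set including every transitively implied role."""
    result, stack = set(roles), list(roles)
    while stack:
        for implied in IMPLIED_ROLES.get(stack.pop(), ()):
            if implied not in result:
                result.add(implied)
                stack.append(implied)
    return result


def _check_atom(atom, creds, rules):
    """Evaluate one 'kind:value' atom against the credential dict."""
    kind, _, value = atom.strip().partition(":")
    if kind == "role":
        return value in expand_roles(creds.get("roles", []))
    if kind == "rule":
        return evaluate(rules[value], creds, rules)
    # Generic check (system_scope:all, is_admin:1, ...): string comparison.
    return kind in creds and str(creds[kind]) == value


def evaluate(check_str, creds, rules):
    """Evaluate 'a and b or c' with oslo.policy precedence ('and' before 'or').
    Simplification: no 'not' and no parentheses, which the endpoint rules
    modelled here do not use.  An empty check string always passes."""
    if not check_str.strip():
        return True
    return any(all(_check_atom(atom, creds, rules) for atom in clause.split(" and "))
               for clause in check_str.split(" or "))


# Constructed "before": every endpoint operation gated on the legacy
# admin_required rule, which never looks at token scope.
BEFORE = {
    "admin_required": "role:admin or is_admin:1",
    "identity:get_endpoint": "rule:admin_required",
    "identity:list_endpoints": "rule:admin_required",
    "identity:create_endpoint": "rule:admin_required",
    "identity:delete_endpoint": "rule:admin_required",
}
# Constructed "after", modelled on the fix: reader on a system-scoped token
# for get/list, admin on a system-scoped token for create/delete.
AFTER = {
    "identity:get_endpoint": "role:reader and system_scope:all",
    "identity:list_endpoints": "role:reader and system_scope:all",
    "identity:create_endpoint": "role:admin and system_scope:all",
    "identity:delete_endpoint": "role:admin and system_scope:all",
}
# Constructed principals, shaped like the credentials oslo.policy receives.
PRINCIPALS = {
    "system_reader": {"roles": ["reader"], "system_scope": "all"},
    "system_member": {"roles": ["member"], "system_scope": "all"},
    "system_admin": {"roles": ["admin"], "system_scope": "all"},
    "project_admin": {"roles": ["admin"], "project_id": "proj-1234"},
}


def matrix(policy):
    """Map each principal to the endpoint actions it may perform."""
    actions = [a for a in policy if a.startswith("identity:")]
    return {p: {a: evaluate(policy[a], creds, policy) for a in actions}
            for p, creds in PRINCIPALS.items()}


if __name__ == "__main__":
    for label, policy in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for principal, verdicts in matrix(policy).items():
            allowed = [a.split(":")[1] for a, ok in verdicts.items() if ok]
            print("  %-14s %s" % (principal, ", ".join(allowed) or "(nothing)"))
```

Running it prints an allowed-action matrix for each policy set. Under the "before" rules a system-scoped reader or member token can do nothing with endpoints, while a project-scoped admin token passes every endpoint check because `admin_required` never inspects scope. Under the "after" rules the reader and member system tokens can get and list but not create or delete, the system admin can do all four, and the project admin is rejected outright. Comparing the two matrices per principal is the check worth repeating whenever a service's default policies change.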

Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → stein-3

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
