OpenStack Identity (keystone)

Identity provider API doesn't use default roles

Bug #1804516 reported by Lance Bragstad on 2018-11-21

This bug affects 1 person

Affects

Status

Importance

Assigned to

Milestone

OpenStack Identity (keystone)

Fix Released

Medium

Lance Bragstad

OpenStack Identity (keystone) stein-3

You need to log in to change this bug's status.

Affecting:	OpenStack Identity (keystone)
Filed here by:	Lance Bragstad
When:	2018-11-21
Confirmed:	2018-11-21
Assigned:	2018-11-21
Started work:	2018-11-21
Completed:	2019-02-22

Target

Distribution
Package	(Find…)
Project	(Find…)

Status	Importance	Milestone
	Medium	OpenStack Identity (keystone) stein-3

Assigned to

	Me
	Lance Bragstad (lbragstad)

Comment on this change (optional)

Email me about changes to this bug report

(?)

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The identity provider (federation) API doesn't incorporate these defaults into its default policies [1], but it should.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/identity_provider.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

Tags: Edit Tag help

Lance Bragstad (lbragstad) on 2018-11-21

Changed in keystone:
status:	New → Triaged
importance:	Undecided → Medium
tags:	added: default-roles policy

OpenStack Infra (hudson-openstack) wrote on 2018-11-21: Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/619371

OpenStack Infra (hudson-openstack) wrote on 2018-11-21:

Related fix proposed to branch: master
Review: https://review.openstack.org/619372

Changed in keystone:
assignee:	nobody → Lance Bragstad (lbragstad)
status:	Triaged → In Progress

OpenStack Infra (hudson-openstack) wrote on 2018-11-21: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/619373

OpenStack Infra (hudson-openstack) wrote on 2019-01-23: Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/619371
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=27bf50d127e0f194a839ccfd02ba510656811c84
Submitter: Zuul
Branch: master

commit 27bf50d127e0f194a839ccfd02ba510656811c84
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 21:38:21 2018 +0000

Update idp policies for system reader

    The idp policies were not taking the default roles work we did
    last release into account. This commit changes the default policies
    to rely on the ``reader`` role for get and list idps. Subsequent
    patches will incorporate:

     - system member test coverage
     - system admin functionality
     - domain users test coverage
     - project users test coverage

Related-Bug: 1804517
Related-Bug: 1804516

Change-Id: I18c041846010cd985a4bd40aaac011354345fcfa

OpenStack Infra (hudson-openstack) wrote on 2019-02-18:

Reviewed: https://review.openstack.org/619372
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c347c4ff2f2e7c057da2ff0c658a3079580df41f
Submitter: Zuul
Branch: master

commit c347c4ff2f2e7c057da2ff0c658a3079580df41f
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 21:52:20 2018 +0000

Add idp tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writable idp operations to the
    ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role is
    allowed to perform readable and not writable idp operations.
    Subsequent patches will incorporate:

     - system admin functionality
     - domain users test coverage
     - project users test coverage

Related-Bug: 1804517
Related-Bug: 1804516

Change-Id: Ib738c18380f567d0a0b24e218350c9e1cd33691f

OpenStack Infra (hudson-openstack) wrote on 2019-02-22: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/619373
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a4c5d804395f20d0c8832ae6ed9a7594926bf981
Submitter: Zuul
Branch: master

commit a4c5d804395f20d0c8832ae6ed9a7594926bf981
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 21:58:24 2018 +0000

Update idp policies for system admin

    This change makes the policy definitions for admin idp operations
    consistent with the other idp policies. Subsequent patches will
    incorporate:

- domain users test coverage
- project users test coverage

Related-Bug: 1804517
Closes-Bug: 1804516

Change-Id: I6d6a19d95d8970362993c83e70cf23c989ae45e3

Changed in keystone:
status:	In Progress → Fix Released

Colleen Murphy (krinkle) on 2019-02-22

Changed in keystone:
milestone:	none → stein-3

OpenStack Infra (hudson-openstack) wrote on 2019-03-21: Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.

Report a bug

This report contains Public information Edit

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers