Remove obsolete idp policies from policy.v3cloudsample.json

Bug #1804517 reported by Lance Bragstad on 2018-11-21
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: Lance Bragstad

Bug Description

Once support for scope types landed in the identity provider API policies, the policies in policy.v3cloudsample.json became obsolete [0][1].

We should add formal protection for the policies with enforce_scope = True in keystone.tests.unit.protection.v3 and remove the old policies from the v3 sample policy file.

This will reduce confusion by having a true default policy for identity providers.

[0] https://review.openstack.org/#/c/526145/
[1] https://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json?id=fb73912d87b61c419a86c0a9415ebdcf1e186927#n198
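To make the difference between the obsolete sample policies and the scope-typed defaults concrete, here is an added Python model of the enforcement decision. It is an illustration written for this page, not keystone's or oslo.policy's code: the policy action names are keystone's identity provider policies, but the `Rule` and `Credentials` types, the `ROLE_RANK` ordering (standing in for keystone's implied roles) and the `enforce()` helper are simplified stand-ins for oslo.policy's `RuleDefault` and `Enforcer`, and the two policy tables only approximate the shape of the old `admin_required` entries and the new system-scoped defaults.

```python
# Added illustration of scope-typed policy enforcement. Not keystone's or
# oslo.policy's code: the action names are keystone's, everything else here
# (Rule, Credentials, ROLE_RANK, enforce) is a simplified stand-in.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# reader < member < admin; stands in for keystone's implied-role expansion
ROLE_RANK = {"reader": 0, "member": 1, "admin": 2}


@dataclass(frozen=True)
class Credentials:
    """Token context: the roles it carries and the scope it was issued for."""
    roles: FrozenSet[str]
    system_scope: bool = False
    domain_id: Optional[str] = None
    project_id: Optional[str] = None

    @property
    def scope(self) -> str:
        if self.system_scope:
            return "system"
        if self.domain_id is not None:
            return "domain"
        if self.project_id is not None:
            return "project"
        return "unscoped"


@dataclass(frozen=True)
class Rule:
    """Minimum role required plus the scope types the rule accepts.
    An empty scope_types set means the rule predates scope types and
    accepts any scope."""
    required_role: str
    scope_types: FrozenSet[str] = frozenset()


IDP_ACTIONS = [
    "identity:get_identity_provider",
    "identity:list_identity_providers",
    "identity:create_identity_provider",
    "identity:update_identity_provider",
    "identity:delete_identity_provider",
]
READ_ACTIONS = IDP_ACTIONS[:2]

# Shape of the obsolete policy.v3cloudsample.json entries: admin for every
# operation and no scope type, so "admin" on a project or domain token passes.
OLD_POLICY: Dict[str, Rule] = {a: Rule("admin") for a in IDP_ACTIONS}

# Shape of the scope-typed defaults the bug refers to: system scope only,
# reader (and therefore member) for reads, admin for writes.
SYSTEM = frozenset({"system"})
NEW_POLICY: Dict[str, Rule] = {
    a: Rule("reader" if a in READ_ACTIONS else "admin", SYSTEM)
    for a in IDP_ACTIONS
}


def enforce(policy: Dict[str, Rule], action: str, creds: Credentials,
            enforce_scope: bool = True) -> bool:
    """Return True if creds may perform action under policy.

    With enforce_scope the token's scope must be one the rule was written
    for before the role is even considered; with it off, only the role is
    checked (assumed to mirror oslo.policy's enforce_scope=False, which
    warns instead of failing on a scope mismatch)."""
    rule = policy[action]
    if enforce_scope and rule.scope_types and creds.scope not in rule.scope_types:
        return False
    needed = ROLE_RANK[rule.required_role]
    return any(ROLE_RANK.get(r, -1) >= needed for r in creds.roles)


def allowed_actions(policy: Dict[str, Rule], creds: Credentials,
                    enforce_scope: bool = True) -> List[str]:
    """List the idp actions creds may perform, in IDP_ACTIONS order."""
    return [a for a in IDP_ACTIONS if enforce(policy, a, creds, enforce_scope)]


if __name__ == "__main__":
    system_reader = Credentials(frozenset({"reader"}), system_scope=True)
    project_admin = Credentials(frozenset({"admin"}), project_id="p1")
    for label, creds in [("system reader", system_reader),
                         ("project admin", project_admin)]:
        print(label, "old:", allowed_actions(OLD_POLICY, creds))
        print(label, "new:", allowed_actions(NEW_POLICY, creds))
```

Running it shows the two tables disagree in exactly the ways the bug describes: under `OLD_POLICY` a project-scoped admin passes every idp check and a system reader passes none, while under `NEW_POLICY` with `enforce_scope=True` the system reader gets the two read operations, the system admin gets everything, and project- or domain-scoped tokens get nothing regardless of role.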

tags: added: policy
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
description: updated

Related fix proposed to branch: master
Review: https://review.openstack.org/619372

Related fix proposed to branch: master
Review: https://review.openstack.org/619373

Related fix proposed to branch: master
Review: https://review.openstack.org/619374

Related fix proposed to branch: master
Review: https://review.openstack.org/619375

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/619371
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=27bf50d127e0f194a839ccfd02ba510656811c84
Submitter: Zuul
Branch: master

commit 27bf50d127e0f194a839ccfd02ba510656811c84
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 21:38:21 2018 +0000

    Update idp policies for system reader

    The idp policies were not taking the default roles work we did
    last release into account. This commit changes the default policies
    to rely on the ``reader`` role for get and list idps. Subsequent
    patches will incorporate:

     - system member test coverage
     - system admin functionality
     - domain users test coverage
     - project users test coverage

    Related-Bug: 1804517
    Related-Bug: 1804516

    Change-Id: I18c041846010cd985a4bd40aaac011354345fcfa

Reviewed: https://review.openstack.org/619372
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c347c4ff2f2e7c057da2ff0c658a3079580df41f
Submitter: Zuul
Branch: master

commit c347c4ff2f2e7c057da2ff0c658a3079580df41f
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 21:52:20 2018 +0000

    Add idp tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writable idp operations to the
    ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role is
    allowed to perform readable and not writable idp operations.
    Subsequent patches will incorporate:

     - system admin functionality
     - domain users test coverage
     - project users test coverage

    Related-Bug: 1804517
    Related-Bug: 1804516

    Change-Id: Ib738c18380f567d0a0b24e218350c9e1cd33691f

Reviewed: https://review.openstack.org/619373
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a4c5d804395f20d0c8832ae6ed9a7594926bf981
Submitter: Zuul
Branch: master

commit a4c5d804395f20d0c8832ae6ed9a7594926bf981
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 21:58:24 2018 +0000

    Update idp policies for system admin

    This change makes the policy definitions for admin idp operations
    consistent with the other idp policies. Subsequent patches will
    incorporate:

     - domain users test coverage
     - project users test coverage

    Related-Bug: 1804517
    Closes-Bug: 1804516

    Change-Id: I6d6a19d95d8970362993c83e70cf23c989ae45e3

Reviewed: https://review.openstack.org/619374
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=caf147ad0c3ebe0153f4c90c8d3cf43616ccf92b
Submitter: Zuul
Branch: master

commit caf147ad0c3ebe0153f4c90c8d3cf43616ccf92b
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 22:15:56 2018 +0000

    Add tests for domain users interacting with idps

    This commit introduces some tests that show how domain users are
    expected to behave with the federated identity provider API. A
    subsequent patch will do the same for project users.

    Change-Id: Ie48c8001aec9ef8f3e2d7540d7dd7e8e2231c811
    Related-Bug: 1804517

Reviewed: https://review.openstack.org/619375
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=774da554ea9ef2aaefa5ed5558bc857a9d5a0be9
Submitter: Zuul
Branch: master

commit 774da554ea9ef2aaefa5ed5558bc857a9d5a0be9
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 22:21:20 2018 +0000

    Add tests for project users interacting with idps

    This commit introduces some tests that show how project users
    are expected to behave with the federated identity provider API.
    A subsequent patch will clean up the now obsolete policies in the
    policy.v3cloudsample.json file.

    Change-Id: If4a7547738e40c100330272a0fa587cf444174d0
    Related-Bug: 1804517

Reviewed: https://review.openstack.org/619376
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c0e6d4498a7e6091212b2618a537eb786595397c
Submitter: Zuul
Branch: master

commit c0e6d4498a7e6091212b2618a537eb786595397c
Author: Lance Bragstad <email address hidden>
Date: Wed Nov 21 22:26:25 2018 +0000

    Remove idp policies from policy.v3cloudsample.json

    By incorporating system-scope and default roles, we've effectively
    made these policies obsolete. We can simplify what we maintain and
    provide a more consistent, unified view of default idp behavior
    by removing them.

    Change-Id: I6091d1cdbc4e1fa3a3d5f83a707f003416a43ea0
    Closes-Bug: 1804517

Changed in keystone:
status: In Progress → Fix Released
Colleen Murphy (krinkle) on 2019-02-26
Changed in keystone:
milestone: none → stein-3

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
