Remove obsolete mapping policies from policy.v3cloudsample.json

Bug #1804519 reported by Lance Bragstad on 2018-11-21
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Medium
Lance Bragstad

Bug Description

Once support for scope types landed in the mapping API policies, the policies in policy.v3cloudsample.json became obsolete [0][1].

We should add formal protection for the policies with enforce_scope = True in keystone.tests.unit.protection.v3 and remove the old policies from the v3 sample policy file.

This will reduce confusion by having a true default policy for mappings.

[0] https://review.openstack.org/#/c/525701/
[1] https://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json?id=fb73912d87b61c419a86c0a9415ebdcf1e186927#n210

tags: added: policy
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium

Related fix proposed to branch: master
Review: https://review.openstack.org/619613

Related fix proposed to branch: master
Review: https://review.openstack.org/619614

Related fix proposed to branch: master
Review: https://review.openstack.org/619615

Related fix proposed to branch: master
Review: https://review.openstack.org/619616

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/619612
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cc256054c0d16801bcd241148793ab741e0d2995
Submitter: Zuul
Branch: master

commit cc256054c0d16801bcd241148793ab741e0d2995
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 22 14:58:58 2018 +0000

    Update mapping policies for system reader

    The mapping policies were not taking the default roles work we did
    last release into account. This commit changes the default policies
    to rely on the ``reader`` role for get and list mappings. Subsequent
    patches will incorporate:

     - system member
     - system admin
     - domain users
     - project users

     Related-Bug: 1804519
     Related-Bug: 1804521

    Change-Id: I2fe143dc75dd702665ea1ba643d4ae7700b748ac

Reviewed: https://review.openstack.org/619613
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=57b3eb01623d286a5f3f69865a3f92178e6a5d8d
Submitter: Zuul
Branch: master

commit 57b3eb01623d286a5f3f69865a3f92178e6a5d8d
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 22 15:58:23 2018 +0000

    Add mapping tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same. This is primarily because the member role is
    really meant for project members and project-specific resources, which
    doesn't apply to mapping resources.

    This commit adds explicit testing to make sure the ``member`` role
    is allowed to perform readable and not writable mapping operations.
    Subsequent patches will incorporate:

     - system admin functionality
     - testing for domain users
     - testing for project users

     Related-Bug: 1804519
     Related-Bug: 1804521

    Change-Id: I8a7ecd37f4db59fb8e10b68b03bbaea543484e6d

Reviewed: https://review.openstack.org/619614
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e94dff934a07aabfce5cf23943cb338b07093912
Submitter: Zuul
Branch: master

commit e94dff934a07aabfce5cf23943cb338b07093912
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 22 16:09:43 2018 +0000

    Update mapping policies for system admin

    This change makes the policy definitions for admin mapping operations
    consistent with the other mapping policies. Subsequent patches will
    incorporate:

     - testing for domain users
     - testing for project users

    Change-Id: Iad665112c73de41e2c1727a557fe5255e89b3fb6
    Related-Bug: 1804519
    Closes-Bug: 1804521

Reviewed: https://review.openstack.org/619615
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ef529f29017b6d3ee79c9a1045da5d6d125f2df3
Submitter: Zuul
Branch: master

commit ef529f29017b6d3ee79c9a1045da5d6d125f2df3
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 22 16:20:13 2018 +0000

    Add tests for domain users interacting with mappings

    This commit introduces some tests that show how domain users are
    expected to behave with the federated mapping API. A
    subsequent patch will do the same for project users.

    Change-Id: I743100a8e3a5c272a96e6679243d30199461958f
    Related-Bug: 1804519

Reviewed: https://review.openstack.org/619616
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e4e258a5dccd6188564d54305ad6e3d1805c17d8
Submitter: Zuul
Branch: master

commit e4e258a5dccd6188564d54305ad6e3d1805c17d8
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 22 16:28:53 2018 +0000

    Add tests for project users interacting with mappings

    This commit introduces some tests that show how project users
    are expected to behave with the federated mappings API.
    A subsequent patch will clean up the now obsolete policies in the
    policy.v3cloudsample.json file.

    Change-Id: I4c8d8dd8474a8374d68458e3903c379ee44bc731
    Related-Bug: 1804519

Changed in keystone:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/619617
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=65f76c17220ae6db70daf34146ea43412f1ef79d
Submitter: Zuul
Branch: master

commit 65f76c17220ae6db70daf34146ea43412f1ef79d
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 22 16:34:40 2018 +0000

    Remove mapping policies from policy.v3cloudsample.json

    By incorporating system-scope and default roles, we've effectively
    made these policies obsolete. We can simplify what we maintain and
    provide a more consistent, unified view of default mapping
    behavior by removing them.

    Change-Id: Ie01b5a79aaf363b3783c92578f56654b993b5e76
    Closes-Bug: 1804519

Colleen Murphy (krinkle) on 2019-02-21
Changed in keystone:
milestone: none → stein-3

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers