Mapping API doesn't use default roles

Bug #1804521 reported by Lance Bragstad
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Lance Bragstad

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The federated mapping API doesn't incorporate these defaults into its default policies [1], but it should.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/mapping.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
tags: added: default-roles policy
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/619612

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/619613

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/619614

OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/619612
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cc256054c0d16801bcd241148793ab741e0d2995
Submitter: Zuul
Branch: master

commit cc256054c0d16801bcd241148793ab741e0d2995
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 22 14:58:58 2018 +0000

    Update mapping policies for system reader

    The mapping policies were not taking the default roles work we did
    last release into account. This commit changes the default policies
    to rely on the ``reader`` role for get and list mappings. Subsequent
    patches will incorporate:

     - system member
     - system admin
     - domain users
     - project users

     Related-Bug: 1804519
     Related-Bug: 1804521

    Change-Id: I2fe143dc75dd702665ea1ba643d4ae7700b748ac

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/619613
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=57b3eb01623d286a5f3f69865a3f92178e6a5d8d
Submitter: Zuul
Branch: master

commit 57b3eb01623d286a5f3f69865a3f92178e6a5d8d
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 22 15:58:23 2018 +0000

    Add mapping tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same. This is primarily because the member role is
    really meant for project members and project-specific resources, which
    doesn't apply to mapping resources.

    This commit adds explicit testing to make sure the ``member`` role
    is allowed to perform readable and not writable mapping operations.
    Subsequent patches will incorporate:

     - system admin functionality
     - testing for domain users
     - testing for project users

     Related-Bug: 1804519
     Related-Bug: 1804521

    Change-Id: I8a7ecd37f4db59fb8e10b68b03bbaea543484e6d

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/619614
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e94dff934a07aabfce5cf23943cb338b07093912
Submitter: Zuul
Branch: master

commit e94dff934a07aabfce5cf23943cb338b07093912
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 22 16:09:43 2018 +0000

    Update mapping policies for system admin

    This change makes the policy definitions for admin mapping operations
    consistent with the other mapping policies. Subsequent patches will
    incorporate:

     - testing for domain users
     - testing for project users

    Change-Id: Iad665112c73de41e2c1727a557fe5255e89b3fb6
    Related-Bug: 1804519
    Closes-Bug: 1804521

Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → stein-3
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
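
Added example (not part of the bug report and not keystone's code): a small evaluator for the access matrix the three commits above describe, where ``reader`` and ``member`` on the system can get and list mappings and only a system ``admin`` can write them. The policy names, the check strings, the admin/member/reader implication chain and the credentials are assumptions made for illustration.

```python
# Added illustration, not keystone code. Check strings and policy names are
# assumptions modelled on the commit messages; credentials are constructed.
IMPLIES = {"admin": {"member", "reader"}, "member": {"reader"}}

READ = "role:reader and system_scope:all"    # assumed system-reader check
WRITE = "role:admin and system_scope:all"    # assumed system-admin check
POLICIES = {
    "identity:get_mapping": READ,
    "identity:list_mappings": READ,
    "identity:create_mapping": WRITE,
    "identity:update_mapping": WRITE,
    "identity:delete_mapping": WRITE,
}

# Constructed token contexts: one scope each, as a scoped token would carry.
CREDS = {
    "system_reader": {"roles": ["reader"], "system_scope": "all"},
    "system_member": {"roles": ["member"], "system_scope": "all"},
    "system_admin": {"roles": ["admin"], "system_scope": "all"},
    "domain_admin": {"roles": ["admin"], "domain_id": "d1"},
    "project_member": {"roles": ["member"], "project_id": "p1"},
}

def effective_roles(roles):
    """Expand assigned roles with the ones they imply."""
    out = set(roles)
    for role in roles:
        out |= IMPLIES.get(role, set())
    return out

def enforce(check_str, creds):
    """Evaluate a flat 'kind:value and kind:value' check string."""
    roles = effective_roles(creds.get("roles", []))
    for term in check_str.split(" and "):
        kind, value = term.split(":", 1)
        # role terms use implied roles; scope terms must match the token
        ok = value in roles if kind == "role" else creds.get(kind) == value
        if not ok:
            return False
    return True

def allowed(user):
    """Sorted policy names the constructed user passes."""
    return sorted(p for p, c in POLICIES.items() if enforce(c, CREDS[user]))

if __name__ == "__main__":
    for user in CREDS:
        print(user, allowed(user))
```

Under these assumed check strings a domain-scoped or project-scoped token passes none of the mapping policies, whatever role it carries, because the scope term never matches.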
