Federated protocol API doesn't use default roles

Bug #1804523 reported by Lance Bragstad on 2018-11-21
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Assigned to: Lance Bragstad

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The protocol (federation) API doesn't incorporate these defaults into its default policies [1], but it should.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/protocol.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927
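To make the gap concrete, the following is an added example (not keystone's own policy code, and not from the linked commits) that models what the bug is asking for: a toy oslo.policy-style evaluator in which the protocol API's "before" policies are admin-only check strings and the "after" policies rely on the Rocky default roles, with `reader` for get/list and `admin` in system scope for writes. The check strings, rule names (`admin_required`, `system_reader`, `system_admin`), the action names and the implied-role map are assumptions for illustration; keystone's real definitions live in `keystone/common/policies/`.

```python
"""Toy model of default-role policies for the federation protocol API.

Added example, not keystone's code. Check strings follow a simplified
oslo.policy syntax (role:X, system_scope:all, rule:X, 'and', 'or'; no
parentheses). All rule names and check strings below are assumptions.
"""

# Assumed implied-role configuration: admin implies member, member implies
# reader, matching the three default roles introduced in Rocky.
ROLE_IMPLICATIONS = {"admin": {"member", "reader"}, "member": {"reader"}}

# Named rules referenced by the policies (assumed, simplified).
RULES = {
    "admin_required": "role:admin",
    "system_reader": "role:reader and system_scope:all",
    "system_admin": "role:admin and system_scope:all",
}

# "Before": every protocol operation requires the admin role, and nothing
# checks the token's scope.
PROTOCOL_POLICIES_OLD = {
    "identity:get_protocol": "rule:admin_required",
    "identity:list_protocols": "rule:admin_required",
    "identity:create_protocol": "rule:admin_required",
    "identity:update_protocol": "rule:admin_required",
    "identity:delete_protocol": "rule:admin_required",
}

# "After": reads fall to system reader (which member and admin imply),
# writes stay with system admin. Member gets no extra protocol rights.
PROTOCOL_POLICIES_NEW = {
    "identity:get_protocol": "rule:system_reader",
    "identity:list_protocols": "rule:system_reader",
    "identity:create_protocol": "rule:system_admin",
    "identity:update_protocol": "rule:system_admin",
    "identity:delete_protocol": "rule:system_admin",
}


def effective_roles(roles):
    """Expand a token's roles through the implied-role map."""
    out = set(roles)
    for role in roles:
        out |= ROLE_IMPLICATIONS.get(role, set())
    return out


def _check(term, creds):
    """Evaluate one 'kind:value' term against token credentials."""
    kind, _, value = term.partition(":")
    if kind == "rule":
        return evaluate(RULES[value], creds)
    if kind == "role":
        return value in effective_roles(creds.get("roles", ()))
    if kind == "system_scope":
        return creds.get("system_scope") == value
    raise ValueError(f"unknown check term {term!r}")


def evaluate(check_str, creds):
    """'or' binds loosest, 'and' tighter; terms are evaluated left to right."""
    return any(
        all(_check(term.strip(), creds) for term in conj.split(" and "))
        for conj in check_str.split(" or ")
    )


def enforce(policies, action, creds):
    """Return True if the credentials satisfy the policy for the action."""
    return evaluate(policies[action], creds)


# Constructed sample tokens: three system-scoped users, one project-scoped admin.
SYSTEM_READER = {"roles": ["reader"], "system_scope": "all"}
SYSTEM_MEMBER = {"roles": ["member"], "system_scope": "all"}
SYSTEM_ADMIN = {"roles": ["admin"], "system_scope": "all"}
PROJECT_ADMIN = {"roles": ["admin"], "project_id": "p-1"}


def compare(action, creds):
    """(old_result, new_result) for one action and one token."""
    return (enforce(PROTOCOL_POLICIES_OLD, action, creds),
            enforce(PROTOCOL_POLICIES_NEW, action, creds))


if __name__ == "__main__":
    for name, creds in [("system reader", SYSTEM_READER),
                        ("system member", SYSTEM_MEMBER),
                        ("system admin", SYSTEM_ADMIN),
                        ("project admin", PROJECT_ADMIN)]:
        for action in ("identity:list_protocols", "identity:create_protocol"):
            print(f"{name:14s} {action:26s} old={compare(action, creds)[0]!s:5s} "
                  f"new={compare(action, creds)[1]!s}")
```

Two things the table of results makes visible: under the old policies a system reader cannot even list protocols, while under the new ones reader and member can read but not write; and the old `role:admin` check ignores scope, so a project-scoped admin token could modify protocols, whereas the system-scoped rule rejects it.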

Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
tags: added: default-roles policy

Related fix proposed to branch: master
Review: https://review.openstack.org/625353

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/625352
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a3c3a62a1287d4af398581ec65549a314b061358
Submitter: Zuul
Branch: master

commit a3c3a62a1287d4af398581ec65549a314b061358
Author: Lance Bragstad <email address hidden>
Date: Fri Dec 14 20:29:26 2018 +0000

    Update protocol policies for system reader

    The protocol policies were not taking the default roles work
    we did last release into account. This commit changes the default
    policies to rely on the ``reader`` role for get and list protocols.
    Subsequent patches will incorporate:

     - system member test coverage
     - system admin functionality
     - domain users test coverage
     - project users test coverage

    Change-Id: I4e8887cffb882ab7a52ff6249f98fd026fc72dce
    Related-Bug: 1804523
    Related-Bug: 1806762

Reviewed: https://review.openstack.org/625353
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=85b87fa4795b94d918c88c74c1231468d61f0acc
Submitter: Zuul
Branch: master

commit 85b87fa4795b94d918c88c74c1231468d61f0acc
Author: Lance Bragstad <email address hidden>
Date: Fri Dec 14 21:00:05 2018 +0000

    Add protocol tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writable protocol operations
    to the ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role is
    allowed to perform readable and not writable protocol
    operations. Subsequent patches will incorporate:

     - system admin functionality
     - domain users test coverage
     - project users test coverage

    Related-Bug: 1804523
    Related-Bug: 1806762

    Change-Id: I55751a045cdb315c7534ee84a5c1fe5fb18aa65f

Reviewed: https://review.openstack.org/625354
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=87d93db90950065410e8fcb2866effc96c7153e4
Submitter: Zuul
Branch: master

commit 87d93db90950065410e8fcb2866effc96c7153e4
Author: Lance Bragstad <email address hidden>
Date: Fri Dec 14 21:13:35 2018 +0000

    Implement system admin role in protocol API

    This commit introduces the system admin role to the protocol API,
    making it consistent with other system-admin policy definitions.

    Subsequent patches will build on this work to expose more
    functionality to domain and project users:

     - domain user test coverage
     - project user test coverage

    Change-Id: I9384e0fdd95545f1afef65a5e97e8513b709f150
    Closes-Bug: 1804523
    Related-Bug: 1806762

Changed in keystone:
status: In Progress → Fix Released
Colleen Murphy (krinkle) on 2019-02-28
Changed in keystone:
milestone: none → stein-3

This issue was fixed in the openstack/keystone release candidate.
