Oauth1 Consumer API doesn't use default roles

Bug #1805363 reported by Lance Bragstad on 2018-11-27
Affects: OpenStack Identity (keystone)
Importance: Low
Assigned to: Colleen Murphy

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The consumer API doesn't incorporate these defaults into its default policies [1], but it should.

The oauth consumer API is system-specific, and shouldn't be accessible to domain or project users. For example, system administrators should be able to create, delete, and update consumers, while members and readers should only be able to get and list consumers.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/consumer.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
tags: added: default-roles policy
description: updated
Lance Bragstad (lbragstad) wrote :

We discussed this during the keystone virtual midcycle. Bumping the priority of this to Low since we don't know of anyone using oauth1.

It would still be good to add support for member and reader roles, though.

Changed in keystone:
importance: Medium → Low

Fix proposed to branch: master
Review: https://review.opendev.org/680793

Changed in keystone:
assignee: nobody → Colleen Murphy (krinkle)
status: Triaged → In Progress

Fix proposed to branch: master
Review: https://review.opendev.org/680794

Reviewed: https://review.opendev.org/680793
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7a6c020a549e63fbfebd72e5d945d2b1d5204990
Submitter: Zuul
Branch: master

commit 7a6c020a549e63fbfebd72e5d945d2b1d5204990
Author: Colleen Murphy <email address hidden>
Date: Fri Sep 6 19:03:33 2019 -0700

    Implement system reader for OAUTH1 consumers

    This change updates the OAUTH1 policies to understand the reader role.
    This also adds tests for both the system reader and system member users.

    Change-Id: I330d4d3d7373cdafdce207acb1cbab4e774bac65
    Partial-bug: #1805363

Reviewed: https://review.opendev.org/680794
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4f0c7394ede6ad479ff911bc373370f8b5e2f6f1
Submitter: Zuul
Branch: master

commit 4f0c7394ede6ad479ff911bc373370f8b5e2f6f1
Author: Colleen Murphy <email address hidden>
Date: Fri Sep 6 19:25:44 2019 -0700

    Implement system admin for OAUTH1 consumers

    This change deprecates the rule:admin_required policies for the
    create/update/delete actions of the OAUTH consumer API and replaces it
    with the system-specific check strings for the admin role.

    Change-Id: Id6742ff295ce206d0a4965465b0e9ec2ceab7cd5
    Closes-bug: #1805363
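The two commits above replace the single `rule:admin_required` check on every consumer action with the system-scoped reader/admin check strings the bug description asks for. The following is an added example written for this page, not keystone or oslo.policy code: a minimal evaluator for the subset of the oslo.policy check-string language these policies use (`role:`, `system_scope:`, `is_admin:`, `rule:`, `and`, `or`), applied to the consumer policies before and after the fix. The rule names `system_reader`/`system_admin`, the action names, and the three token contexts are assumptions constructed for the example; the check strings themselves mirror the pattern keystone's base policies use.

```python
"""Evaluate keystone-style policy check strings for the OAuth1 consumer API.

Stand-alone toy evaluator written for this page; it is not oslo.policy and
not keystone code. It supports only the check-string subset used here:
kind:value atoms, rule:<name> references, and 'and'/'or' with 'and'
binding tighter, as in oslo.policy.
"""

# Named rules (assumed names). admin_required is the legacy, scope-blind
# rule; the two system_* rules additionally require a system-scoped token.
RULES = {
    "admin_required": "role:admin or is_admin:1",
    "system_reader": "role:reader and system_scope:all",
    "system_admin": "role:admin and system_scope:all",
}

# Before the fix: every consumer action used rule:admin_required.
BEFORE = {
    "identity:get_consumer": "rule:admin_required",
    "identity:list_consumers": "rule:admin_required",
    "identity:create_consumer": "rule:admin_required",
    "identity:update_consumer": "rule:admin_required",
    "identity:delete_consumer": "rule:admin_required",
}

# After the fix: reads need a system reader, writes need a system admin.
AFTER = {
    "identity:get_consumer": "rule:system_reader",
    "identity:list_consumers": "rule:system_reader",
    "identity:create_consumer": "rule:system_admin",
    "identity:update_consumer": "rule:system_admin",
    "identity:delete_consumer": "rule:system_admin",
}


def _atom(atom, creds):
    """Evaluate one kind:value atom against a token's credential dict."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return check(RULES[value], creds)
    if kind == "role":
        # Role membership, case-insensitive, like oslo.policy's RoleCheck.
        return value.lower() in (r.lower() for r in creds.get("roles", []))
    # Generic attribute comparison: system_scope:all and is_admin:1 land here.
    return str(creds.get(kind)) == value


def check(expr, creds):
    """Evaluate a check string: OR of AND-clauses of atoms."""
    return any(
        all(_atom(a.strip(), creds) for a in clause.split(" and "))
        for clause in expr.split(" or ")
    )


def authorize(policies, action, creds):
    return check(policies[action], creds)


def allowed_actions(policies, creds):
    return sorted(a for a in policies if authorize(policies, a, creds))


# Constructed token contexts. Roles are listed after expansion of implied
# roles (admin implies member implies reader), as keystone does in tokens.
SYSTEM_ADMIN = {"roles": ["admin", "member", "reader"], "system_scope": "all"}
SYSTEM_READER = {"roles": ["reader"], "system_scope": "all"}
PROJECT_ADMIN = {"roles": ["admin", "member", "reader"], "project_id": "p1"}


if __name__ == "__main__":
    for name, creds in (("system admin", SYSTEM_ADMIN),
                        ("system reader", SYSTEM_READER),
                        ("project admin", PROJECT_ADMIN)):
        print(f"{name:14s} before: {allowed_actions(BEFORE, creds)}")
        print(f"{name:14s} after:  {allowed_actions(AFTER, creds)}")
```

The point the output makes is the one in the bug description: under the old rule a project-scoped admin can create, update and delete consumers, a system-specific resource, while a system reader can do nothing at all; under the new rules only a system-scoped admin can write, and system readers (and members, through role implication) can get and list. One operational caveat: oslo.policy's deprecation mechanism honours the deprecated check string alongside the new one for the deprecation period, so the tighter rule only takes effect once the old `rule:admin_required` path is no longer accepted.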

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.
