Oauth1 Consumer API doesn't use default roles

Bug #1805363 reported by Lance Bragstad
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Low
Assigned to: Colleen Murphy

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The consumer API doesn't incorporate these defaults into its default policies [1], but it should.

The oauth consumer API is system-specific, and shouldn't be accessible to domain or project users. For example, system administrators should be able to create, delete, and update consumers, while members and readers should only be able to get and list consumers.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/consumer.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
tags: added: default-roles policy
description: updated
Revision history for this message
Lance Bragstad (lbragstad) wrote :

We discussed this during the keystone virtual midcycle. Bumping the priority of this to Low since we don't know of anyone using oauth1.

It would still be good to add support for member and reader roles, though.

Changed in keystone:
importance: Medium → Low
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/680793

Changed in keystone:
assignee: nobody → Colleen Murphy (krinkle)
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/680794

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/680793
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7a6c020a549e63fbfebd72e5d945d2b1d5204990
Submitter: Zuul
Branch: master

commit 7a6c020a549e63fbfebd72e5d945d2b1d5204990
Author: Colleen Murphy <email address hidden>
Date: Fri Sep 6 19:03:33 2019 -0700

    Implement system reader for OAUTH1 consumers

    This change updates the OAUTH1 policies to understand the reader role.
    This also adds tests for both the system reader and system member users.

    Change-Id: I330d4d3d7373cdafdce207acb1cbab4e774bac65
    Partial-bug: #1805363

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/680794
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4f0c7394ede6ad479ff911bc373370f8b5e2f6f1
Submitter: Zuul
Branch: master

commit 4f0c7394ede6ad479ff911bc373370f8b5e2f6f1
Author: Colleen Murphy <email address hidden>
Date: Fri Sep 6 19:25:44 2019 -0700

    Implement system admin for OAUTH1 consumers

    This change deprecates the rule:admin_required policies for the
    create/update/delete actions of the OAUTH consumer API and replaces it
    with the system-specific check strings for the admin role.

    Change-Id: Id6742ff295ce206d0a4965465b0e9ec2ceab7cd5
    Closes-bug: #1805363
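
To make the before/after concrete for both the bug description above and the two commits, here is an added example (not keystone or oslo.policy code): a minimal evaluator for the subset of the oslo.policy check-string grammar these rules use, applied to the OAUTH1 consumer policies as they stood before (every action behind rule:admin_required) and after (reads behind the system reader check, writes behind the system admin check). The check strings follow keystone's SYSTEM_READER / SYSTEM_ADMIN pattern, "(role:reader and system_scope:all)"; the policy names, the credential dicts and the helper functions are constructed for illustration and are not copied from the consumer.py linked in the report. It also assumes, as keystone's default implied-role chain does, that a system admin token carries the implied member and reader roles.

```python
"""Stand-in evaluator for oslo.policy check strings (added example, not
keystone or oslo.policy code). Supports only what the consumer policies
need: role:<name>, <attr>:<value> generic checks, rule:<name>, 'and',
'or', and parentheses."""
import re

# Tokens: parentheses, the keywords 'and'/'or', or a key:value check.
TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|[A-Za-z_]+:[A-Za-z0-9_]+")

# Check strings modelled on keystone's base policy constants (assumption).
SYSTEM_ADMIN = "(role:admin and system_scope:all)"
SYSTEM_READER = "(role:reader and system_scope:all)"

# Before the fix: every consumer action sits behind the legacy rule, which
# only looks at the role name and ignores the token's scope.
OLD_RULES = {
    "admin_required": "role:admin or is_admin:1",
    "identity:get_consumer": "rule:admin_required",
    "identity:list_consumers": "rule:admin_required",
    "identity:create_consumer": "rule:admin_required",
    "identity:update_consumer": "rule:admin_required",
    "identity:delete_consumer": "rule:admin_required",
}

# After the fix: reads for system readers, writes for system admins.
NEW_RULES = {
    "identity:get_consumer": SYSTEM_READER,
    "identity:list_consumers": SYSTEM_READER,
    "identity:create_consumer": SYSTEM_ADMIN,
    "identity:update_consumer": SYSTEM_ADMIN,
    "identity:delete_consumer": SYSTEM_ADMIN,
}

# Constructed credential dicts standing in for the three token kinds.
# The admin token lists member/reader because keystone expands implied
# roles into the token (assumption about the default role chain).
SYSTEM_ADMIN_CREDS = {"roles": ["admin", "member", "reader"], "system_scope": "all"}
SYSTEM_READER_CREDS = {"roles": ["reader"], "system_scope": "all"}
PROJECT_ADMIN_CREDS = {"roles": ["admin", "member", "reader"], "project_id": "p1"}


def evaluate(check, creds, rules):
    """Evaluate one check string against a token's credential dict."""
    tokens = TOKEN.findall(check)
    pos = 0

    def atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            val = expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses in %r" % check)
            pos += 1
            return val
        kind, _, value = tok.partition(":")
        if kind == "rule":
            # RuleCheck: an unknown rule name denies rather than raising.
            return value in rules and evaluate(rules[value], creds, rules)
        if kind == "role":
            return value in creds.get("roles", ())
        # GenericCheck: compare the literal with the credential attribute,
        # so system_scope:all fails for a project-scoped token.
        return str(creds.get(kind)) == value

    def term():
        nonlocal pos
        val = atom()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            val = atom() and val  # always consume the right operand
        return val

    def expr():
        nonlocal pos
        val = term()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            val = term() or val
        return val

    result = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % check)
    return result


def enforce(action, creds, rules):
    """True if the token may perform the named API action."""
    return evaluate(rules[action], creds, rules)


def allowed_actions(creds, rules):
    """Sorted list of identity:* actions the token may perform."""
    return sorted(a for a in rules
                  if a.startswith("identity:") and enforce(a, creds, rules))


if __name__ == "__main__":
    for label, creds in (("system admin", SYSTEM_ADMIN_CREDS),
                         ("system reader", SYSTEM_READER_CREDS),
                         ("project admin", PROJECT_ADMIN_CREDS)):
        print(label, "before:", allowed_actions(creds, OLD_RULES))
        print(label, "after: ", allowed_actions(creds, NEW_RULES))
```

Running it shows the two halves of the bug: under the old rules a system reader can do nothing while a project-scoped admin can create and delete consumers, and under the new rules the reader gets get/list, the system admin gets everything, and the project admin gets nothing. One caveat for operators: because the second commit deprecates rule:admin_required rather than removing it, oslo.policy keeps honouring the old check alongside the new one (a logical OR) during the deprecation period, so the project-admin row only tightens once the deprecated rule is dropped or enforce_new_defaults is turned on.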

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 16.0.0.0rc1

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.
