Domain config API doesn't use default roles

Bug #1805366 reported by Lance Bragstad on 2018-11-27
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: Vishakha Agarwal

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The domain configuration API doesn't incorporate these defaults into its default policies [1], but it should.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/domain_config.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

tags: added: default-roles policy
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
Lance Bragstad (lbragstad) wrote :

We talked about this during the keystone virtual midcycle and wanted to note that the domain config API also has an API/policy that allows users to pull password security requirements for a domain.

This API and policy should be updated to also support domain-scoped tokens. Otherwise, the entire domain config API is system-specific and should remain that way in the future for security reasons (a domain admin shouldn't be able to set deployment configuration).

https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/domain_config.py#L74-L101
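The following is an added illustration written for this page, not keystone code and not oslo.policy itself. It implements only the small subset of the oslo.policy check-string syntax these rules need (`role:`, `system_scope:`, `domain_id:`, `project_domain_id:`, `%(target.x)s` substitution, `and`/`or` with parentheses around `and`-groups) and evaluates a constructed "before" table (the old `admin_required` style) and a constructed "after" table (system scope plus the default roles, with only the security-compliance lookup widened to domain- and project-scoped tokens) against sample tokens. The rule strings are a paraphrase of the shape described in the bug description and the comment above, not text copied from keystone's `domain_config.py`; the token layouts and the `TOKENS`/`enforce`/`allowed_actions` names are assumptions of this example.

```python
"""Model of the domain-config policy change discussed in bug #1805366.

Added example, not keystone or oslo.policy code. It shows why a bare
``role:admin`` default is insufficient once default roles and system scope
exist: a domain admin satisfies it, yet the domain config API sets
deployment-wide configuration and should stay system-only.
"""
import re

# Constructed "before" table: every action behind the old admin_required rule.
OLD_POLICIES = {
    "identity:get_domain_config": "role:admin",
    "identity:create_domain_config": "role:admin",
    "identity:update_domain_config": "role:admin",
    "identity:delete_domain_config": "role:admin",
    "identity:get_security_compliance_domain_config": "role:admin",
}

# Constructed "after" table: a paraphrase of the system-scope/default-role
# shape, not copied from keystone/common/policies/domain_config.py.
SYSTEM_READER = "(role:reader and system_scope:all)"
SYSTEM_ADMIN = "(role:admin and system_scope:all)"
DOMAIN_READER = "(role:reader and domain_id:%(target.domain_id)s)"
PROJECT_READER = "(role:reader and project_domain_id:%(target.domain_id)s)"

NEW_POLICIES = {
    "identity:get_domain_config": SYSTEM_READER,
    "identity:create_domain_config": SYSTEM_ADMIN,
    "identity:update_domain_config": SYSTEM_ADMIN,
    "identity:delete_domain_config": SYSTEM_ADMIN,
    # Only the password-requirements lookup is opened to domain and project
    # tokens, and only for their own domain; the rest stays system-only.
    "identity:get_security_compliance_domain_config":
        " or ".join([SYSTEM_READER, DOMAIN_READER, PROJECT_READER]),
}

# Constructed sample tokens (assumed layout). Keystone expands implied roles
# into the token, so an admin token also carries member and reader.
TOKENS = {
    "system_reader": {"roles": ["reader"], "system_scope": "all"},
    "system_admin": {"roles": ["admin", "member", "reader"], "system_scope": "all"},
    "domain_admin_d1": {"roles": ["admin", "member", "reader"], "domain_id": "d1"},
    "project_reader_d1": {"roles": ["reader"], "project_id": "p1",
                          "project_domain_id": "d1"},
}

_PLACEHOLDER = re.compile(r"%\(([\w.]+)\)s")


def _substitute(rule, target):
    """Replace %(target.x)s with the request target's attribute.

    A missing target attribute becomes a value no token can carry, so the
    term fails closed instead of matching an absent credential.
    """
    return _PLACEHOLDER.sub(lambda m: str(target.get(m.group(1), "<missing>")), rule)


def _check(term, creds):
    """Evaluate one ``kind:value`` term against the token."""
    kind, _, value = term.strip().partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    return creds.get(kind) == value


def enforce(rule, creds, target=None):
    """True if any ``and``-group of the rule holds for this token.

    Mirrors oslo.policy precedence for this restricted syntax: ``and`` binds
    tighter than ``or``, and parentheses only ever wrap ``and``-groups, so
    they can be dropped after placeholder substitution.
    """
    flat = _substitute(rule, target or {}).replace("(", "").replace(")", "")
    return any(all(_check(t, creds) for t in group.split(" and "))
               for group in flat.split(" or "))


def allowed_actions(policies, creds, target=None):
    """Sorted list of actions the token may perform under a policy table."""
    return sorted(a for a, r in policies.items() if enforce(r, creds, target))


if __name__ == "__main__":
    target = {"target.domain_id": "d1"}
    for label, table in (("old", OLD_POLICIES), ("new", NEW_POLICIES)):
        for name, creds in TOKENS.items():
            print(f"{label:3} {name:18} {allowed_actions(table, creds, target)}")
```

Under the old table the domain admin can create, update and delete domain configuration; under the new table those actions require a system-scoped admin token, system readers get read-only access, and a domain admin or project reader can still read the password requirements for their own domain but not for another one.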

Changed in keystone:
assignee: nobody → Vishakha Agarwal (vishakha.agarwal)

Fix proposed to branch: master
Review: https://review.opendev.org/679623

Changed in keystone:
status: Triaged → In Progress

Fix proposed to branch: master
Review: https://review.opendev.org/679750

Fix proposed to branch: master
Review: https://review.opendev.org/679966

Fix proposed to branch: master
Review: https://review.opendev.org/680341

Fix proposed to branch: master
Review: https://review.opendev.org/680357

Reviewed: https://review.opendev.org/679623
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cc40014ec89afb55d054480057a323fee764d3b2
Submitter: Zuul
Branch: master

commit cc40014ec89afb55d054480057a323fee764d3b2
Author: Vishakha Agarwal <email address hidden>
Date: Mon Sep 2 16:44:58 2019 +0530

    Implement system reader & member for domain config API

    This change modifies the policies for domain config
    API to be more self-service by properly checking for
    system scopes. It also includes the test cases.

    Subsequent patches will -

     - add functionality for system admin for domain config API
     - domains user test coverage for domain config API
     - project user test coverage for domain config API
     - Removing obsolete policies in policy.v3cloudsample.json file

    Change-Id: I3c0a00d3fb77485f3e303f4ce5f90a7ea4301563
    Partial-Bug: #1805366

Reviewed: https://review.opendev.org/679750
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d278ad38adac8020036843706e1472b830d8b1f4
Submitter: Zuul
Branch: master

commit d278ad38adac8020036843706e1472b830d8b1f4
Author: Vishakha Agarwal <email address hidden>
Date: Tue Sep 3 16:32:47 2019 +0530

    Implement system admin for domain config API

    This change modifies the policies for domain config
    API to be more self-service by properly checking for
    system scopes. It also includes the test cases.

    Subsequent patches will -

     - domains user test coverage for domain config API
     - project user test coverage for domain config API
     - Removing obsolete policies in policy.v3cloudsample.json file

    Change-Id: I0a35fb8e5686c005a02268fdd512885b6f052447
    Partial-Bug: #1805366

Reviewed: https://review.opendev.org/679966
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5cefb91c41c1a3b45977ff6ee06d2541cd0c0aa4
Submitter: Zuul
Branch: master

commit 5cefb91c41c1a3b45977ff6ee06d2541cd0c0aa4
Author: Vishakha Agarwal <email address hidden>
Date: Wed Sep 4 16:39:25 2019 +0530

    Add Domain User for security compliance domain config API

    Allowing users with domain-scoped tokens to access
    the security compliance domain config policy which
    was previously accessible only to project and system-users.
    It includes the test cases too.

    Subsequent patches will -

     - project user test coverage for domain config API
     - Removing obsolete policies in policy.v3cloudsample.json file

    Change-Id: I3dd3334aa704ff2008a3d395d8563e5fb91fc1a6
    Partial-Bug: #1805366

Reviewed: https://review.opendev.org/680341
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f3e6bba5dc5be42582bbf4c913a67ca9c7a7af16
Submitter: Zuul
Branch: master

commit f3e6bba5dc5be42582bbf4c913a67ca9c7a7af16
Author: Vishakha Agarwal <email address hidden>
Date: Thu Sep 5 11:41:51 2019 +0530

    Add Project User coverage for domain config API

    This patch adds the test cases for project user coverage for
    domain config API.

    Subsequent patches will -

     - Removing obsolete policies in policy.v3cloudsample.json file

    Change-Id: If6a5ccca76e378b10d4af6a5f46dbaaa23b290bc
    Partial-Bug: #1805366

Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Colleen Murphy (krinkle)
Changed in keystone:
assignee: Colleen Murphy (krinkle) → Vishakha Agarwal (vishakha.agarwal)

Reviewed: https://review.opendev.org/680357
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=566f8e734d1b5416305b7ab04c6eda48f40e576b
Submitter: Zuul
Branch: master

commit 566f8e734d1b5416305b7ab04c6eda48f40e576b
Author: Vishakha Agarwal <email address hidden>
Date: Thu Sep 5 15:09:40 2019 +0530

    Remove system Domain Config from policy.v3cloudsample.json

    By relying on system-scope and default roles, these policies are now
    obsolete.

    Change-Id: I21473f757611cfd3299d0227eddef89d4ef624ff
    Partial-Bug: #1806762
    Closes-Bug: #1805366

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.
