Domain config API doesn't use default roles

Bug #1805366 reported by Lance Bragstad
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Vishakha Agarwal

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The domain configuration API doesn't incorporate these defaults into its default policies [1], but it should.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/domain_config.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

tags: added: default-roles policy
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
Lance Bragstad (lbragstad) wrote :

We talked about this during the keystone virtual midcycle and wanted to note that the domain config API also has an API/policy that allows users to pull password security requirements for a domain.

This API and policy should be updated to also support domain-scoped tokens. Otherwise, the entire domain config API is system-specific and should remain that way in the future for security reasons (a domain admin shouldn't be able to set deployment configuration).

https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/domain_config.py#L74-L101
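
Added example, not part of the bug report and not code from keystone or oslo.policy: a miniature evaluator for rule strings written in oslo.policy's syntax, used to show how the outcome of a domain config call changes when the policies move from the legacy rule:admin_required check to the default roles with system scope, and when domain scope is admitted for the security compliance policy only. The check strings, the scope_types lists, the target key target.domain_id, the four sample tokens and the enforce_scope flag (modelled on oslo.policy's option of the same name) are all constructed for this example; they mirror the shape of the change discussed above rather than reproducing keystone's policy file.

```python
# Added for this page: a miniature evaluator for oslo.policy-style rule strings.
# Not oslo.policy and not keystone code; rules, scope_types, target and tokens
# below are constructed to mirror the shape of the change, not keystone's file.
import re

# tokens: ( ) and or, or kind:match such as role:reader, system_scope:all,
# rule:admin_required, domain_id:%(target.domain_id)s
TOKEN_RE = re.compile(r"\(|\)|\band\b|\bor\b|[A-Za-z_]+:(?:%\([^)]*\)s|[^\s()])*")


class _Parser:
    """Recursive descent: 'or' binds loosest, 'and' tighter, parens group."""
    def __init__(self, rule):
        self.toks, self.pos = TOKEN_RE.findall(rule), 0
    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def parse(self):
        tree = self._or()
        if self._peek() is not None:
            raise ValueError("trailing token %r" % self._peek())
        return tree
    def _or(self):
        left = self._and()
        while self._peek() == "or":
            self.pos += 1
            left = ("or", left, self._and())
        return left
    def _and(self):
        left = self._atom()
        while self._peek() == "and":
            self.pos += 1
            left = ("and", left, self._atom())
        return left
    def _atom(self):
        tok, self.pos = self._peek(), self.pos + 1
        if tok == "(":
            inner = self._or()
            if self._peek() != ")":
                raise ValueError("unbalanced parentheses")
            self.pos += 1
            return inner
        if tok is None or tok in ("and", "or", ")"):
            raise ValueError("unexpected token %r" % tok)
        return ("check",) + tuple(tok.split(":", 1))


def _eval(node, target, creds, policies):
    if node[0] == "or":
        return any(_eval(n, target, creds, policies) for n in node[1:])
    if node[0] == "and":
        return all(_eval(n, target, creds, policies) for n in node[1:])
    _, kind, match = node
    if kind == "rule":  # reference to another named rule's check string
        return _passes(policies[match][0], target, creds, policies)
    if kind == "role":  # role carried by the token
        return match in creds.get("roles", ())
    # generic check: fill %(target.x)s from the target, compare with creds[kind]
    try:
        expected = match % target
    except KeyError:
        return False
    return kind in creds and str(creds[kind]) == expected


def _passes(check_str, target, creds, policies):
    if not check_str.strip():  # empty check string always passes
        return True
    return _eval(_Parser(check_str).parse(), target, creds, policies)


def decide(policy_name, target, creds, policies, enforce_scope=True):
    # returns 'allowed', 'forbidden' or 'invalid_scope'; policies maps
    # name -> (check_str, scope_types), scope_types None marking an alias rule
    check_str, scope_types = policies[policy_name]
    scope = "system" if "system_scope" in creds else "domain" if "domain_id" in creds else "project"
    if enforce_scope and scope_types and scope not in scope_types:
        return "invalid_scope"
    return "allowed" if _passes(check_str, target, creds, policies) else "forbidden"


# constructed "before": legacy admin_required alias and no default roles
BEFORE = {
    "admin_required": ("role:admin", None),
    "identity:get_domain_config": ("rule:admin_required", ["system", "project"]),
    "identity:update_domain_config": ("rule:admin_required", ["system", "project"]),
    "identity:get_security_compliance_domain_config": ("", ["system", "project"]),
}
# constructed "after": default roles with system scope for configuration, and
# domain scope admitted only for reading security compliance settings
AFTER = {
    "identity:get_domain_config": ("role:reader and system_scope:all", ["system"]),
    "identity:update_domain_config": ("role:admin and system_scope:all", ["system"]),
    "identity:get_security_compliance_domain_config": ("", ["system", "domain", "project"]),
}
TOKENS = {  # constructed sample credentials
    "system reader": {"roles": ["reader"], "system_scope": "all"},
    "system admin": {"roles": ["admin", "member", "reader"], "system_scope": "all"},
    "domain admin": {"roles": ["admin", "member", "reader"], "domain_id": "d1"},
    "project admin": {"roles": ["admin", "member", "reader"], "project_id": "p1"},
}
TARGET = {"target.domain_id": "d1"}  # constructed target

if __name__ == "__main__":
    for label, policies in (("before", BEFORE), ("after", AFTER)):
        for name in [n for n, (_, scopes) in policies.items() if scopes]:
            for who, creds in TOKENS.items():
                print(label, name, who, decide(name, TARGET, creds, policies))
```

Run directly, it prints the outcome of every policy/token pair under both sets. Two points worth checking whenever a policy change like this one is reviewed: the scope_types list only rejects a token when scope enforcement is turned on, so in the "after" set it is the check string (system_scope:all) rather than the scope list that keeps a domain- or project-scoped admin out of update_domain_config once enforcement is off; and in the "before" set a project-scoped token carrying the admin role passes rule:admin_required for the same call, which is the legacy behaviour the default roles replace.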

Changed in keystone:
assignee: nobody → Vishakha Agarwal (vishakha.agarwal)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/679623

Changed in keystone:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/679750

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/679966

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/680341

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/680357

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/679623
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cc40014ec89afb55d054480057a323fee764d3b2
Submitter: Zuul
Branch: master

commit cc40014ec89afb55d054480057a323fee764d3b2
Author: Vishakha Agarwal <email address hidden>
Date: Mon Sep 2 16:44:58 2019 +0530

    Implement system reader & member for domain config API

    This change modifies the policies for domain config
    API to be more self-service by properly checking for
    system scopes. It also includes the test cases.

    Subsequent patches will -

     - add functionality for system admin for domain config API
     - domains user test coverage for domain config API
     - project user test coverage for domain config API
     - Removing obsolete policies in policy.v3cloudsample.json file

    Change-Id: I3c0a00d3fb77485f3e303f4ce5f90a7ea4301563
    Partial-Bug: #1805366

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/679750
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d278ad38adac8020036843706e1472b830d8b1f4
Submitter: Zuul
Branch: master

commit d278ad38adac8020036843706e1472b830d8b1f4
Author: Vishakha Agarwal <email address hidden>
Date: Tue Sep 3 16:32:47 2019 +0530

    Implement system admin for domain config API

    This change modifies the policies for domain config
    API to be more self-service by properly checking for
    system scopes. It also includes the test cases.

    Subsequent patches will -

     - domains user test coverage for domain config API
     - project user test coverage for domain config API
     - Removing obsolete policies in policy.v3cloudsample.json file

    Change-Id: I0a35fb8e5686c005a02268fdd512885b6f052447
    Partial-Bug: #1805366

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/679966
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5cefb91c41c1a3b45977ff6ee06d2541cd0c0aa4
Submitter: Zuul
Branch: master

commit 5cefb91c41c1a3b45977ff6ee06d2541cd0c0aa4
Author: Vishakha Agarwal <email address hidden>
Date: Wed Sep 4 16:39:25 2019 +0530

    Add Domain User for security compliance domain config API

    Allowing users with domain-scoped tokens to access
    the security compliance domain config policy which
    was previously accessible only to project and system-users.
    It includes the test cases too.

    Subsequent patches will -

     - project user test coverage for domain config API
     - Removing obsolete policies in policy.v3cloudsample.json file

    Change-Id: I3dd3334aa704ff2008a3d395d8563e5fb91fc1a6
    Partial-Bug: #1805366

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/680341
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f3e6bba5dc5be42582bbf4c913a67ca9c7a7af16
Submitter: Zuul
Branch: master

commit f3e6bba5dc5be42582bbf4c913a67ca9c7a7af16
Author: Vishakha Agarwal <email address hidden>
Date: Thu Sep 5 11:41:51 2019 +0530

    Add Project User coverage for domain config API

    This patch adds the test cases for project user coverage for
    domain config API.

    Subsequent patches will -

     - Removing obsolete policies in policy.v3cloudsample.json file

    Change-Id: If6a5ccca76e378b10d4af6a5f46dbaaa23b290bc
    Partial-Bug: #1805366

Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Colleen Murphy (krinkle)
Changed in keystone:
assignee: Colleen Murphy (krinkle) → Vishakha Agarwal (vishakha.agarwal)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/680357
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=566f8e734d1b5416305b7ab04c6eda48f40e576b
Submitter: Zuul
Branch: master

commit 566f8e734d1b5416305b7ab04c6eda48f40e576b
Author: Vishakha Agarwal <email address hidden>
Date: Thu Sep 5 15:09:40 2019 +0530

    Remove system Domain Config from policy.v3cloudsample.json

    By relying on system-scope and default roles, these policies are now
    obsolete.

    Change-Id: I21473f757611cfd3299d0227eddef89d4ef624ff
    Partial-Bug: #1806762
    Closes-Bug: #1805366

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 16.0.0.0rc1

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.
