Implied role API doesn't support default roles

Bug #1805371 reported by Lance Bragstad on 2018-11-27
Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: Unassigned

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The implied roles API doesn't incorporate these defaults into its default policies [1], but it should.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/implied_role.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

tags: added: default-roles policy
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
Adam Young (ayoung) wrote:

Note that implied roles are used for domain specific roles. Thus, a domain admin should be able to create a rule where the explicit role is a domain specific role and the implied role is a global role or another domain specific role.

Given the following sample data, assuming role names and IDs are identical:

Domain Specific Roles:
Dom1R1
Dom2R2
Dom1R2
Dom2R2

Global Roles:
GlobalR1
Admin

Assignments:
User0 Admin Scoped to System
User1 Admin on Dom1
User2 Admin on Dom2

The following should be legal:
User1 can create a role Dom1R1 implies Admin
User1 can create a role Dom1R1 implies Dom1R2
User2 can create a role Dom2R1 implies Admin
User2 can create a role Dom2R2 implies Dom1R1
User0 can create a role Admin implies GlobalR1

The following should be enforced:
User1 cannot create a role Dom2R1 implies Admin
User1 cannot create a role Dom2R2 implies Dom1R1
User2 cannot create a role Dom1R1 implies Admin
User2 cannot create a role Dom1R1 implies Dom1R2
User1 or User2 cannot create a role Admin implies GlobalR1
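
The cases listed in the comment above, encoded as a runnable check. This is an added example, not keystone's policy code: the roles and assignments are constructed from the comment, a system-scoped admin may create any inference rule, and a domain admin may only create rules whose explicit (prior) role belongs to the domain they administer. That the implied role may be global or belong to another domain is taken from the listed cases, not from keystone, and is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Role:
    name: str
    domain_id: Optional[str] = None  # None marks a global role


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    system: bool = False              # True: system-scoped assignment
    domain_id: Optional[str] = None   # set for domain-scoped assignments


# Sample data constructed from the comment; role names double as IDs.
ROLES: Dict[str, Role] = {r.name: r for r in [
    Role("Dom1R1", "Dom1"), Role("Dom1R2", "Dom1"),
    Role("Dom2R1", "Dom2"), Role("Dom2R2", "Dom2"),
    Role("GlobalR1"), Role("Admin"),
]}

ASSIGNMENTS: List[Assignment] = [
    Assignment("User0", "Admin", system=True),
    Assignment("User1", "Admin", domain_id="Dom1"),
    Assignment("User2", "Admin", domain_id="Dom2"),
]


def can_create_implied_role(user: str, prior: str, implied: str,
                            roles: Dict[str, Role] = ROLES,
                            assignments: List[Assignment] = ASSIGNMENTS) -> bool:
    """Hypothetical check: may `user` create the rule `prior` implies `implied`?

    A system-scoped admin may create any rule. A domain admin may create a
    rule only when the prior role is domain specific to their own domain; the
    implied role is not restricted here (assumption from the listed cases).
    """
    if prior not in roles or implied not in roles:
        raise KeyError("unknown role")
    prior_domain = roles[prior].domain_id
    for a in assignments:
        if a.user != user or a.role != "Admin":
            continue
        if a.system:
            return True  # system admin: no restriction
        if a.domain_id is not None and prior_domain == a.domain_id:
            return True  # domain admin acting on a role of their own domain
    return False
```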
