Limit and registered limit API don't use default roles

Bug #1805372 reported by Lance Bragstad on 2018-11-27
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: Lance Bragstad

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The limit and registered limit APIs don't incorporate these defaults into their default policies [1], but they should.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/limit.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

tags: added: default-roles limits policy
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium

Related fix proposed to branch: master
Review: https://review.openstack.org/621015

Related fix proposed to branch: master
Review: https://review.openstack.org/621016

Related fix proposed to branch: master
Review: https://review.openstack.org/621020

Related fix proposed to branch: master
Review: https://review.openstack.org/621021

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/621014
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=216a4d5fc9e9d1f1956f26e7353cc9f09148aaf4
Submitter: Zuul
Branch: master

commit 216a4d5fc9e9d1f1956f26e7353cc9f09148aaf4
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 18:20:07 2018 +0000

    Add registered limit protection tests

    This commit creates a set of sets that we can reuse across different
    default roles and scopes to ensure everyone has access to registered
    limit information. Subsequent patches will make sure we build on this
    by incorporating default roles for:

     - system member test coverage
     - system admin functionality
     - domain user test coverage
     - project users test coverage

    Change-Id: Ibb28ec8f85bad6df531cffc7ba2c5f879e96d297
    Related-Bug: 1805372
    Related-Bug: 1805880

Reviewed: https://review.openstack.org/621015
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8658011e41c05f79694eb4df306e07a0db1ce9a9
Submitter: Zuul
Branch: master

commit 8658011e41c05f79694eb4df306e07a0db1ce9a9
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 18:27:04 2018 +0000

    Add registered limit tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writeable registered limit operations
    to the ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role
    is allowed to perform readable and not writable registered limits
    operations. Subsequent patches will incorporate:

     - system admin functionality
     - testing for domain users
     - testing for project users

    Change-Id: I6c428422f09e788faf2179d24cc01eb1ab623b64
    Related-Bug: 1805372
    Related-Bug: 1805880

Reviewed: https://review.openstack.org/621016
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4f5e462844b6bebf112b54b75db87165f9e3919b
Submitter: Zuul
Branch: master

commit 4f5e462844b6bebf112b54b75db87165f9e3919b
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 18:36:36 2018 +0000

    Update registered limit policies for system admin

    This change makes the policy definitions for admin registered limit
    operations consistent with the other registered limit
    policies. Subsequent patches will incorporate:

     - domain user test coverage
     - project user test coverage

    Change-Id: If0352220670fdf5c98d0820309817416466b1466
    Related-Bug: 1805372
    Related-Bug: 1805880

Reviewed: https://review.openstack.org/621020
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3fee2399901bfc91b5eb5dfc71d17b008dd4b7fb
Submitter: Zuul
Branch: master

commit 3fee2399901bfc91b5eb5dfc71d17b008dd4b7fb
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 20:45:44 2018 +0000

    Add limit protection tests

    This commit creates a set of sets that we can reuse across different
    default roles and scopes to ensure everyone has access to limit
    information. Subsequent patches will make sure we build on this
    by incorporating default roles for:

     - system member test coverage
     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Related-Bug: 1805372
    Related-Bug: 1805880

    Change-Id: I085578e715939c9b472df65bb3a50c0acf62f37e

Reviewed: https://review.openstack.org/621021
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4cf85fcd5de2f903c085ee3a6edefd3091017880
Submitter: Zuul
Branch: master

commit 4cf85fcd5de2f903c085ee3a6edefd3091017880
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 20:53:34 2018 +0000

    Add limit tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writeable limit operations to the
    ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role
    is allowed to perform readable and not writable limit operations.
    Subsequent patches will incorporate:

     - system admin functionality
     - testing for domain users
     - testing for project users

    Change-Id: I186251e77bf1b6459e0660da72f57bcdf799f319
    Related-Bug: 1805372
    Related-Bug: 1805880

Reviewed: https://review.openstack.org/621022
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1d4e40252884f054d692e82e170d3f69228ef7ee
Submitter: Zuul
Branch: master

commit 1d4e40252884f054d692e82e170d3f69228ef7ee
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 21:01:52 2018 +0000

    Update limit policies for system admin

    This change makes the policy definitions for admin limit
    operations consistent with the other limit
    policies. Subsequent patches will incorporate:

     - domain user test coverage
     - project user test coverage

    Change-Id: Id3f6159af505fbe81ff83cfaa346f2178f2d8e77
    Closes-Bug: 1805372
    Related-Bug: 1805880

Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → stein-3

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
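
The protection-test idea running through the commits above, as an added example that is not keystone's code: each role/scope persona is checked against every registered limit operation. The rule table, operation names, persona set and the admin → member → reader implication chain are assumptions modelled on the commit messages and the default-roles spec [0], and `enforce` is a simplified stand-in for an oslo.policy-style check string evaluator.

```python
# Added illustration, not keystone or oslo.policy code.
# Assumed implication chain from the default-roles spec: admin > member > reader.
IMPLIES = {"admin": {"member", "reader"}, "member": {"reader"}, "reader": set()}

# Assumed rule table: reads open to any authenticated user, writes restricted
# to the admin role on the system scope.
RULES = {
    "get_registered_limit": "",
    "list_registered_limits": "",
    "create_registered_limits": "role:admin and system_scope:all",
    "update_registered_limit": "role:admin and system_scope:all",
    "delete_registered_limit": "role:admin and system_scope:all",
}

PERSONAS = {  # constructed test personas, one per role/scope pair
    "system_reader": {"roles": ["reader"], "scope": "system"},
    "system_member": {"roles": ["member"], "scope": "system"},
    "system_admin": {"roles": ["admin"], "scope": "system"},
    "domain_admin": {"roles": ["admin"], "scope": "domain"},
    "project_admin": {"roles": ["admin"], "scope": "project"},
}

def expand_roles(assigned):
    """Return the assigned roles plus every role they imply."""
    seen, todo = set(), list(assigned)
    while todo:
        role = todo.pop()
        if role not in seen:
            seen.add(role)
            todo.extend(IMPLIES.get(role, ()))
    return seen

def enforce(rule, creds):
    """Evaluate an 'and'-joined check string; an empty string always passes."""
    roles = expand_roles(creds["roles"])
    for term in filter(None, (t.strip() for t in rule.split(" and "))):
        kind, _, value = term.partition(":")
        if kind == "role":
            ok = value in roles
        elif kind == "system_scope":
            ok = value == "all" and creds["scope"] == "system"
        else:
            ok = False  # unknown check kinds fail closed
        if not ok:
            return False
    return True

def allowed_operations(persona):
    """List the operations a persona may perform under RULES."""
    return sorted(op for op, rule in RULES.items() if enforce(rule, PERSONAS[persona]))
```

Comparing `allowed_operations` across personas gives the same allow/deny matrix the protection tests assert: identical results for reader and member, and write operations only for the system admin.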
