Limit and registered limit API don't use default roles

Bug #1805372 reported by Lance Bragstad on 2018-11-27
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: Lance Bragstad

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The limit and registered limit APIs don't incorporate these defaults into their default policies [1], but they should.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/limit.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

tags: added: default-roles limits policy
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium

Related fix proposed to branch: master
Review: https://review.openstack.org/621015

Related fix proposed to branch: master
Review: https://review.openstack.org/621016

Related fix proposed to branch: master
Review: https://review.openstack.org/621020

Related fix proposed to branch: master
Review: https://review.openstack.org/621021

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/621014
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=216a4d5fc9e9d1f1956f26e7353cc9f09148aaf4
Submitter: Zuul
Branch: master

commit 216a4d5fc9e9d1f1956f26e7353cc9f09148aaf4
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 18:20:07 2018 +0000

    Add registered limit protection tests

    This commit creates a set of tests that we can reuse across different
    default roles and scopes to ensure everyone has access to registered
    limit information. Subsequent patches will make sure we build on this
    by incorporating default roles for:

     - system member test coverage
     - system admin functionality
     - domain user test coverage
     - project users test coverage

    Change-Id: Ibb28ec8f85bad6df531cffc7ba2c5f879e96d297
    Related-Bug: 1805372
    Related-Bug: 1805880

Reviewed: https://review.openstack.org/621015
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8658011e41c05f79694eb4df306e07a0db1ce9a9
Submitter: Zuul
Branch: master

commit 8658011e41c05f79694eb4df306e07a0db1ce9a9
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 18:27:04 2018 +0000

    Add registered limit tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writeable registered limit operations
    to the ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role
    is allowed to perform readable and not writable registered limits
    operations. Subsequent patches will incorporate:

     - system admin functionality
     - testing for domain users
     - testing for project users

    Change-Id: I6c428422f09e788faf2179d24cc01eb1ab623b64
    Related-Bug: 1805372
    Related-Bug: 1805880

Reviewed: https://review.openstack.org/621016
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4f5e462844b6bebf112b54b75db87165f9e3919b
Submitter: Zuul
Branch: master

commit 4f5e462844b6bebf112b54b75db87165f9e3919b
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 18:36:36 2018 +0000

    Update registered limit policies for system admin

    This change makes the policy definitions for admin registered limit
    operations consistent with the other registered limit
    policies. Subsequent patches will incorporate:

     - domain user test coverage
     - project user test coverage

    Change-Id: If0352220670fdf5c98d0820309817416466b1466
    Related-Bug: 1805372
    Related-Bug: 1805880
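
The access pattern these commits test (registered limit reads open to everyone, writes isolated to a system-scoped ``admin``) can be sketched as a small model. This is an added example, not keystone or oslo.policy code: the policy names, check strings, personas and the tiny evaluator are illustrative assumptions, and only the admin → member → reader implication comes from the default-roles spec [0].

```python
# Added illustration: a simplified model, not keystone or oslo.policy code.
# Role implication from the default-roles work: admin -> member -> reader.
IMPLIES = {"admin": {"admin", "member", "reader"},
           "member": {"member", "reader"},
           "reader": {"reader"}}

# Assumed policy table (names and check strings are illustrative).
POLICIES = {
    "get_registered_limit": "",       # empty check string: anyone may read
    "list_registered_limits": "",
    "create_registered_limits": "role:admin and system_scope:all",
    "update_registered_limit": "role:admin and system_scope:all",
    "delete_registered_limit": "role:admin and system_scope:all",
}

def effective_roles(assigned):
    """Expand directly assigned roles with the roles they imply."""
    out = set()
    for role in assigned:
        out |= IMPLIES.get(role, {role})
    return out

def check(clause, creds):
    kind, _, value = clause.partition(":")
    if kind == "role":
        return value in effective_roles(creds["roles"])
    if kind == "system_scope":
        return creds.get("system_scope") == value
    raise ValueError(f"unsupported check: {clause!r}")

def enforce(policy, creds):
    """Evaluate an 'and'-joined check string; unknown policies raise KeyError."""
    rule = POLICIES[policy]
    return all(check(c.strip(), creds) for c in rule.split(" and ") if c.strip())

# Constructed personas mirroring the test coverage listed in the commits.
PERSONAS = {
    "system_reader": {"roles": ["reader"], "system_scope": "all"},
    "system_member": {"roles": ["member"], "system_scope": "all"},
    "system_admin": {"roles": ["admin"], "system_scope": "all"},
    "domain_admin": {"roles": ["admin"], "domain_id": "d1"},
    "project_admin": {"roles": ["admin"], "project_id": "p1"},
}

def access_matrix():
    """Return {persona: sorted list of policies that persona passes}."""
    return {name: sorted(p for p in POLICIES if enforce(p, creds))
            for name, creds in PERSONAS.items()}

if __name__ == "__main__":
    for persona, allowed in access_matrix().items():
        print(f"{persona:15} {', '.join(allowed)}")
```

In this model the domain and project personas hold ``admin`` yet pass only the read policies, because the write checks also require system scope.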
