OpenStack Identity (keystone)

Limit and registered limit API don't use default roles

Bug #1805372 reported by Lance Bragstad on 2018-11-27

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Medium	Lance Bragstad	OpenStack Identity (keystone) stein-3

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The limits and registered limits API don't incorporate these defaults into its default policies [1], but they should.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/limit.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

Tags:

Lance Bragstad (lbragstad) on 2018-11-27

tags:	added: default-roles limits policy
Changed in keystone:
status:	New → Triaged
importance:	Undecided → Medium

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-11-29: Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/621014

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-11-29:

Related fix proposed to branch: master
Review: https://review.openstack.org/621015

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-11-29:

Related fix proposed to branch: master
Review: https://review.openstack.org/621016

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-11-29:

Related fix proposed to branch: master
Review: https://review.openstack.org/621020

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-11-29:

Related fix proposed to branch: master
Review: https://review.openstack.org/621021

Changed in keystone:
assignee:	nobody → Lance Bragstad (lbragstad)
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-11-29: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/621022

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-12-06: Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/621014
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=216a4d5fc9e9d1f1956f26e7353cc9f09148aaf4
Submitter: Zuul
Branch: master

commit 216a4d5fc9e9d1f1956f26e7353cc9f09148aaf4
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 18:20:07 2018 +0000

Add registered limit protection tests

    This commit creates a set of sets that we can reuse across different
    default roles and scopes to ensure everyone has access to registered
    limit information. Subsequent patches will make sure we build on this
    by incorporating default roles for:

     - system member test coverage
     - system admin functionality
     - domain user test coverage
     - project users test coverage

    Change-Id: Ibb28ec8f85bad6df531cffc7ba2c5f879e96d297
    Related-Bug: 1805372
    Related-Bug: 1805880

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-12-06:

Reviewed: https://review.openstack.org/621015
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8658011e41c05f79694eb4df306e07a0db1ce9a9
Submitter: Zuul
Branch: master

commit 8658011e41c05f79694eb4df306e07a0db1ce9a9
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 18:27:04 2018 +0000

Add registered limit tests for system member role

    From keystone-perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writeable registered limit operations
    to the ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role
    is allowed to perform readable and not writable registered limits
    operations. Subsequent patches will incorporate:

     - system admin functionality
     - testing for domain users
     - testing for project users

    Change-Id: I6c428422f09e788faf2179d24cc01eb1ab623b64
    Related-Bug: 1805372
    Related-Bug: 1805880

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-12-12:

Reviewed: https://review.openstack.org/621016
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4f5e462844b6bebf112b54b75db87165f9e3919b
Submitter: Zuul
Branch: master

commit 4f5e462844b6bebf112b54b75db87165f9e3919b
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 18:36:36 2018 +0000

Update registered limit policies for system admin

    This change makes the policy definitions for admin registered limit
    operations consistent with the other registered limit
    policies. Subsequent patches will incorporate:

- domain user test coverage
- project user test coverage

    Change-Id: If0352220670fdf5c98d0820309817416466b1466
    Related-Bug: 1805372
    Related-Bug: 1805880

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-01-23:

#10

Reviewed: https://review.openstack.org/621020
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3fee2399901bfc91b5eb5dfc71d17b008dd4b7fb
Submitter: Zuul
Branch: master

commit 3fee2399901bfc91b5eb5dfc71d17b008dd4b7fb
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 20:45:44 2018 +0000

Add limit protection tests

    This commit creates a set of sets that we can reuse across different
    default roles and scopes to ensure everyone has access to limit
    information. Subsequent patches will make sure we build on this
    by incorporating default roles for:

     - system member test coverage
     - system admin functionality
     - domain user test coverage
     - project user test coverage

Related-Bug: 1805372
Related-Bug: 1805880

Change-Id: I085578e715939c9b472df65bb3a50c0acf62f37e

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-01-23:

#11

Reviewed: https://review.openstack.org/621021
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4cf85fcd5de2f903c085ee3a6edefd3091017880
Submitter: Zuul
Branch: master

commit 4cf85fcd5de2f903c085ee3a6edefd3091017880
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 20:53:34 2018 +0000

Add limit tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writeable limit operations to the
    ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role
    is allowed to perform readable and not writable limit operations.
    Subsequent patches will incorporate:

     - system admin functionality
     - testing for domain users
     - testing for project users

    Change-Id: I186251e77bf1b6459e0660da72f57bcdf799f319
    Related-Bug: 1805372
    Related-Bug: 1805880

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-12: Fix merged to keystone (master)

#12

Reviewed: https://review.openstack.org/621022
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1d4e40252884f054d692e82e170d3f69228ef7ee
Submitter: Zuul
Branch: master

commit 1d4e40252884f054d692e82e170d3f69228ef7ee
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 21:01:52 2018 +0000

Update limit policies for system admin

    This change makes the policy definitions for admin limit
    operations consistent with the other limit
    policies. Subsequent patches will incorporate:

- domain user test coverage
- project user test coverage

    Change-Id: Id3f6159af505fbe81ff83cfaa346f2178f2d8e77
    Closes-Bug: 1805372
    Related-Bug: 1805880

Changed in keystone:
status:	In Progress → Fix Released

Lance Bragstad (lbragstad) on 2019-02-14

Changed in keystone:
milestone:	none → stein-3

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-21: Fix included in openstack/keystone 15.0.0.0rc1

#13

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.