The v3 role API should account for different scopes

Bug #1805400 reported by Lance Bragstad on 2018-11-27
Affects: OpenStack Identity (keystone) | Importance: High | Assigned to: Lance Bragstad

Bug Description

Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the user API. This is documented in each patch with FIXMEs [0].

The following acceptance criteria describe how the v3 role API should behave with tokens from multiple scopes.

GET /roles/{role_id}

- Someone with a system role assignment that passes the check string should be able to check any role in the deployment (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to check any domain role within that domain (domain-scoped)

GET /roles

- Someone with a system role assignment that passes the check string should be able to list all roles in the deployment (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to list all domain roles within a domain (domain-scoped)

POST /roles

- Someone with a system role assignment that passes the check string should be able to create roles (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to create a role within the domain (domain-scoped)

DELETE /roles/{role_id}

- Someone with a system role assignment that passes the check string should be able to remove roles (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to remove a domain role (domain-scoped)

[0] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/role.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927#n21
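The acceptance criteria above, modelled as an added, self-contained check (this is illustration written for this page, not keystone or oslo.policy code): the action names, the assumed "admin" role in each check string, the Token/Role field names and the sample roles are all assumptions, and project-scoped tokens are deliberately out of scope here.

```python
"""Scope-aware enforcement model for the v3 role API acceptance criteria.

Added illustration, not keystone or oslo.policy code. The action names,
the required role name and the token/role field names are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Token:
    roles: frozenset                  # role names granted by the assignment
    system: bool = False              # True for a system-scoped token
    domain_id: Optional[str] = None   # set for a domain-scoped token


@dataclass(frozen=True)
class Role:
    id: str
    domain_id: Optional[str] = None   # None means a global role


# The role name each check string requires (assumed to be "admin" here).
REQUIRED_ROLE = {
    "identity:get_role": "admin",
    "identity:list_roles": "admin",
    "identity:create_role": "admin",
    "identity:delete_role": "admin",
}


def is_allowed(token: Token, action: str, target: Optional[Role]) -> bool:
    """True if the token may perform action on target.

    System scope + check string passes  -> any role in the deployment.
    Domain scope + check string passes  -> only roles owned by that domain;
    global roles (domain_id None) are never reachable from domain scope.
    """
    if REQUIRED_ROLE[action] not in token.roles:
        return False                  # check string fails regardless of scope
    if token.system:
        return True
    if token.domain_id is None:
        return False                  # project-scoped/unscoped: not covered here
    if action == "identity:list_roles":
        return True                   # the listing itself is filtered below
    return target is not None and target.domain_id == token.domain_id


def list_visible_roles(token: Token, roles: List[Role]) -> List[Role]:
    """GET /roles: everything for system scope, domain-owned roles otherwise."""
    if not is_allowed(token, "identity:list_roles", None):
        return []
    if token.system:
        return list(roles)
    return [r for r in roles if r.domain_id == token.domain_id]
```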

Changed in keystone:
status: New → Triaged
importance: Undecided → High
tags: added: policy system-scope
Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/622527
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=31eecfb2a42e44899ea2f72866be33cc7700db65
Submitter: Zuul
Branch: master

commit 31eecfb2a42e44899ea2f72866be33cc7700db65
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 18:16:34 2018 +0000

    Add tests for domain users interacting with roles

    This commit adds explicit tests that show how domain users
    are expected to behave with global roles. A subsequent patch
    will do the same for project users.

    Note that these changes are slightly different from the
    policy.v3cloudsample.json role policies. In policy.v3cloudsample.json,
    domain users were allowed to get and list global roles. So were
    project users. This behavior is changing because global roles are
    considered global resources of the deployment, and they should be
    managed by system users. Domain users should be able to add and remove
    domain specific roles, which will come in a subsequent series of
    patches. This approach is being taken because it is a safer default
    for a system level resource (roles) and still allows the same
    functionality for domain users through domain-specific roles.

    Change-Id: Ia1a7adf4431042ecea1b41e3c589c55112183ab5
    Partial-Bug: 1806713
    Partial-Bug: 1805400

Colleen Murphy (krinkle) on 2019-03-12
Changed in keystone:
milestone: none → stein-rc1
Colleen Murphy (krinkle) on 2019-03-20
Changed in keystone:
milestone: stein-rc1 → stein-rc2