OpenStack Identity (keystone)

The v3 role API should account for different scopes

Bug #1805400 reported by Lance Bragstad
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
High
Colleen Murphy
OpenStack Identity (keystone) stein-rc2

Bug Description

Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the user API. This is documented in each patch with FIXMEs [0].

The following acceptance criteria describe how the v3 role API should behave with tokens from multiple scopes.

GET /roles/{role_id}

- Someone with a system role assignment that passes the check string should be able to check any role in the deployment (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to check any domain role within that domain (domain-scoped)

GET /roles

- Someone with a system role assignment that passes the check string should be able to list all roles in the deployment (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to list all domain role within a domain (domain-scoped)

POST /roles

- Someone with a system role assignment that passes the check string should be able to create roles (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to create a role within the domain (domain-scoped)

DELETE /roles/{role_id}

- Someone with a system role assignment that passes the check string should be able to remove roles (system-scoped)
- Someone with a domain role assignment that passes the check string should be able to remove a domain role (domain-scoped)

[0] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/role.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927#n21

Lance Bragstad (lbragstad)
Changed in keystone:
status: New → Triaged
importance: Undecided → High
tags: added: policy system-scope
OpenStack Infra (hudson-openstack)
Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
Revision history for this message
Lance Bragstad (lbragstad) wrote :

https://review.openstack.org/#/c/622526/ and https://review.openstack.org/#/c/622524/ partially fix this.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/622527
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=31eecfb2a42e44899ea2f72866be33cc7700db65
Submitter: Zuul
Branch: master

commit 31eecfb2a42e44899ea2f72866be33cc7700db65
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 18:16:34 2018 +0000

    Add tests for domain users interacting with roles

    This commit adds explicit tests that show how domain users
    are expected to behave with global roles. A subsequent patch
    will do the same for project users.

    Note that these changes are slightly different from the
    policy.v3cloudsample.json role policies. In policy.v3cloudsample.json,
    domain users were allowed to get and list global roles. So were
    project users. This behavior is changing because global roles are
    considered global resources of the deployment, and they should be
    managed by system users. Domain users should be able to add and remove
    domain specific roles, which will come in a subsequent series of
    patches. This approach is being taken because it is a safer default
    for a system level resource (roles) and still allows the same
    functionality for domain users through domain-specific roles.

    Change-Id: Ia1a7adf4431042ecea1b41e3c589c55112183ab5
    Partial-Bug: 1806713
    Partial-Bug: 1805400

Colleen Murphy (krinkle)
Changed in keystone:
milestone: none → stein-rc1
Colleen Murphy (krinkle)
Changed in keystone:
milestone: stein-rc1 → stein-rc2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/680844

Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Colleen Murphy (krinkle)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/680844
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9b694fcd0846898be843d8779960de399497818d
Submitter: Zuul
Branch: master

commit 9b694fcd0846898be843d8779960de399497818d
Author: Colleen Murphy <email address hidden>
Date: Sat Sep 7 19:25:46 2019 -0700

    Implement system scope for domain role management

    The roles API was partially converted to use default roles and system
    scope but that work did not include converting the domain roles actions.
    This commit completes the rest of the work and closes out the system
    scope work for the roles API.

    Change-Id: Iea5a1559e9bece2c0f310170f05260a978e27b47
    Closes-bug: #1805400
    Partial-bug: #1805880

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 16.0.0.0rc1

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.