Role API doesn't use default roles

Bug #1805402 reported by Lance Bragstad on 2018-11-27
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: Lance Bragstad

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The roles API doesn't incorporate these defaults into its default policies [1], but it should.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/role.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
tags: added: default-roles policy

Related fix proposed to branch: master
Review: https://review.openstack.org/622525

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/622524
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=567f305b41414f1468147e5eba903871bfbe7392
Submitter: Zuul
Branch: master

commit 567f305b41414f1468147e5eba903871bfbe7392
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 15:45:42 2018 +0000

    Update role policies for system reader

    The role policies were not taking the default roles work we did last
    release into account. This commit changes the default policies to rely
    on the ``reader`` role for getting and listing roles. Subsequent
    patches will incorporate:

     - system member test coverage
     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Change-Id: I3e373c437ff0ffddba10bde59fd7f18f8be6498c
    Related-Bug: 1805402
    Related-Bug: 1806713

Reviewed: https://review.openstack.org/622525
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=dd9d06c6379d1f9cb046ae49406330a31bb63a09
Submitter: Zuul
Branch: master

commit dd9d06c6379d1f9cb046ae49406330a31bb63a09
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 15:50:41 2018 +0000

    Add role tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writable role operations to the
    ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role is
    allowed to perform readable and not writable role operations.
    Subsequent patches will incorporate:

     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Change-Id: I2bc3b65b6ef16adaa95e6299ac205b26797f7185
    Related-Bug: 1805402
    Related-Bug: 1806713

Reviewed: https://review.openstack.org/622526
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2ca4836a956b2d81728447d44efdff96e2ec39df
Submitter: Zuul
Branch: master

commit 2ca4836a956b2d81728447d44efdff96e2ec39df
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 18:07:07 2018 +0000

    Update role policies for system admin

    This change makes the policy definitions for admin role operations
    consistent with other role policies. Subsequent patches will
    incorporate:

     - domain user test coverage
     - project user test coverage

    Change-Id: I35a2af10d47e000ee6257ce16c52c7e49a62b033
    Related-Bug: 1806713
    Closes-Bug: 1805402

Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → stein-3

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
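
As an added illustration (not code from keystone or from this bug report), the access split described in the commit messages above can be modeled as follows: read operations on roles require reader, write operations require admin, and member behaves like reader. The check strings, the admin -> member -> reader implication chain and the personas are assumptions made for the example, and the evaluator is a simplified stand-in for oslo.policy.

```python
# Added illustration: a stand-in evaluator, not keystone or oslo.policy code.
# Assumed implied-role chain from the default-roles work: admin -> member -> reader.
IMPLIES = {"admin": "member", "member": "reader"}
# Assumed check strings: reads need reader, writes need admin, both system-scoped.
SYSTEM_READER = "role:reader and system_scope:all"
SYSTEM_ADMIN = "role:admin and system_scope:all"
ROLE_POLICIES = {
    "identity:get_role": SYSTEM_READER,
    "identity:list_roles": SYSTEM_READER,
    "identity:create_role": SYSTEM_ADMIN,
    "identity:update_role": SYSTEM_ADMIN,
    "identity:delete_role": SYSTEM_ADMIN,
}

# Constructed token contexts; the project id is a placeholder.
PERSONAS = {
    "system_reader": {"roles": ["reader"], "system_scope": "all"},
    "system_member": {"roles": ["member"], "system_scope": "all"},
    "system_admin": {"roles": ["admin"], "system_scope": "all"},
    "project_admin": {"roles": ["admin"], "project_id": "constructed-project"},
}

def effective_roles(assigned):
    """Expand directly assigned roles through the implication chain."""
    roles = set()
    for role in assigned:
        while role is not None and role not in roles:
            roles.add(role)
            role = IMPLIES.get(role)
    return roles

def enforce(action, creds):
    """True only if every clause of the action's rule holds for creds."""
    rule = ROLE_POLICIES.get(action)
    if rule is None:
        return False  # unknown action: fail closed
    roles = effective_roles(creds.get("roles", []))
    for clause in rule.split(" and "):
        kind, _, value = clause.partition(":")
        if kind == "role" and value in roles:
            continue
        if kind == "system_scope" and creds.get("system_scope") == value:
            continue
        return False  # clause failed or check kind unknown
    return True

def access_matrix(personas):
    """Map each persona to the sorted role-API actions it may perform."""
    return {name: sorted(a for a in ROLE_POLICIES if enforce(a, creds))
            for name, creds in personas.items()}
```

In this model, access_matrix(PERSONAS) gives the reader and member personas only the get and list actions, the system admin all five, and the project-scoped admin none, because its context carries no system scope.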
