OpenStack Identity (keystone)

Role API doesn't use default roles

Bug #1805402 reported by Lance Bragstad on 2018-11-27

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Medium	Lance Bragstad	OpenStack Identity (keystone) stein-3

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The roles API doesn't incorporate these defaults into its default policies [1], but it should.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/role.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

Tags:

Lance Bragstad (lbragstad) on 2018-11-27

Changed in keystone:
status:	New → Triaged
importance:	Undecided → Medium
tags:	added: default-roles policy

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-12-04: Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/622524

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-12-04:

Related fix proposed to branch: master
Review: https://review.openstack.org/622525

Changed in keystone:
assignee:	nobody → Lance Bragstad (lbragstad)
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-12-04: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/622526

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-12-07: Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/622524
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=567f305b41414f1468147e5eba903871bfbe7392
Submitter: Zuul
Branch: master

commit 567f305b41414f1468147e5eba903871bfbe7392
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 15:45:42 2018 +0000

Update role policies for system reader

    The role policies were not taking the default roles work we did last
    release into account. This commit changes the default policies to rely
    on the ``reader`` role for getting and listing roles. Subsequent
    patches will incorporate:

     - system member test coverage
     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Change-Id: I3e373c437ff0ffddba10bde59fd7f18f8be6498c
    Related-Bug: 1805402
    Related-Bug: 1806713

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-12-08:

Reviewed: https://review.openstack.org/622525
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=dd9d06c6379d1f9cb046ae49406330a31bb63a09
Submitter: Zuul
Branch: master

commit dd9d06c6379d1f9cb046ae49406330a31bb63a09
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 15:50:41 2018 +0000

Add role tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writable role operations to the
    ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role is
    allowed to perform readable and not writable role operations.
    Subsequent patches will incorporate:

     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Change-Id: I2bc3b65b6ef16adaa95e6299ac205b26797f7185
    Related-Bug: 1805402
    Related-Bug: 1806713

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-27: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/622526
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2ca4836a956b2d81728447d44efdff96e2ec39df
Submitter: Zuul
Branch: master

commit 2ca4836a956b2d81728447d44efdff96e2ec39df
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 18:07:07 2018 +0000

Update role policies for system admin

    This change makes the policy definitions for admin role operations
    consistent with other role policies. Subsequent patches will
    incorporate:

- domain user test coverage
- project user test coverage

    Change-Id: I35a2af10d47e000ee6257ce16c52c7e49a62b033
    Related-Bug: 1806713
    Closes-Bug: 1805402

Changed in keystone:
status:	In Progress → Fix Released

Lance Bragstad (lbragstad) on 2019-02-27

Changed in keystone:
milestone:	none → stein-3

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-21: Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.