OpenStack Identity (keystone)

Project API doesn't use default roles

Bug #1805403 reported by Lance Bragstad on 2018-11-27

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Medium	Lance Bragstad	OpenStack Identity (keystone) stein-2

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The projects API doesn't incorporate these defaults into its default policies [1], but it should.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/project.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

Tags:

Lance Bragstad (lbragstad) on 2018-11-27

Changed in keystone:
status:	New → Triaged
importance:	Undecided → Medium
tags:	added: default-roles policy

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-12-10: Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/624215

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-12-10:

Related fix proposed to branch: master
Review: https://review.openstack.org/624216

Changed in keystone:
assignee:	nobody → Lance Bragstad (lbragstad)
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-12-10: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/624217

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-01-09: Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/624215
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b35928d5dcd8615d11c199c68c512aaa1dca4ec9
Submitter: Zuul
Branch: master

commit b35928d5dcd8615d11c199c68c512aaa1dca4ec9
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 18:18:42 2018 +0000

Implement system reader role for projects

    This commit introduces the system reader role to the project API, making
    it easier for administrators to delegate subsets of responsibilities
    to the API by default.

Subsequent patches will incorporate:

      - system member test coverage
      - system admin functionality
      - domain reader functionality
      - domain member test coverage
      - domain admin functionality
      - project user test coverage

    Change-Id: I089ada1e314688e60f9041095138bc53cd465fa0
    Related-Bug: 1805403
    Related-Bug: 1750660
    Related-Bug: 1806762

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-01-09:

Reviewed: https://review.openstack.org/624216
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6037ac58de0fe599df9220a068e1ef054194187a
Submitter: Zuul
Branch: master

commit 6037ac58de0fe599df9220a068e1ef054194187a
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 18:45:25 2018 +0000

Implement system member role project test coverage

    This commit introduces explicit test coverage for system members,
    making sure they are allowed to do readable and not writable project
    operations.

Subsequent patches will incorporate:

      - system admin functionality
      - domain reader functionality
      - domain member test coverage
      - domain admin functionality
      - project user test coverage

    Change-Id: I69ff308ea528d54e0db8e475d047e3dbf356ed2f
    Related-Bug: 1805403
    Related-Bug: 1750660
    Related-Bug: 1806762

Changed in keystone:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-01-09: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/624217
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=718d122fe1595d59b4eab99c3a744bfe34941369
Submitter: Zuul
Branch: master

commit 718d122fe1595d59b4eab99c3a744bfe34941369
Author: Lance Bragstad <email address hidden>
Date: Mon Jan 7 20:48:11 2019 +0000

Implement system admin role in project API

This commit introduces the system admin role to the projects API,
making it consistent with other system-admin policy definitions.

Subsequent patches will build on this work to expose more
functionality to domain users:

     - domain reader functionality
     - domain member test coverage
     - domain admin functionality
     - project user test coverage

    Change-Id: Iceed65d34a8a7cff8841000d7703b1a48e95bb24
    Closes-Bug: 1805403
    Related-Bug: 1750660
    Related-Bug: 1806762

Lance Bragstad (lbragstad) on 2019-01-28

Changed in keystone:
milestone:	none → stein-2

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-21: Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.