Project API doesn't use default roles
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Medium
|
Lance Bragstad |
Bug Description
In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The projects API doesn't incorporate these defaults into its default policies [1], but it should.
[0] http://
[1] http://
Changed in keystone: | |
status: | New → Triaged |
importance: | Undecided → Medium |
tags: | added: default-roles policy |
OpenStack Infra (hudson-openstack) wrote : | #2 |
Related fix proposed to branch: master
Review: https:/
Changed in keystone: | |
assignee: | nobody → Lance Bragstad (lbragstad) |
status: | Triaged → In Progress |
Fix proposed to branch: master
Review: https:/
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit b35928d5dcd8615
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 18:18:42 2018 +0000
Implement system reader role for projects
This commit introduces the system reader role to the project API, making
it easier for administrators to delegate subsets of responsibilities
to the API by default.
Subsequent patches will incorporate:
- system member test coverage
- system admin functionality
- domain reader functionality
- domain member test coverage
- domain admin functionality
- project user test coverage
Change-Id: I089ada1e314688
Related-Bug: 1805403
Related-Bug: 1750660
Related-Bug: 1806762
OpenStack Infra (hudson-openstack) wrote : | #5 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 6037ac58de0fe59
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 18:45:25 2018 +0000
Implement system member role project test coverage
This commit introduces explicit test coverage for system members,
making sure they are allowed to do readable and not writable project
operations.
Subsequent patches will incorporate:
- system admin functionality
- domain reader functionality
- domain member test coverage
- domain admin functionality
- project user test coverage
Change-Id: I69ff308ea528d5
Related-Bug: 1805403
Related-Bug: 1750660
Related-Bug: 1806762
Changed in keystone: | |
status: | In Progress → Fix Released |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 718d122fe1595d5
Author: Lance Bragstad <email address hidden>
Date: Mon Jan 7 20:48:11 2019 +0000
Implement system admin role in project API
This commit introduces the system admin role to the projects API,
making it consistent with other system-admin policy definitions.
Subsequent patches will build on this work to expose more
functionality to domain users:
- domain reader functionality
- domain member test coverage
- domain admin functionality
- project user test coverage
Change-Id: Iceed65d34a8a7c
Closes-Bug: 1805403
Related-Bug: 1750660
Related-Bug: 1806762
Changed in keystone: | |
milestone: | none → stein-2 |
This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
Related fix proposed to branch: master /review. openstack. org/624215
Review: https:/