User API doesn't use default roles

Bug #1805406 reported by Lance Bragstad on 2018-11-27
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Medium
Lance Bragstad

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The users API doesn't incorporate these defaults into its default policies [1], but it should.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/user.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

Lance Bragstad (lbragstad) wrote :
Changed in keystone:
status: New → In Progress
importance: Undecided → Medium
tags: added: default-roles policy

Fix proposed to branch: master
Review: https://review.openstack.org/623317

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)

Fix proposed to branch: master
Review: https://review.openstack.org/623318

Reviewed: https://review.openstack.org/605485
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=40d3458fcb29df1daefce9455d1778e800cac378
Submitter: Zuul
Branch: master

commit 40d3458fcb29df1daefce9455d1778e800cac378
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 19:39:56 2018 +0000

    Implement system reader role for users

    This commit introduces the system reader role to the users API, making
    it easier for administrators to delegate subsets of responsibilities
    to the API by default. This commit also maintains the ability for
    any user to be able to fetch their own user reference.

    Subsequent patches will incorporate:

      - system member test coverage
      - system admin functionality
      - domain reader functionality
      - domain member test coverage
      - domain admin functionality
      - project user test coverage

    Change-Id: I9c362e515772540dfa93d05781d955009b9a154d
    Partial-Bug: 1805406
    Partial-Bug: 1748027
    Partial-Bug: 968696

Reviewed: https://review.openstack.org/623317
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4f724f2d9387dc83148dada41a0f9acb294026c2
Submitter: Zuul
Branch: master

commit 4f724f2d9387dc83148dada41a0f9acb294026c2
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 19:48:36 2018 +0000

    Implement system member role user test coverage

    This commit introduces explicit test coverage for system members,
    making sure they are allowed to do readable and not writable user
    operations.

    Subsequent patches will incorporate:

      - system admin functionality
      - domain reader functionality
      - domain member test coverage
      - domain admin functionality
      - project user test coverage

    Change-Id: Ibc837225154ba7bcd2f93938565b41ff0e8f4803
    Partial-Bug: 1805406
    Partial-Bug: 1748027
    Partial-Bug: 968696

Reviewed: https://review.openstack.org/623318
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=29fb7ae3952138ec05fd2434fe9cf5eccc8205f0
Submitter: Zuul
Branch: master

commit 29fb7ae3952138ec05fd2434fe9cf5eccc8205f0
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 19:59:36 2018 +0000

    Implement system admin role in users API

    This commit introduces the system admin role to the users API,
    making it consistent with other system-admin policy definitions.

    Subsequent patches will build on this work to expose more
    functionality to domain and project users:

     - domain reader functionality
     - domain member test coverage
     - domain admin functionality
     - project user test coverage

    Change-Id: I19bf5a562401100d9208f98515ce596f7ca20185
    Closes-Bug: 1805406
    Partial-Bug: 1748027
    Partial-Bug: 968696

Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → stein-3

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers