OpenStack Identity (keystone)

User API doesn't use default roles

Bug #1805406 reported by Lance Bragstad on 2018-11-27

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Medium	Lance Bragstad	OpenStack Identity (keystone) stein-3

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The users API doesn't incorporate these defaults into its default policies [1], but it should.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/user.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

Tags:

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2018-11-27:

https://review.openstack.org/#/c/611179/ is a start on this work.

Changed in keystone:
status:	New → In Progress
importance:	Undecided → Medium
tags:	added: default-roles policy

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-12-06: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/623317

Changed in keystone:
assignee:	nobody → Lance Bragstad (lbragstad)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-12-06:

Fix proposed to branch: master
Review: https://review.openstack.org/623318

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-06: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/605485
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=40d3458fcb29df1daefce9455d1778e800cac378
Submitter: Zuul
Branch: master

commit 40d3458fcb29df1daefce9455d1778e800cac378
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 19:39:56 2018 +0000

Implement system reader role for users

    This commit introduces the system reader role to the users API, making
    it easier for administrators to delegate subsets of responsibilities
    to the API by default. This commit also maintains the ability for
    any user to be able to fetch their own user reference.

Subsequent patches will incorporate:

      - system member test coverage
      - system admin functionality
      - domain reader functionality
      - domain member test coverage
      - domain admin functionality
      - project user test coverage

    Change-Id: I9c362e515772540dfa93d05781d955009b9a154d
    Partial-Bug: 1805406
    Partial-Bug: 1748027
    Partial-Bug: 968696

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-06:

Reviewed: https://review.openstack.org/623317
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4f724f2d9387dc83148dada41a0f9acb294026c2
Submitter: Zuul
Branch: master

commit 4f724f2d9387dc83148dada41a0f9acb294026c2
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 19:48:36 2018 +0000

Implement system member role user test coverage

    This commit introduces explicit test coverage for system members,
    making sure they are allowed to do readable and not writable user
    operations.

Subsequent patches will incorporate:

      - system admin functionality
      - domain reader functionality
      - domain member test coverage
      - domain admin functionality
      - project user test coverage

    Change-Id: Ibc837225154ba7bcd2f93938565b41ff0e8f4803
    Partial-Bug: 1805406
    Partial-Bug: 1748027
    Partial-Bug: 968696

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-06:

Reviewed: https://review.openstack.org/623318
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=29fb7ae3952138ec05fd2434fe9cf5eccc8205f0
Submitter: Zuul
Branch: master

commit 29fb7ae3952138ec05fd2434fe9cf5eccc8205f0
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 19:59:36 2018 +0000

Implement system admin role in users API

This commit introduces the system admin role to the users API,
making it consistent with other system-admin policy definitions.

Subsequent patches will build on this work to expose more
functionality to domain and project users:

     - domain reader functionality
     - domain member test coverage
     - domain admin functionality
     - project user test coverage

    Change-Id: I19bf5a562401100d9208f98515ce596f7ca20185
    Closes-Bug: 1805406
    Partial-Bug: 1748027
    Partial-Bug: 968696

Changed in keystone:
status:	In Progress → Fix Released

Lance Bragstad (lbragstad) on 2019-02-06

Changed in keystone:
milestone:	none → stein-3

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-21: Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.