The policy and policy endpoint APIs don't use default roles

Bug #1805409 reported by Lance Bragstad
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Wishlist
Assigned to: Vishakha Agarwal
Milestone: (none)

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The policy and policy endpoint APIs don't incorporate these defaults into their default policies [1][2], but they should.

However, both of these APIs are deprecated, which doesn't make this a high priority item. Opening this bug to be consistent in documenting gaps in default role implementations across keystone.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/policy.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927
[2] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/policy_association.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

Changed in keystone:
status: New → Triaged
importance: Undecided → Wishlist
tags: added: default-roles policy
Lance Bragstad (lbragstad) wrote :

This could also include support for only system-scope, since domain or project scoped users shouldn't be accessing this endpoint.
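
Added example, not part of the bug thread or of keystone's code: a self-contained sketch of how default policies built from the three default roles plus system scope would gate the policy API. The rule names, check strings and credential dicts are assumptions for illustration; the role implication (admin implies member implies reader) follows the default-roles spec [0].

```python
# Added illustration; not keystone or oslo.policy code.
# Role implication per the default-roles spec: admin -> member -> reader.
IMPLIED = {
    "admin": {"admin", "member", "reader"},
    "member": {"member", "reader"},
    "reader": {"reader"},
}

SYSTEM_READER = "role:reader and system_scope:all"
SYSTEM_ADMIN = "role:admin and system_scope:all"

# Assumed rule names and defaults for the policy API (not shown on this page).
POLICIES = {
    "identity:get_policy": SYSTEM_READER,
    "identity:list_policies": SYSTEM_READER,
    "identity:create_policy": SYSTEM_ADMIN,
    "identity:update_policy": SYSTEM_ADMIN,
    "identity:delete_policy": SYSTEM_ADMIN,
}

# Constructed token contexts: three system-scoped users, two non-system admins.
SYSTEM_READER_USER = {"roles": ["reader"], "system_scope": "all"}
SYSTEM_MEMBER_USER = {"roles": ["member"], "system_scope": "all"}
SYSTEM_ADMIN_USER = {"roles": ["admin"], "system_scope": "all"}
PROJECT_ADMIN_USER = {"roles": ["admin"], "project_id": "constructed-project"}
DOMAIN_ADMIN_USER = {"roles": ["admin"], "domain_id": "constructed-domain"}


def effective_roles(roles):
    """Expand assigned roles with the roles they imply."""
    expanded = set()
    for role in roles:
        expanded |= IMPLIED.get(role, {role})
    return expanded


def check(term, creds):
    """Evaluate one 'kind:value' term against a credential dict."""
    kind, _, value = term.partition(":")
    if kind == "role":
        return value in effective_roles(creds.get("roles", []))
    if kind == "system_scope":
        return creds.get("system_scope") == value
    return False  # unknown check kinds fail closed


def enforce(action, creds):
    """True only if every 'and'-joined term of the action's rule passes."""
    rule = POLICIES.get(action)
    if rule is None:
        return False  # unregistered actions are denied
    return all(check(t.strip(), creds) for t in rule.split(" and "))
```

With these defaults an admin role on a project or domain grants nothing on the policy API, because the `system_scope:all` term fails regardless of role.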

Changed in keystone:
assignee: nobody → Vishakha Agarwal (vishakha.agarwal)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/676162

Changed in keystone:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/676355

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/677781

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/677782

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/677961

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/677997

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/678467

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/678471

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/676162
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8f68b72e861a07675e6709307267cb31c7b96d00
Submitter: Zuul
Branch: master

commit 8f68b72e861a07675e6709307267cb31c7b96d00
Author: Vishakha Agarwal <email address hidden>
Date: Tue Aug 13 16:38:37 2019 +0530

    Implement system reader and member for policies

    This change modifies the policies for policies
    API to be more self-service by properly checking for
    system scopes. It also includes the test cases.

    Subsequent patches will -

     - add functionality for system admin
     - domains user test coverage
     - project user test coverage
     - add functionality for system reader for policy association
     - add functionality for system member for policy association
     - add functionality for system admin for policy association
     - domains user test coverage for policy association
     - project user test coverage for policy association
     - Removing obsolete policies in policy.v3cloudsample.json file

    Change-Id: Ie696616aa594025ba83d6f70ce98e4b48e20b5df
    Partial-Bug: #1805409

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/676355
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=fd15bcd66f76156d771b3a844c351119c48f8d15
Submitter: Zuul
Branch: master

commit fd15bcd66f76156d771b3a844c351119c48f8d15
Author: Vishakha Agarwal <email address hidden>
Date: Wed Aug 14 11:44:13 2019 +0530

    Implement system admin for policies

    This change modifies the policies for policies
    API to be more self-service by properly checking for
    system scopes. It also includes the test cases.

    Subsequent patches will -

     - domains user test coverage
     - project user test coverage
     - add functionality for system reader for policy association
     - add functionality for system member for policy association
     - add functionality for system admin for policy association
     - domains user test coverage for policy association
     - project user test coverage for policy association
     - Removing obsolete policies in policy.v3cloudsample.json file

    Change-Id: I7559159f81d78fe6d7d8917a2926f9e3073e7b81
    Partial-Bug: #1805409

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/677781
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f45a6f99d11df7b3de6063d108b12bb8fb1d1854
Submitter: Zuul
Branch: master

commit f45a6f99d11df7b3de6063d108b12bb8fb1d1854
Author: Vishakha Agarwal <email address hidden>
Date: Wed Aug 21 21:43:09 2019 +0530

    Add tests for domain users interacting with policies

    This commit introduces some tests that show how domain users are
    expected to behave with the policies API. Subsequent
    patches will -

     - add project user test coverage
     - add functionality for system reader for policy association
     - add functionality for system member for policy association
     - add functionality for system admin for policy association
     - domains user test coverage for policy association
     - project user test coverage for policy association
     - Removing obsolete policies in policy.v3cloudsample.json file

    Change-Id: I44b0553cc9c590cb4d5ec5d037a17e4ea9cb8667
    Partial-Bug: #1805409

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/677782
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0e52753898ba307306f8a9b47a217e5950dcde28
Submitter: Zuul
Branch: master

commit 0e52753898ba307306f8a9b47a217e5950dcde28
Author: Vishakha Agarwal <email address hidden>
Date: Wed Aug 21 21:52:59 2019 +0530

    Add tests for project users interacting with policies

    This commit introduces some tests that show how project users
    are expected to behave with the policies API.

    Subsequent patches will -

     - add functionality for system reader for policy association
     - add functionality for system member for policy association
     - add functionality for system admin for policy association
     - domains user test coverage for policy association
     - project user test coverage for policy association
     - Removing obsolete policies in policy.v3cloudsample.json file

    Change-Id: Ia234baf3cd361ef62e7ed59885ca9b1a610eaaa0
    Partial-Bug: #1805409

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/677961
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b831856af3a3cc3c2610e7fd44080c18f4ff77fb
Submitter: Zuul
Branch: master

commit b831856af3a3cc3c2610e7fd44080c18f4ff77fb
Author: Vishakha Agarwal <email address hidden>
Date: Thu Aug 22 16:25:47 2019 +0530

    Implement system reader & member for policy association

    This change modifies the policies for policy association
    API to be more self-service by properly checking for
    system scopes. It also includes the test cases.

    Subsequent patches will -

     - add functionality for system admin for policy association
     - domains user test coverage for policy association
     - project user test coverage for policy association
     - Removing obsolete policies in policy.v3cloudsample.json file

    Change-Id: I0b6ddc961d65301b4b95b0ba1c2515ef4a782d55
    Partial-Bug: #1805409

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/677997
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2d185a5a91e3057be8e38afae1bfbfc02ef2899e
Submitter: Zuul
Branch: master

commit 2d185a5a91e3057be8e38afae1bfbfc02ef2899e
Author: Vishakha Agarwal <email address hidden>
Date: Thu Aug 22 17:51:31 2019 +0530

    Implement system admin for policy association

    This change modifies the policies for policy
    association API to be more self-service by properly
    checking for system scopes. It also includes the test cases.

    Subsequent patches will -

     - add domains user test coverage for policy association
     - add project user test coverage for policy association
     - Removing obsolete policies in policy.v3cloudsample.json file
    Partial-Bug: #1805409

    Change-Id: I7ed54a378dc20680cd987142c71afc36cb1dbd25

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/678467
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2af630f06aa8c4636d8d705d88ea17656e5f84a1
Submitter: Zuul
Branch: master

commit 2af630f06aa8c4636d8d705d88ea17656e5f84a1
Author: Vishakha Agarwal <email address hidden>
Date: Mon Aug 26 12:03:52 2019 +0530

    Add tests for domain users for policy association

    This commit introduces some tests that show how domain users are
    expected to behave with the policy association API. Subsequent
    patches will -

     - project user test coverage for policy association
     - Removing obsolete policies in policy.v3cloudsample.json file
    Partial-Bug: #1805409

    Change-Id: If5953e3322c5f65deef0843c1be78ccf0df5b1ce

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/678471
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=296ea0f6d9280798c9dbeabf50641bc413e1a627
Submitter: Zuul
Branch: master

commit 296ea0f6d9280798c9dbeabf50641bc413e1a627
Author: Vishakha Agarwal <email address hidden>
Date: Mon Aug 26 12:15:25 2019 +0530

    Add tests for project users for policy association

    This commit introduces some tests that show how project users
    are expected to behave with the policy association API.

    A subsequent patch will -

    - Removing obsolete policies in policy.v3cloudsample.json file
    Partial-Bug: #1805409

    Change-Id: If0ac329ef42bb3671f15bc90670da12297870f8c

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/678475
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=704cb2590e2f4496a73a79b3eeb22656083b4081
Submitter: Zuul
Branch: master

commit 704cb2590e2f4496a73a79b3eeb22656083b4081
Author: Vishakha Agarwal <email address hidden>
Date: Mon Aug 26 12:58:55 2019 +0530

    Remove system policy and its association from policy.v3cloudsample.json

    By relying on system-scope and default roles, these policies are now
    obsolete.

    Change-Id: Ib2aa3e9023194ee578c617cdf2d53c6264c0e785
    Partial-Bug: #1806762
    Closes-Bug: #1805409

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 16.0.0.0rc1

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.
