The policy and policy endpoint APIs don't use default roles

Bug #1805409 reported by Lance Bragstad on 2018-11-27
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: Wishlist
Assigned to: Vishakha Agarwal

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The policy and policy endpoint APIs don't incorporate these defaults into their default policies [1][2], but they should.

However, both of these APIs are deprecated, which doesn't make this a high priority item. Opening this bug to be consistent in documenting gaps in default role implementations across keystone.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/policy.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927
[2] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/policy_association.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

Changed in keystone:
status: New → Triaged
importance: Undecided → Wishlist
tags: added: default-roles policy
Lance Bragstad (lbragstad) wrote :

This could also include support for only system-scope, since domain or project scoped users shouldn't be accessing this endpoint.
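
Added example, not part of the original report and not keystone or oslo.policy code: a simplified Python model of the behaviour this bug asks for, where the policies API is restricted to system scope and checked against the default roles. The rule names, the reader/admin mapping and the sample tokens are assumptions made for illustration.

```python
"""Simplified model of system-scoped default-role checks (constructed example)."""

# Default roles form a hierarchy: admin implies member, member implies reader.
IMPLIED = {"admin": {"admin", "member", "reader"},
           "member": {"member", "reader"},
           "reader": {"reader"}}

# Assumed mapping: read operations need reader, writes need admin,
# and every rule is restricted to system scope.
RULES = {
    "identity:get_policy": "reader",
    "identity:list_policies": "reader",
    "identity:create_policy": "admin",
    "identity:update_policy": "admin",
    "identity:delete_policy": "admin",
}
SCOPE_TYPES = {"system"}


def effective_roles(assigned):
    """Expand assigned roles with the roles they imply."""
    roles = set()
    for role in assigned:
        roles |= IMPLIED.get(role, {role})
    return roles


def authorize(rule, token):
    """Return True only if the token is system-scoped and holds the role."""
    if rule not in RULES:
        return False  # fail closed on unknown rules
    if token.get("scope") not in SCOPE_TYPES:
        return False  # domain- and project-scoped tokens never pass
    return RULES[rule] in effective_roles(token.get("roles", []))


def access_matrix(tokens):
    """Map each token name to the sorted list of rules it may call."""
    return {name: sorted(r for r in RULES if authorize(r, tok))
            for name, tok in tokens.items()}


# Constructed sample tokens, one per persona covered by the test patches.
TOKENS = {
    "system_reader": {"scope": "system", "roles": ["reader"]},
    "system_member": {"scope": "system", "roles": ["member"]},
    "system_admin": {"scope": "system", "roles": ["admin"]},
    "domain_admin": {"scope": "domain", "roles": ["admin"]},
    "project_admin": {"scope": "project", "roles": ["admin"]},
}

if __name__ == "__main__":
    for name, allowed in access_matrix(TOKENS).items():
        print(f"{name:15} {allowed or 'DENIED'}")
```

In this model the scope check runs before the role check, so an admin role held on a domain or project grants nothing on these rules.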

Changed in keystone:
assignee: nobody → Vishakha Agarwal (vishakha.agarwal)

Fix proposed to branch: master
Review: https://review.opendev.org/676162

Changed in keystone:
status: Triaged → In Progress

Fix proposed to branch: master
Review: https://review.opendev.org/676355

Fix proposed to branch: master
Review: https://review.opendev.org/677781

Fix proposed to branch: master
Review: https://review.opendev.org/677782

Fix proposed to branch: master
Review: https://review.opendev.org/677961

Fix proposed to branch: master
Review: https://review.opendev.org/677997

Fix proposed to branch: master
Review: https://review.opendev.org/678467

Fix proposed to branch: master
Review: https://review.opendev.org/678471

Reviewed: https://review.opendev.org/676162
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8f68b72e861a07675e6709307267cb31c7b96d00
Submitter: Zuul
Branch: master

commit 8f68b72e861a07675e6709307267cb31c7b96d00
Author: Vishakha Agarwal <email address hidden>
Date: Tue Aug 13 16:38:37 2019 +0530

    Implement system reader and member for policies

    This change modifies the policies for policies
    API to be more self-service by properly checking for
    system scopes. It also includes the test cases.

    Subsequent patches will -

     - add functionality for system admin
     - domains user test coverage
     - project user test coverage
     - add functionality for system reader for policy association
     - add functionality for system member for policy association
     - add functionality for system admin for policy association
     - domains user test coverage for policy association
     - project user test coverage for policy association
     - Removing obsolete policies in policy.v3cloudsample.json file

    Change-Id: Ie696616aa594025ba83d6f70ce98e4b48e20b5df
    Partial-Bug: #1805409

Reviewed: https://review.opendev.org/676355
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=fd15bcd66f76156d771b3a844c351119c48f8d15
Submitter: Zuul
Branch: master

commit fd15bcd66f76156d771b3a844c351119c48f8d15
Author: Vishakha Agarwal <email address hidden>
Date: Wed Aug 14 11:44:13 2019 +0530

    Implement system admin for policies

    This change modifies the policies for policies
    API to be more self-service by properly checking for
    system scopes. It also includes the test cases.

    Subsequent patches will -

     - domains user test coverage
     - project user test coverage
     - add functionality for system reader for policy association
     - add functionality for system member for policy association
     - add functionality for system admin for policy association
     - domains user test coverage for policy association
     - project user test coverage for policy association
     - Removing obsolete policies in policy.v3cloudsample.json file

    Change-Id: I7559159f81d78fe6d7d8917a2926f9e3073e7b81
    Partial-Bug: #1805409

Reviewed: https://review.opendev.org/677781
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f45a6f99d11df7b3de6063d108b12bb8fb1d1854
Submitter: Zuul
Branch: master

commit f45a6f99d11df7b3de6063d108b12bb8fb1d1854
Author: Vishakha Agarwal <email address hidden>
Date: Wed Aug 21 21:43:09 2019 +0530

    Add tests for domain users interacting with policies

    This commit introduces some tests that show how domain users are
    expected to behave with the policies API. Subsequent
    patches will -

     - add project user test coverage
     - add functionality for system reader for policy association
     - add functionality for system member for policy association
     - add functionality for system admin for policy association
     - domains user test coverage for policy association
     - project user test coverage for policy association
     - Removing obsolete policies in policy.v3cloudsample.json file

    Change-Id: I44b0553cc9c590cb4d5ec5d037a17e4ea9cb8667
    Partial-Bug: #1805409

Reviewed: https://review.opendev.org/677782
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0e52753898ba307306f8a9b47a217e5950dcde28
Submitter: Zuul
Branch: master

commit 0e52753898ba307306f8a9b47a217e5950dcde28
Author: Vishakha Agarwal <email address hidden>
Date: Wed Aug 21 21:52:59 2019 +0530

    Add tests for project users interacting with policies

    This commit introduces some tests that show how project users
    are expected to behave with the policies API.

    Subsequent patches will -

     - add functionality for system reader for policy association
     - add functionality for system member for policy association
     - add functionality for system admin for policy association
     - domains user test coverage for policy association
     - project user test coverage for policy association
     - Removing obsolete policies in policy.v3cloudsample.json file

    Change-Id: Ia234baf3cd361ef62e7ed59885ca9b1a610eaaa0
    Partial-Bug: #1805409

Reviewed: https://review.opendev.org/677961
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b831856af3a3cc3c2610e7fd44080c18f4ff77fb
Submitter: Zuul
Branch: master

commit b831856af3a3cc3c2610e7fd44080c18f4ff77fb
Author: Vishakha Agarwal <email address hidden>
Date: Thu Aug 22 16:25:47 2019 +0530

    Implement system reader & member for policy association

    This change modifies the policies for policy association
    API to be more self-service by properly checking for
    system scopes. It also includes the test cases.

    Subsequent patches will -

     - add functionality for system admin for policy association
     - domains user test coverage for policy association
     - project user test coverage for policy association
     - Removing obsolete policies in policy.v3cloudsample.json file

    Change-Id: I0b6ddc961d65301b4b95b0ba1c2515ef4a782d55
    Partial-Bug: #1805409

Reviewed: https://review.opendev.org/677997
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2d185a5a91e3057be8e38afae1bfbfc02ef2899e
Submitter: Zuul
Branch: master

commit 2d185a5a91e3057be8e38afae1bfbfc02ef2899e
Author: Vishakha Agarwal <email address hidden>
Date: Thu Aug 22 17:51:31 2019 +0530

    Implement system admin for policy association

    This change modifies the policies for policy
    association API to be more self-service by properly
    checking for system scopes. It also includes the test cases.

    Subsequent patches will -

     - add domains user test coverage for policy association
     - add project user test coverage for policy association
     - Removing obsolete policies in policy.v3cloudsample.json file
    Partial-Bug: #1805409

    Change-Id: I7ed54a378dc20680cd987142c71afc36cb1dbd25

Reviewed: https://review.opendev.org/678467
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2af630f06aa8c4636d8d705d88ea17656e5f84a1
Submitter: Zuul
Branch: master

commit 2af630f06aa8c4636d8d705d88ea17656e5f84a1
Author: Vishakha Agarwal <email address hidden>
Date: Mon Aug 26 12:03:52 2019 +0530

    Add tests for domain users for policy association

    This commit introduces some tests that show how domain users are
    expected to behave with the policy association API. Subsequent
    patches will -

     - project user test coverage for policy association
     - Removing obsolete policies in policy.v3cloudsample.json file
    Partial-Bug: #1805409

    Change-Id: If5953e3322c5f65deef0843c1be78ccf0df5b1ce

Reviewed: https://review.opendev.org/678471
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=296ea0f6d9280798c9dbeabf50641bc413e1a627
Submitter: Zuul
Branch: master

commit 296ea0f6d9280798c9dbeabf50641bc413e1a627
Author: Vishakha Agarwal <email address hidden>
Date: Mon Aug 26 12:15:25 2019 +0530

    Add tests for project users for policy association

    This commit introduces some tests that show how project users
    are expected to behave with the policy association API.

    A subsequent patch will -

    - Removing obsolete policies in policy.v3cloudsample.json file
    Partial-Bug: #1805409

    Change-Id: If0ac329ef42bb3671f15bc90670da12297870f8c

Reviewed: https://review.opendev.org/678475
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=704cb2590e2f4496a73a79b3eeb22656083b4081
Submitter: Zuul
Branch: master

commit 704cb2590e2f4496a73a79b3eeb22656083b4081
Author: Vishakha Agarwal <email address hidden>
Date: Mon Aug 26 12:58:55 2019 +0530

    Remove system policy and its association from policy.v3cloudsample.json

    By relying on system-scope and default roles, these policies are now
    obsolete.

    Change-Id: Ib2aa3e9023194ee578c617cdf2d53c6264c0e785
    Partial-Bug: #1806762
    Closes-Bug: #1805409

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.
