OpenStack Identity (keystone)

Remove obsolete limit and registered limit policies from policy.v3cloudsample.json

Bug #1805880 reported by Lance Bragstad
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Medium
Lance Bragstad

Bug Description

Once support for scope types landed in the limit and registered limit API policies, the policies in policy.v3cloudsample.json became obsolete [0].

We should add formal protection for the policies with enforce_scope = True in keystone.tests.unit.protection.v3 and remove the old policies from the v3 sample policy file.

This will reduce confusion by having a true default policy for limits and registered limits.

[0] http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json?id=fb73912d87b61c419a86c0a9415ebdcf1e186927#n31

Lance Bragstad (lbragstad)
Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
tags: added: limits policy
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/621014

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/621015

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/621016

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/621017

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/621018

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/621019

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/621020

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/621021

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/621022

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/621023

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/621024

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/621025

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/621014
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=216a4d5fc9e9d1f1956f26e7353cc9f09148aaf4
Submitter: Zuul
Branch: master

commit 216a4d5fc9e9d1f1956f26e7353cc9f09148aaf4
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 18:20:07 2018 +0000

    Add registered limit protection tests

    This commit creates a set of sets that we can reuse across different
    default roles and scopes to ensure everyone has access to registered
    limit information. Subsequent patches will make sure we build on this
    by incorporating default roles for:

     - system member test coverage
     - system admin functionality
     - domain user test coverage
     - project users test coverage

    Change-Id: Ibb28ec8f85bad6df531cffc7ba2c5f879e96d297
    Related-Bug: 1805372
    Related-Bug: 1805880

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/621015
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8658011e41c05f79694eb4df306e07a0db1ce9a9
Submitter: Zuul
Branch: master

commit 8658011e41c05f79694eb4df306e07a0db1ce9a9
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 18:27:04 2018 +0000

    Add registered limit tests for system member role

    From keystone-perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writeable registered limit operations
    to the ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role
    is allowed to perform readable and not writable registered limits
    operations. Subsequent patches will incorporate:

     - system admin functionality
     - testing for domain users
     - testing for project users

    Change-Id: I6c428422f09e788faf2179d24cc01eb1ab623b64
    Related-Bug: 1805372
    Related-Bug: 1805880

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/621016
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4f5e462844b6bebf112b54b75db87165f9e3919b
Submitter: Zuul
Branch: master

commit 4f5e462844b6bebf112b54b75db87165f9e3919b
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 18:36:36 2018 +0000

    Update registered limit policies for system admin

    This change makes the policy definitions for admin registered limit
    operations consistent with the other registered limit
    policies. Subsequent patches will incorporate:

     - domain user test coverage
     - project user test coverage

    Change-Id: If0352220670fdf5c98d0820309817416466b1466
    Related-Bug: 1805372
    Related-Bug: 1805880

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/621017
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e29ff512bb2a5dde3f9eec2b2a2ec596384ec1a2
Submitter: Zuul
Branch: master

commit e29ff512bb2a5dde3f9eec2b2a2ec596384ec1a2
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 18:44:40 2018 +0000

    Allow domain users to access the registered limits API

    This commit adds domain-scope to the scope_types for registered limit
    policies, allowing domain users to access those API when enforce_scope
    is enabled. This commit also introduces some tests that explicitly
    show how domain users are expected to behave with the registered
    limits API. A subsequent patch will do the same for project users.

    Change-Id: I7a04e1e2fc585340c9e061c915461ab13b9abec2
    Related-Bug: 1805880

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/621018
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bd2b7f3ed55dcfeb0036bec71920c785db65214c
Submitter: Zuul
Branch: master

commit bd2b7f3ed55dcfeb0036bec71920c785db65214c
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 18:46:48 2018 +0000

    Add tests for project users interacting with registered limits

    This commit introduces some tests that explicitly show how project
    users are expected to behave with the registered limits API. A
    subsequent patch will clean up the now obsolete policies in the
    policy.v3cloudsample.json policy file.

    Related-Bug: 1805880

    Change-Id: I66c1d1273dae98f32802de244eb220bf998f9070

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/621019
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7af769278aef7e3a170c0da619b67bad7a147d84
Submitter: Zuul
Branch: master

commit 7af769278aef7e3a170c0da619b67bad7a147d84
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 18:53:00 2018 +0000

    Remove registered limit policies from policy.v3cloudsample.json

    By incorporating system-scope and default roles, we've effectively
    made these policies obsolete. We can simplify what we maintain and
    provide a more consistent, unified view of default registered limit
    behavior by removing them.

    Change-Id: I1ee7fb53a71361966584363687051615dc832329
    Related-Bug: 1805880

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/621020
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3fee2399901bfc91b5eb5dfc71d17b008dd4b7fb
Submitter: Zuul
Branch: master

commit 3fee2399901bfc91b5eb5dfc71d17b008dd4b7fb
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 20:45:44 2018 +0000

    Add limit protection tests

    This commit creates a set of sets that we can reuse across different
    default roles and scopes to ensure everyone has access to limit
    information. Subsequent patches will make sure we build on this
    by incorporating default roles for:

     - system member test coverage
     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Related-Bug: 1805372
    Related-Bug: 1805880

    Change-Id: I085578e715939c9b472df65bb3a50c0acf62f37e

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/621021
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4cf85fcd5de2f903c085ee3a6edefd3091017880
Submitter: Zuul
Branch: master

commit 4cf85fcd5de2f903c085ee3a6edefd3091017880
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 20:53:34 2018 +0000

    Add limit tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writeable limit operations to the
    ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role
    is allowed to perform readable and not writable limit operations.
    Subsequent patches will incorporate:

     - system admin functionality
     - testing for domain users
     - testing for project users

    Change-Id: I186251e77bf1b6459e0660da72f57bcdf799f319
    Related-Bug: 1805372
    Related-Bug: 1805880

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/621022
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1d4e40252884f054d692e82e170d3f69228ef7ee
Submitter: Zuul
Branch: master

commit 1d4e40252884f054d692e82e170d3f69228ef7ee
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 21:01:52 2018 +0000

    Update limit policies for system admin

    This change makes the policy definitions for admin limit
    operations consistent with the other limit
    policies. Subsequent patches will incorporate:

     - domain user test coverage
     - project user test coverage

    Change-Id: Id3f6159af505fbe81ff83cfaa346f2178f2d8e77
    Closes-Bug: 1805372
    Related-Bug: 1805880

Colleen Murphy (krinkle)
Changed in keystone:
milestone: none → stein-rc1
Colleen Murphy (krinkle)
Changed in keystone:
milestone: stein-rc1 → none
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/680844

Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Colleen Murphy (krinkle)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/680844
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9b694fcd0846898be843d8779960de399497818d
Submitter: Zuul
Branch: master

commit 9b694fcd0846898be843d8779960de399497818d
Author: Colleen Murphy <email address hidden>
Date: Sat Sep 7 19:25:46 2019 -0700

    Implement system scope for domain role management

    The roles API was partially converted to use default roles and system
    scope but that work did not include converting the domain roles actions.
    This commit completes the rest of the work and closes out the system
    scope work for the roles API.

    Change-Id: Iea5a1559e9bece2c0f310170f05260a978e27b47
    Closes-bug: #1805400
    Partial-bug: #1805880

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.opendev.org/621023
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f249c9e2b0f39b688ba356feaca7818adfc9f739
Submitter: Zuul
Branch: master

commit f249c9e2b0f39b688ba356feaca7818adfc9f739
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 21:06:09 2018 +0000

    Allow domain users to access the limit API

    This commit adds domain-scope to the scope_types for limit policies,
    allowing domain users to access those APIs when enforce_scope is
    enabled. This commit also introduces some tests that explicitly show
    how domain users are expected to behave with the limits API. A
    subsequent patch will do the same for project users.

    This commit also modifies the GET /v3/limit policy to allow project
    users to filter responses by project_id, which isn't entirely useful
    outside of just calling the API with a project-scoped token.

    Change-Id: I9b38f3fd2f83efd508b2d9a6c323bbaa7169d4cd
    Related-Bug: 1805880
    Partial-Bug: 1818736

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/621024
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e938c496281daa6d1dab66d66bdb2d34abd5ddc3
Submitter: Zuul
Branch: master

commit e938c496281daa6d1dab66d66bdb2d34abd5ddc3
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 21:22:10 2018 +0000

    Add tests for project users interacting with limits

    This commit introduces some tests that explicitly show how project
    users are expected to behave with the limits API. A
    subsequent patch will clean up the now obsolete policies in the
    policy.v3cloudsample.json policy file.

    Related-Bug: 1805880
    Closes-Bug: 1818736

    Change-Id: I12d1200d8a11cadcc4f7b2604d51d8e5c73ea4b7

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/621025
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5b995cc8fbf0bb654ed0f6a88091c48548f53f6e
Submitter: Zuul
Branch: master

commit 5b995cc8fbf0bb654ed0f6a88091c48548f53f6e
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 21:30:06 2018 +0000

    Remove limit policies from policy.v3cloudsample.json

    By incorporating system-scope and default roles, we've effectively
    made these policies obsolete. We can simplify what we maintain and
    provide a more consistent, unified view of default limit
    behavior by removing them.

    Change-Id: Ie0f333a9e8b60154711a24ba7d9ade531217eb71
    Closes-Bug: 1805880

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 16.0.0.0rc1

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.

Colleen Murphy (krinkle)
Changed in keystone:
assignee: Colleen Murphy (krinkle) → Lance Bragstad (lbragstad)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.opendev.org/682266
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d4a6023de5bdfe5a6e9214579a35e083a45c1151
Submitter: Zuul
Branch: master

commit d4a6023de5bdfe5a6e9214579a35e083a45c1151
Author: Lance Bragstad <email address hidden>
Date: Mon Sep 16 02:52:12 2019 +0000

    Remove policy.v3cloudsample.json

    We've make all the default policies keystone supports better by
    incorporating default roles and scope types. These changes have made
    the ``policy.v3cloudsample.json`` file obsolete.

    Let's simply things for users, operators, and develpers by removing
    it.

    A follow-on patch will remove the test_v3_protection.py file since
    those behaviors are passing all the protection tests with the default
    policies in code.

    Related-Bug: 1805880
    Closes-Bug: 1630434
    Closes-Bug: 1806762
    Change-Id: Ie45955f5cc54563cc9704d7cb2b656b5544ae030

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/687639

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (stable/train)

Reviewed: https://review.opendev.org/687639
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d9217f07b83399373c6e0879a71d943b73632ff5
Submitter: Zuul
Branch: stable/train

commit d9217f07b83399373c6e0879a71d943b73632ff5
Author: Lance Bragstad <email address hidden>
Date: Mon Sep 16 02:52:12 2019 +0000

    Remove policy.v3cloudsample.json

    We've make all the default policies keystone supports better by
    incorporating default roles and scope types. These changes have made
    the ``policy.v3cloudsample.json`` file obsolete.

    Let's simply things for users, operators, and develpers by removing
    it.

    A follow-on patch will remove the test_v3_protection.py file since
    those behaviors are passing all the protection tests with the default
    policies in code.

    Related-Bug: 1805880
    Closes-Bug: 1630434
    Closes-Bug: 1806762
    Change-Id: Ie45955f5cc54563cc9704d7cb2b656b5544ae030
    (cherry picked from commit d4a6023de5bdfe5a6e9214579a35e083a45c1151)

tags: added: in-stable-train
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.