policy.v3cloudsample.json contains redundant policies
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | Medium | Lance Bragstad | |
Bug Description
The policy.
Ultimately, the policy.
[0] http://
[1] http://
tags: | added: policy |
Changed in keystone: | |
status: | New → Triaged |
importance: | Undecided → Medium |
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master) | #1 |
Changed in keystone: | |
assignee: | nobody → Lance Bragstad (lbragstad) |
status: | Triaged → In Progress |
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master) | #2 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #3 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #4 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #5 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #6 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #7 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #8 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #9 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #10 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #11 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #12 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #13 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #14 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #15 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #16 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master) | #17 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit b35928d5dcd8615
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 18:18:42 2018 +0000
Implement system reader role for projects
This commit introduces the system reader role to the project API, making
it easier for administrators to delegate subsets of responsibilities
to the API by default.
Subsequent patches will incorporate:
- system member test coverage
- system admin functionality
- domain reader functionality
- domain member test coverage
- domain admin functionality
- project user test coverage
Change-Id: I089ada1e314688
Related-Bug: 1805403
Related-Bug: 1750660
Related-Bug: 1806762
OpenStack Infra (hudson-openstack) wrote : | #18 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 6037ac58de0fe59
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 18:45:25 2018 +0000
Implement system member role project test coverage
This commit introduces explicit test coverage for system members,
making sure they are allowed to do readable and not writable project
operations.
Subsequent patches will incorporate:
- system admin functionality
- domain reader functionality
- domain member test coverage
- domain admin functionality
- project user test coverage
Change-Id: I69ff308ea528d5
Related-Bug: 1805403
Related-Bug: 1750660
Related-Bug: 1806762
OpenStack Infra (hudson-openstack) wrote : | #19 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 718d122fe1595d5
Author: Lance Bragstad <email address hidden>
Date: Mon Jan 7 20:48:11 2019 +0000
Implement system admin role in project API
This commit introduces the system admin role to the projects API,
making it consistent with other system-admin policy definitions.
Subsequent patches will build on this work to expose more
functionality to domain users:
- domain reader functionality
- domain member test coverage
- domain admin functionality
- project user test coverage
Change-Id: Iceed65d34a8a7c
Closes-Bug: 1805403
Related-Bug: 1750660
Related-Bug: 1806762
OpenStack Infra (hudson-openstack) wrote : | #20 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 87e50c029e11d41
Author: Lance Bragstad <email address hidden>
Date: Thu Sep 27 22:08:55 2018 +0000
Remove domain policies from policy.
By incorporating system scope and default roles into keystone's
default policies for domains, we've effectively made these policies
obsolete.
Related-Bug: 1806762
Change-Id: I96079b15c980de
OpenStack Infra (hudson-openstack) wrote : | #21 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit a3c3a62a1287d4a
Author: Lance Bragstad <email address hidden>
Date: Fri Dec 14 20:29:26 2018 +0000
Update protocol policies for system reader
The protocol policies were not taking the default roles work
we did last release into account. This commit changes the default
policies to rely on the ``reader`` role for get and list protocols.
Subsequent patches will incorporate:
- system member test coverage
- system admin functionality
- domain users test coverage
- project users test coverage
Change-Id: I4e8887cffb882a
Related-Bug: 1804523
Related-Bug: 1806762
OpenStack Infra (hudson-openstack) wrote : | #22 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 85b87fa4795b94d
Author: Lance Bragstad <email address hidden>
Date: Fri Dec 14 21:00:05 2018 +0000
Add protocol tests for system member role
From keystone's perspective, the ``member`` and ``reader`` roles are
effectively the same, isolating writable protocol operations
to the ``admin`` role.
This commit adds explicit testing to make sure the ``member`` role is
allowed to perform readable and not writable protocol
operations. Subsequent patches will incorporate:
- system admin functionality
- domain users test coverage
- project users test coverage
Related-Bug: 1804523
Related-Bug: 1806762
Change-Id: I55751a045cdb31
OpenStack Infra (hudson-openstack) wrote : | #23 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 87d93db90950065
Author: Lance Bragstad <email address hidden>
Date: Fri Dec 14 21:13:35 2018 +0000
Implement system admin role in protocol API
This commit introduces the system admin role to the protocol API,
making it consistent with other system-admin policy definitions.
Subsequent patches will build on this work to expose more
functionality to domain and project users:
- domain user test coverage
- project user test coverage
Change-Id: I9384e0fdd95545
Closes-Bug: 1804523
Related-Bug: 1806762
OpenStack Infra (hudson-openstack) wrote : | #24 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit c7cd4bcd5b5745a
Author: Lance Bragstad <email address hidden>
Date: Fri Dec 14 21:50:58 2018 +0000
Add tests for domain users interacting with protocols
This commit introduces some tests that show how domain users are
expected to behave with the federated protocols API. A
subsequent patch will do the same for project users.
Change-Id: Ic389fc76d2879a
Related-Bug: 1806762
OpenStack Infra (hudson-openstack) wrote : | #25 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 532b9625de9717a
Author: Lance Bragstad <email address hidden>
Date: Fri Dec 14 21:52:12 2018 +0000
Add tests for project users interacting with protocols
This commit introduces some tests that show how project users
are expected to behave with the federated protocol API.
A subsequent patch will clean up the now obsolete policies in the
policy.
Change-Id: Ib5f2ea776a57d3
Related-Bug: 1806762
OpenStack Infra (hudson-openstack) wrote : | #26 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 24b8db9e064713e
Author: Lance Bragstad <email address hidden>
Date: Fri Dec 14 21:54:42 2018 +0000
Remove protocol policies from v3cloudsample.json
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default protocol
behavior by removing them.
Related-Bug: 1806762
Closes-Bug: 1804518
Change-Id: Ia839555d821159
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master) | #27 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #28 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #29 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #30 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master) | #31 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 65165e7e8b8cb9a
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 20:49:32 2018 +0000
Implement domain reader functionality for projects
This commit adds explicit testing for how users with the reader role
on a domain should interact with projects both inside and outside of
the domain they have authorization on.
Subsequent patches will continue to build on this by incorporating:
- domain member test coverage
- domain admin functionality
- project user test coverage
Depends-On: https:/
Depends-On: https:/
Change-Id: I28db6b9bdb16a1
Related-Bug: 1750660
Related-Bug: 1806762
OpenStack Infra (hudson-openstack) wrote : | #32 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 04dc72a908ce829
Author: Lance Bragstad <email address hidden>
Date: Mon Jan 7 22:43:57 2019 +0000
Implement domain member functionality for projects
This commit adds explicit testing for how users with the member role
on a domain should interact with projects both inside and outside of
the domain they have authorization on.
Subsequent patches will continue to build on this by incorporating:
- domain admin functionality
- project user test coverage
Change-Id: Ic0fe47b7a57827
Related-Bug: 1750660
Related-Bug: 1806762
OpenStack Infra (hudson-openstack) wrote : | #33 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 09663a01a4eda43
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 22:01:23 2018 +0000
Implement domain admin functionality for projects
This commit adds explicit testing to show how users with the admin role
on a domain can manage projects within their domain. It also modifies
the default policies to account for this functionality. A subsequent
patch will do the same for project users.
Change-Id: I3e1cc44c4ed09e
Closes-Bug: 1750660
Related-Bug: 1806762
OpenStack Infra (hudson-openstack) wrote : | #34 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 546b7f1bba0c5a9
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 22:22:52 2018 +0000
Remove project policies from policy.
By incorporating system-scope, domain-scope, project-scope, and
default roles, we've effectively made these policies obsolete. We can
simplify what we maintain and provide a more consistent, unified view
of default project behavior by removing them.
Change-Id: I80221b72ce0f23
Related-Bug: 1806762
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master) | #35 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #36 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #37 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master) | #38 |
Fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master) | #39 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 465a8bb59be1373
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 22:24:40 2018 +0000
Update system grant policies for system reader
The system grant policies were not taking the default roles work we
did last release into account. This commit changes the default
policies to rely on the ``reader`` role for getting and listing system
assignments. Subsequent patches will incorporate:
- system member test coverage
- system admin functionality
- domain user test coverage
- project user test coverage
Change-Id: I838c85f315864d
Related-Bug: 1805368
Related-Bug: 1750669
Related-Bug: 1806762
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master) | #40 |
Related fix proposed to branch: master
Review: https:/
Changed in keystone: | |
assignee: | Lance Bragstad (lbragstad) → Colleen Murphy (krinkle) |
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master) | #65 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit d1cfa3ab3f87f15
Author: Lance Bragstad <email address hidden>
Date: Fri Mar 22 21:08:25 2019 +0000
Implement system reader functionality for grants
This commit opens up the assignment API for system readers and system
members to list and check grants for users and groups on projects and
domains. Subsequent patches will:
- refactor system admin policy checks
- implement domain reader and member support
- implement domain admin support
- introduce test coverage for project users and the grants API
- remove redundant policies from policy.
Change-Id: I04bafe2f7c83ad
Related-Bug: 1805368
Related-Bug: 1750669
Related-Bug: 1806762
OpenStack Infra (hudson-openstack) wrote : | #66 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit ef838a3a3f57556
Author: Lance Bragstad <email address hidden>
Date: Fri Mar 22 21:25:07 2019 +0000
Make system admin policies consistent for grants
This commit adjusts the create and revoke grant policies to be
consistent with other system admin policy check strings by not using
the rule:admin_required check string and by including system_scope:all
in the rule itself.
Subsequent patches will:
- implement domain reader and member support
- implement domain admin support
- introduce test coverage for project users and the grants API
- remove redundant policies from policy.
Related-Bug: 1805368
Related-Bug: 1750669
Related-Bug: 1806762
Change-Id: Idcbe16f643332d
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (stable/stein) | #67 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit fd08266abb3a4fb
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 22:24:40 2018 +0000
Update system grant policies for system reader
The system grant policies were not taking the default roles work we
did last release into account. This commit changes the default
policies to rely on the ``reader`` role for getting and listing system
assignments. Subsequent patches will incorporate:
- system member test coverage
- system admin functionality
- domain user test coverage
- project user test coverage
Change-Id: I838c85f315864d
Related-Bug: 1805368
Related-Bug: 1750669
Related-Bug: 1806762
(cherry picked from commit 465a8bb59be1373
tags: | added: in-stable-stein |
OpenStack Infra (hudson-openstack) wrote : | #68 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit 0786fde3932e218
Author: Lance Bragstad <email address hidden>
Date: Wed Mar 20 21:18:32 2019 +0000
Update system grant policies for system member
This commit ensures users with the ``member`` role on the system can
perform read-only operations against the system assignment API.
- system admin functionality
- domain user test coverage
- project user test coverage
Change-Id: I834475da2343ba
Related-Bug: 1805368
Related-Bug: 1750669
Related-Bug: 1806762
(cherry picked from commit bb4192e88d88b78
OpenStack Infra (hudson-openstack) wrote : | #69 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit ad108dafe2bdd1b
Author: Lance Bragstad <email address hidden>
Date: Wed Mar 20 21:40:55 2019 +0000
Update system grant policies for system admin
This commit updates the policies for adding and removing system
assignments from users to be consistent with other system-scoped
policies.
- domain user test coverage
- project user test coverage
Change-Id: Ia24a81669477ca
Related-Bug: 1805368
Related-Bug: 1750669
Related-Bug: 1806762
(cherry picked from commit 8f4e179c69eae7c
OpenStack Infra (hudson-openstack) wrote : | #70 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit 4ccb4c258f54642
Author: Lance Bragstad <email address hidden>
Date: Wed Mar 20 21:49:32 2019 +0000
Test domain users against system assignment API
This commit ensures that domain users are not able to operate on
system role assignments in any way since they lack the proper
authorization to do so.
- project user test coverage
Change-Id: Ic27a158448e109
Related-Bug: 1805368
Related-Bug: 1750669
Related-Bug: 1806762
(cherry picked from commit 8450d4a9cc76ce9
OpenStack Infra (hudson-openstack) wrote : | #71 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit de083009eb51d1a
Author: Lance Bragstad <email address hidden>
Date: Wed Mar 20 21:58:51 2019 +0000
Test project users against system assignment API
This commit ensures that project users are not able to operate on
system role assignments in any way since they lack the proper
authorization to do so.
Change-Id: I8b5add170ba0d9
Related-Bug: 1805368
Related-Bug: 1750669
Related-Bug: 1806762
(cherry picked from commit fac844c4ae058c1
OpenStack Infra (hudson-openstack) wrote : | #72 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit 1d8ac830a1ed6a5
Author: Lance Bragstad <email address hidden>
Date: Thu Mar 21 18:21:42 2019 +0000
Update system group assignment policies for reader and member
This commit introduces the reader and member default roles to the
system assignment API for groups. Users with the `reader` and `member`
role on the system should be able to list and check system role
assignments for all users in the deployment.
Subsequent patches will:
- simplify the policies for system admin
- add domain user test coverage
- add project user test coverage
- remove obsolete policies from policy.
Change-Id: I7eebb1b07213a1
Related-Bug: 1805368
Related-Bug: 1750669
Related-Bug: 1806762
(cherry picked from commit 593e67e6ca429c6
OpenStack Infra (hudson-openstack) wrote : | #73 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit 02eebfe5732fb99
Author: Lance Bragstad <email address hidden>
Date: Thu Mar 21 18:29:21 2019 +0000
Update group system grant policies for admins
This commit updates the policies for adding and removing system
assignments from groups to be consistent with other system-scoped
policies.
Subsequent patches will build on this work and:
- add domain user test coverage
- add project user test coverage
- remove obsolete policies from policy.
Change-Id: I90ecc67dbae60c
Related-Bug: 1805368
Related-Bug: 1750669
Related-Bug: 1806762
(cherry picked from commit ba09e89ba1b8a88
OpenStack Infra (hudson-openstack) wrote : | #74 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit 56e48127938be2d
Author: Lance Bragstad <email address hidden>
Date: Thu Mar 21 18:54:06 2019 +0000
Test domain and project users against group system assignment API
This commit ensures that domain and project users are not able to
operate on system role assignments for groups in any way since they
lack the proper authorization to do so.
Subsequent patches will:
- remove obsolete policies from policy.
Change-Id: I696e5d161fae7e
Related-Bug: 1805368
Related-Bug: 1750669
Related-Bug: 1806762
(cherry picked from commit 6e118bad3d49bc1
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/stein) | #75 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit b7a64a9315a2bfe
Author: Lance Bragstad <email address hidden>
Date: Thu Mar 21 19:28:08 2019 +0000
Remove system assignment policies from policy.
By relying on system-scope and default roles, these policies are now
obsolete.
Change-Id: I7a17c2baa6e23b
Partial-Bug: 1806762
(cherry picked from commit 0dbc8a88e8856d5
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (stable/stein) | #76 |
Related fix proposed to branch: stable/stein
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #77 |
Related fix proposed to branch: stable/stein
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (stable/stein) | #78 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit 24c875fe76474e3
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 22:01:23 2018 +0000
Implement domain admin functionality for projects
This commit adds explicit testing to show how users with the admin role
on a domain can manage projects within their domain. It also modifies
the default policies to account for this functionality. A subsequent
patch will do the same for project users.
Change-Id: I3e1cc44c4ed09e
Closes-Bug: 1750660
Related-Bug: 1806762
(cherry picked from commit 09663a01a4eda43
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/stein) | #79 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit 570e47dbf3c0c24
Author: Vishakha Agarwal <email address hidden>
Date: Tue Mar 5 13:00:55 2019 +0530
Remove assignment policies from policy.
By incorporating system-scope and default roles, we've
effectively made these policies obsolete. We can simplify
what we maintain and provide a more consistent, unified
view of default service behavior by removing them.
This commit also removes some redundant tests in test_v3_protection
or corrects them.
Partial-Bug: 1806762
Change-Id: I008aed9c01b9e8
(cherry picked from commit 64a455ef94c685d
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master) | #80 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit d2cc4c83c002564
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 21:14:44 2018 +0000
Consolidate user protection tests
This commit removes user policies from policy.
incorporating system-scope, domain-scope, project-scope, and default
roles, we've effectively made these policies obsolete. We can simplify
what we maintain and provide a more consistent, unified view of
default user behavior by removing them.
This commit also adds an important filter to the GET /v3/users API by
making sure the users in the response are filtered properly if the API
was called with a domain-scoped token. This is needed in case domain
configuration isn't set up and short-circuits normalization of the
domain ID, which sometimes comes from the token if it is
domain-scoped. Regardless of domain configuration being used, we
should protect against cases where data leaks across domains in the
name of security.
Finally, this commit moves a couple of tests from test_v3_protection
to test_users protection tests that ensure we do reasonable filtering
while normalizing domain IDs. The remaining tests from
test_
applicable. These tests were testing an HTTP 403 was returned when a
domain user attempted to filter users for domains they didn't have
authorization on. We don't use this approach consistently in keystone.
Most other places where filtering is implemented, we ignore invalid
filters and instead return an empty list. For domain users attempting
to fish information out of another domain, they will receive an empty
list to be consistent with other parts of the API.
Change-Id: I60b2e2b8af172c
Parial-Bug: 1806762
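A minimal sketch of the filtering behaviour described in the commit message above, added here as an illustration and not taken from keystone's code. The `User`, `Token`, `list_users_unfiltered` and `list_users` names and the sample data are hypothetical; only system- and domain-scoped tokens are modelled, and the sketch refuses any other scope as its own assumption.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class User:
    id: str
    name: str
    domain_id: str


@dataclass(frozen=True)
class Token:
    scope: str                       # "system" or "domain" in this sketch
    domain_id: Optional[str] = None  # set only for domain-scoped tokens


# Constructed sample data: two users in domain-a, one in domain-b.
USERS = [
    User("u1", "alice", "domain-a"),
    User("u2", "bob", "domain-a"),
    User("u3", "carol", "domain-b"),
]


def list_users_unfiltered(users: List[User], token: Token,
                          domain_filter: Optional[str] = None) -> List[User]:
    """Model of the leaky case: the domain ID from the token was never
    applied (normalization short-circuited), so only the caller-supplied
    filter limits the result."""
    if domain_filter is None:
        return list(users)
    return [u for u in users if u.domain_id == domain_filter]


def list_users(users: List[User], token: Token,
               domain_filter: Optional[str] = None) -> List[User]:
    """Hardened model: the response is always restricted to the token's
    domain when the token is domain-scoped, whatever filter was requested."""
    if token.scope not in ("system", "domain"):
        # Assumption of this sketch: other scopes are not modelled.
        raise PermissionError("scope not handled by this sketch")
    if token.scope == "domain" and not token.domain_id:
        # A domain-scoped token without a domain ID must never widen access.
        raise PermissionError("domain-scoped token without a domain ID")

    result = list(users)
    if domain_filter is not None:
        result = [u for u in result if u.domain_id == domain_filter]
    if token.scope == "domain":
        # Applied after the requested filter: asking for another domain
        # yields an empty list instead of an HTTP 403 or foreign users.
        result = [u for u in result if u.domain_id == token.domain_id]
    return result


def ids(users: List[User]) -> List[str]:
    """Helper for comparing results by user ID."""
    return [u.id for u in users]


if __name__ == "__main__":
    domain_a = Token(scope="domain", domain_id="domain-a")
    print("leaky   :", ids(list_users_unfiltered(USERS, domain_a, "domain-b")))
    print("hardened:", ids(list_users(USERS, domain_a, "domain-b")))
    print("own     :", ids(list_users(USERS, domain_a)))
    print("system  :", ids(list_users(USERS, Token(scope="system"))))
```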
OpenStack Infra (hudson-openstack) wrote : | #81 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 8877e9f01caf01f
Author: Colleen Murphy <email address hidden>
Date: Mon Mar 25 20:39:08 2019 +0100
Remove redundant policies from v3cloudsample
By incorporating system and domain scope and default roles into
keystone's default policies for domains, we've effectively made these
policies obsolete. This change also removes the redundant group
management tests from the v3cloudsample tests.
Change-Id: I4e3b19f9cc025a
Partial-Bug: #1806762
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (stable/stein) | #82 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit 3d3fa99a0503be6
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 22:22:52 2018 +0000
Remove project policies from policy.
By incorporating system-scope, domain-scope, project-scope, and
default roles, we've effectively made these policies obsolete. We can
simplify what we maintain and provide a more consistent, unified view
of default project behavior by removing them.
Change-Id: I80221b72ce0f23
Related-Bug: 1806762
(cherry picked from commit 546b7f1bba0c5a9
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/stein) | #83 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit 7f257513f87c3eb
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 21:14:44 2018 +0000
Consolidate user protection tests
This commit removes user policies from policy.
incorporating system-scope, domain-scope, project-scope, and default
roles, we've effectively made these policies obsolete. We can simplify
what we maintain and provide a more consistent, unified view of
default user behavior by removing them.
This commit also adds an important filter to the GET /v3/users API by
making sure the users in the response are filtered properly if the API
was called with a domain-scoped token. This is needed in case domain
configuration isn't set up and short-circuits normalization of the
domain ID, which sometimes comes from the token if it is
domain-scoped. Regardless of domain configuration being used, we
should protect against cases where data leaks across domains in the
name of security.
Finally, this commit moves a couple of tests from test_v3_protection
to test_users protection tests that ensure we do reasonable filtering
while normalizing domain IDs. The remaining tests from
test_
applicable. These tests were testing an HTTP 403 was returned when a
domain user attempted to filter users for domains they didn't have
authorization on. We don't use this approach consistently in keystone.
Most other places where filtering is implemented, we ignore invalid
filters and instead return an empty list. For domain users attempting
to fish information out of another domain, they will receive an empty
list to be consistent with other parts of the API.
Change-Id: I60b2e2b8af172c
Parial-Bug: 1806762
(cherry picked from commit d2cc4c83c002564
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (stable/stein) | #84 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit db3b293cdea31b5
Author: Lance Bragstad <email address hidden>
Date: Fri Mar 22 21:08:25 2019 +0000
Implement system reader functionality for grants
This commit opens up the assignment API for system readers and system
members to list and check grants for users and groups on projects and
domains. Subsequent patches will:
- refactor system admin policy checks
- implement domain reader and member support
- implement domain admin support
- introduce test coverage for project users and the grants API
- remove redundant policies from policy.
Change-Id: I04bafe2f7c83ad
Related-Bug: 1805368
Related-Bug: 1750669
Related-Bug: 1806762
(cherry picked from commit d1cfa3ab3f87f15
Changed in keystone: | |
assignee: | Colleen Murphy (krinkle) → Lance Bragstad (lbragstad) |
OpenStack Infra (hudson-openstack) wrote : | #85 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit 933b7509a417768
Author: Lance Bragstad <email address hidden>
Date: Fri Mar 22 21:25:07 2019 +0000
Make system admin policies consistent for grants
This commit adjusts the create and revoke grant policies to be
consistent with other system admin policy check strings by not using
the rule:admin_required check string and by including system_scope:all
in the rule itself.
Subsequent patches will:
- implement domain reader and member support
- implement domain admin support
- introduce test coverage for project users and the grants API
- remove redundant policies from policy.
Related-Bug: 1805368
Related-Bug: 1750669
Related-Bug: 1806762
Change-Id: Idcbe16f643332d
(cherry picked from commit ef838a3a3f57556
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/stein) | #86 |
Fix proposed to branch: stable/stein
Review: https:/
OpenStack Infra (hudson-openstack) wrote : | #87 |
Fix proposed to branch: stable/stein
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/stein) | #88 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit 2c102cad4769c1a
Author: Colleen Murphy <email address hidden>
Date: Mon Mar 25 20:39:08 2019 +0100
Remove redundant policies from v3cloudsample
By incorporating system and domain scope and default roles into
keystone's default policies for domains, we've effectively made these
policies obsolete. This change also removes the redundant group
management tests from the v3cloudsample tests.
Change-Id: I4e3b19f9cc025a
Partial-Bug: #1806762
(cherry picked from commit 8877e9f01caf01f
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master) | #89 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit bb141b1fb49c539
Author: Lance Bragstad <email address hidden>
Date: Tue Apr 2 15:17:18 2019 +0000
DRY: Remove redundant policies from policy.
The policies contained in policy.
the work to move policy defaults into code. Since deploying a policy
file is now optional, we can remove the redundant policies from this
file and make it more maintainable by not repeating ourselves and
violating the DRY principle.
The only policies left are ones that are testing workarounds for bug
968696. Meanwhile, we're pursuing fixes for scope types and default
roles:
These fixes are specific to certain resources to make reviews more
understandable for reviewers. As fixes for those bugs land, we will
be removing the remaining checks in this file, since the behavior will
be captured in new default check strings or in code.
Eventually, we will delete this file entirely since we will have
defaults in code that work for `admins`, `members`, and `readers` on
projects, domains, and the deployment system.
Change-Id: Ibbabe8fdc7989f
Partial-Bug: 1806762
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/stein) | #90 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit c78581b4608f3dc
Author: Lance Bragstad <email address hidden>
Date: Tue Apr 2 15:17:18 2019 +0000
DRY: Remove redundant policies from policy.
The policies contained in policy.
the work to move policy defaults into code. Since deploying a policy
file is now optional, we can remove the redundant policies from this
file and make it more maintainable by not repeating ourselves and
violating the DRY principle.
The only policies left are ones that are testing workarounds for bug
968696. Meanwhile, we're pursuing fixes for scope types and default
roles:
These fixes are specific to certain resources to make reviews more
understandable for reviewers. As fixes for those bugs land, we will
be removing the remaining checks in this file, since the behavior will
be captured in new default check strings or in code.
Eventually, we will delete this file entirely since we will have
defaults in code that work for `admins`, `members`, and `readers` on
projects, domains, and the deployment system.
Change-Id: Ibbabe8fdc7989f
Partial-Bug: 1806762
(cherry picked from commit bb141b1fb49c539
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master) | #91 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master) | #92 |
Fix proposed to branch: master
Review: https:/
Changed in keystone: | |
assignee: | Lance Bragstad (lbragstad) → Vishakha Agarwal (vishakha.agarwal) |
OpenStack Infra (hudson-openstack) wrote : | #93 |
Fix proposed to branch: master
Review: https:/
Changed in keystone: | |
assignee: | Vishakha Agarwal (vishakha.agarwal) → Colleen Murphy (krinkle) |
Changed in keystone: | |
assignee: | Colleen Murphy (krinkle) → Vishakha Agarwal (vishakha.agarwal) |
OpenStack Infra (hudson-openstack) wrote : | #94 |
Fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master) | #95 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 704cb2590e2f449
Author: Vishakha Agarwal <email address hidden>
Date: Mon Aug 26 12:58:55 2019 +0530
Remove system policy and its association from policy.
By relying on system-scope and default roles, these policies are now
obsolete.
Change-Id: Ib2aa3e9023194e
Partial-Bug: #1806762
Closes-Bug: #1805409
Changed in keystone: | |
assignee: | Vishakha Agarwal (vishakha.agarwal) → Colleen Murphy (krinkle) |
OpenStack Infra (hudson-openstack) wrote : | #96 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit afb312529ba1e1e
Author: Colleen Murphy <email address hidden>
Date: Fri Sep 6 21:02:44 2019 -0700
Remove implied roles policies from v3cloudsample
By incorporating system scope and default roles into keystone's default
policies for implied roles, we've effectively made these policies
obsolete.
Change-Id: I75515d3491517e
Partial-bug: #1806762
Closes-bug: #1805371
Changed in keystone: | |
assignee: | Colleen Murphy (krinkle) → Vishakha Agarwal (vishakha.agarwal) |
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master) | #97 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit cf22f8004ed1dba
Author: Lance Bragstad <email address hidden>
Date: Wed Jun 26 20:58:12 2019 +0000
Remove obsolete grant policies from policy.
This commit also removes an obsolete test case from
test_
Co-Authored-By: Colleen Murphy <email address hidden>
Change-Id: Ic0a654494f96d5
Related-Bug: 1806762
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master) | #98 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 6435017c242d759
Author: Vishakha Agarwal <email address hidden>
Date: Tue Sep 10 11:57:13 2019 +0530
Remove system EC2 credentials from policy.
By relying on system-scope and default roles, these policies are now
obsolete.
Change-Id: Ie6be658a8e4dd0
Partial-Bug: #1806762
Closes-Bug: #1750678
OpenStack Infra (hudson-openstack) wrote : | #99 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 566f8e734d1b541
Author: Vishakha Agarwal <email address hidden>
Date: Thu Sep 5 15:09:40 2019 +0530
Remove system Domain Config from policy.
By relying on system-scope and default roles, these policies are now
obsolete.
Change-Id: I21473f757611cf
Partial-Bug: #1806762
Closes-Bug: #1805366
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master) | #100 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 8e67249d5bfb07b
Author: Lance Bragstad <email address hidden>
Date: Mon Sep 16 22:11:06 2019 +0000
Add default roles and scope checking to project tags
This commit makes it so that project tags adhere to system-scope and
also incorporates default roles into the policy checks by default.
Change-Id: Ie36df5677a08d7
Closes-Bug: 1844194
Closes-Bug: 1844193
Related-Bug: 1806762
Changed in keystone: | |
assignee: | Vishakha Agarwal (vishakha.agarwal) → Lance Bragstad (lbragstad) |
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master) | #101 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit d4a6023de5bdfe5
Author: Lance Bragstad <email address hidden>
Date: Mon Sep 16 02:52:12 2019 +0000
Remove policy.
We've made all the default policies keystone supports better by
incorporating default roles and scope types. These changes have made
the ``policy.
Let's simplify things for users, operators, and developers by removing
it.
A follow-on patch will remove the test_v3_
those behaviors are passing all the protection tests with the default
policies in code.
Related-Bug: 1805880
Closes-Bug: 1630434
Closes-Bug: 1806762
Change-Id: Ie45955f5cc5456
Changed in keystone: | |
status: | In Progress → Fix Released |
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/train) | #102 |
Fix proposed to branch: stable/train
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/train) | #103 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/train
commit d9217f07b833993
Author: Lance Bragstad <email address hidden>
Date: Mon Sep 16 02:52:12 2019 +0000
Remove policy.
We've made all the default policies keystone supports better by
incorporating default roles and scope types. These changes have made
the ``policy.
Let's simplify things for users, operators, and developers by removing
it.
A follow-on patch will remove the test_v3_
those behaviors are passing all the protection tests with the default
policies in code.
Related-Bug: 1805880
Closes-Bug: 1630434
Closes-Bug: 1806762
Change-Id: Ie45955f5cc5456
(cherry picked from commit d4a6023de5bdfe5
tags: | added: in-stable-train |
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 16.0.0.0rc2 | #104 |
This issue was fixed in the openstack/keystone 16.0.0.0rc2 release candidate.
Fix proposed to branch: master /review. openstack. org/622589
Review: https:/