policy.v3cloudsample.json contains redundant policies

Bug #1806762 reported by Lance Bragstad on 2018-12-04
Affects: OpenStack Identity (keystone) | Importance: Medium | Assigned to: Lance Bragstad

Bug Description

The policy.v3cloudsample.json policy file contains a bunch of redundant policies. This is because when it was created to try and solve the admin-ness problem [0], policies were not in code and didn't have defaults. This meant that we needed to define every policy in the policy.v3cloudsample.json even if it had the same value as the default policies.

Ultimately, the policy.v3cloudsample.json policy file should be removed because it is obsolete with the advent of system-scope [0] and default roles [1].

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html
[1] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html

tags: added: policy
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium

Fix proposed to branch: master
Review: https://review.openstack.org/622589

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress

Related fix proposed to branch: master
Review: https://review.openstack.org/623323

Related fix proposed to branch: master
Review: https://review.openstack.org/624215

Related fix proposed to branch: master
Review: https://review.openstack.org/624216

Related fix proposed to branch: master
Review: https://review.openstack.org/624217

Related fix proposed to branch: master
Review: https://review.openstack.org/624218

Related fix proposed to branch: master
Review: https://review.openstack.org/624219

Related fix proposed to branch: master
Review: https://review.openstack.org/624220

Related fix proposed to branch: master
Review: https://review.openstack.org/624222

Related fix proposed to branch: master
Review: https://review.openstack.org/625352

Related fix proposed to branch: master
Review: https://review.openstack.org/625353

Related fix proposed to branch: master
Review: https://review.openstack.org/625354

Related fix proposed to branch: master
Review: https://review.openstack.org/625355

Related fix proposed to branch: master
Review: https://review.openstack.org/625356

Related fix proposed to branch: master
Review: https://review.openstack.org/625357

Reviewed: https://review.openstack.org/624215
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b35928d5dcd8615d11c199c68c512aaa1dca4ec9
Submitter: Zuul
Branch: master

commit b35928d5dcd8615d11c199c68c512aaa1dca4ec9
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 18:18:42 2018 +0000

    Implement system reader role for projects

    This commit introduces the system reader role to the project API, making
    it easier for administrators to delegate subsets of responsibilities
    to the API by default.

    Subsequent patches will incorporate:

      - system member test coverage
      - system admin functionality
      - domain reader functionality
      - domain member test coverage
      - domain admin functionality
      - project user test coverage

    Change-Id: I089ada1e314688e60f9041095138bc53cd465fa0
    Related-Bug: 1805403
    Related-Bug: 1750660
    Related-Bug: 1806762

Reviewed: https://review.openstack.org/624216
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6037ac58de0fe599df9220a068e1ef054194187a
Submitter: Zuul
Branch: master

commit 6037ac58de0fe599df9220a068e1ef054194187a
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 18:45:25 2018 +0000

    Implement system member role project test coverage

    This commit introduces explicit test coverage for system members,
    making sure they are allowed to do readable and not writable project
    operations.

    Subsequent patches will incorporate:

      - system admin functionality
      - domain reader functionality
      - domain member test coverage
      - domain admin functionality
      - project user test coverage

    Change-Id: I69ff308ea528d54e0db8e475d047e3dbf356ed2f
    Related-Bug: 1805403
    Related-Bug: 1750660
    Related-Bug: 1806762

Reviewed: https://review.openstack.org/624217
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=718d122fe1595d59b4eab99c3a744bfe34941369
Submitter: Zuul
Branch: master

commit 718d122fe1595d59b4eab99c3a744bfe34941369
Author: Lance Bragstad <email address hidden>
Date: Mon Jan 7 20:48:11 2019 +0000

    Implement system admin role in project API

    This commit introduces the system admin role to the projects API,
    making it consistent with other system-admin policy definitions.

    Subsequent patches will build on this work to expose more
    functionality to domain users:

     - domain reader functionality
     - domain member test coverage
     - domain admin functionality
     - project user test coverage

    Change-Id: Iceed65d34a8a7cff8841000d7703b1a48e95bb24
    Closes-Bug: 1805403
    Related-Bug: 1750660
    Related-Bug: 1806762

Reviewed: https://review.openstack.org/605876
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=87e50c029e11d412368f0b08b7e65c6796bf1871
Submitter: Zuul
Branch: master

commit 87e50c029e11d412368f0b08b7e65c6796bf1871
Author: Lance Bragstad <email address hidden>
Date: Thu Sep 27 22:08:55 2018 +0000

    Remove domain policies from policy.v3cloudsample.json

    By incorporating system scope and default roles into keystone's
    default policies for domains, we've effectively made these policies
    obsolete.

    Related-Bug: 1806762

    Change-Id: I96079b15c980de6a4ba71f49d7b39790c1115767

Reviewed: https://review.openstack.org/625352
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a3c3a62a1287d4af398581ec65549a314b061358
Submitter: Zuul
Branch: master

commit a3c3a62a1287d4af398581ec65549a314b061358
Author: Lance Bragstad <email address hidden>
Date: Fri Dec 14 20:29:26 2018 +0000

    Update protocol policies for system reader

    The protocol policies were not taking the default roles work
    we did last release into account. This commit changes the default
    policies to rely on the ``reader`` role for get and list protocols.
    Subsequent patches will incorporate:

     - system member test coverage
     - system admin functionality
     - domain users test coverage
     - project users test coverage

    Change-Id: I4e8887cffb882ab7a52ff6249f98fd026fc72dce
    Related-Bug: 1804523
    Related-Bug: 1806762

Reviewed: https://review.openstack.org/625353
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=85b87fa4795b94d918c88c74c1231468d61f0acc
Submitter: Zuul
Branch: master

commit 85b87fa4795b94d918c88c74c1231468d61f0acc
Author: Lance Bragstad <email address hidden>
Date: Fri Dec 14 21:00:05 2018 +0000

    Add protocol tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writable protocol operations
    to the ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role is
    allowed to perform readable and not writable protocol
    operations. Subsequent patches will incorporate:

     - system admin functionality
     - domain users test coverage
     - project users test coverage

    Related-Bug: 1804523
    Related-Bug: 1806762

    Change-Id: I55751a045cdb315c7534ee84a5c1fe5fb18aa65f

Reviewed: https://review.openstack.org/625354
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=87d93db90950065410e8fcb2866effc96c7153e4
Submitter: Zuul
Branch: master

commit 87d93db90950065410e8fcb2866effc96c7153e4
Author: Lance Bragstad <email address hidden>
Date: Fri Dec 14 21:13:35 2018 +0000

    Implement system admin role in protocol API

    This commit introduces the system admin role to the protocol API,
    making it consistent with other system-admin policy definitions.

    Subsequent patches will build on this work to expose more
    functionality to domain and project users:

     - domain user test coverage
     - project user test coverage

    Change-Id: I9384e0fdd95545f1afef65a5e97e8513b709f150
    Closes-Bug: 1804523
    Related-Bug: 1806762

Reviewed: https://review.openstack.org/625355
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c7cd4bcd5b5745a335b11e11b91aba0a4acf307a
Submitter: Zuul
Branch: master

commit c7cd4bcd5b5745a335b11e11b91aba0a4acf307a
Author: Lance Bragstad <email address hidden>
Date: Fri Dec 14 21:50:58 2018 +0000

    Add tests for domain users interacting with protocols

    This commit introduces some tests that show how domain users are
    expected to behave with the federated protocols API. A
    subsequent patch will do the same for project users.

    Change-Id: Ic389fc76d2879a862061cee70d25aaa570f2f41b
    Related-Bug: 1806762

Reviewed: https://review.openstack.org/625356
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=532b9625de9717a08172de3f7e10a326c812670d
Submitter: Zuul
Branch: master

commit 532b9625de9717a08172de3f7e10a326c812670d
Author: Lance Bragstad <email address hidden>
Date: Fri Dec 14 21:52:12 2018 +0000

    Add tests for project users interacting with protocols

    This commit introduces some tests that show how project users
    are expected to behave with the federated protocol API.
    A subsequent patch will clean up the now obsolete policies in the
    policy.v3cloudsample.json file.

    Change-Id: Ib5f2ea776a57d36f4fe558169b0a14d0b90ec11c
    Related-Bug: 1806762

Reviewed: https://review.openstack.org/625357
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=24b8db9e064713e7350f83cd77ed197b050b1fe1
Submitter: Zuul
Branch: master

commit 24b8db9e064713e7350f83cd77ed197b050b1fe1
Author: Lance Bragstad <email address hidden>
Date: Fri Dec 14 21:54:42 2018 +0000

    Remove protocol policies from v3cloudsample.json

    By incorporating system-scope and default roles, we've effectively
    made these policies obsolete. We can simplify what we maintain and
    provide a more consistent, unified view of default protocol
    behavior by removing them.

    Related-Bug: 1806762
    Closes-Bug: 1804518
    Change-Id: Ia839555d8211596213311c4246135cdae4f46ab2

Related fix proposed to branch: master
Review: https://review.openstack.org/645022

Related fix proposed to branch: master
Review: https://review.openstack.org/645023

Related fix proposed to branch: master
Review: https://review.openstack.org/645024

Reviewed: https://review.openstack.org/624218
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=65165e7e8b8cb9a18e5815a51ab75f0328d8eab4
Submitter: Zuul
Branch: master

commit 65165e7e8b8cb9a18e5815a51ab75f0328d8eab4
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 20:49:32 2018 +0000

    Implement domain reader functionality for projects

    This commit adds explicit testing for how users with the reader role
    on a domain should interact with projects both inside and outside of
    the domain they have authorization on.

    Subsequent patches will continue to build on this by incorporating:

     - domain member test coverage
     - domain admin functionality
     - project user test coverage

    Depends-On: https://review.openstack.org/#/c/642102/
    Depends-On: https://review.openstack.org/#/c/624794/
    Change-Id: I28db6b9bdb16a1ecdacdc2b9ecbb8674ef4d8fe4
    Related-Bug: 1750660
    Related-Bug: 1806762

Reviewed: https://review.openstack.org/624219
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=04dc72a908ce829d7aaf4c62f12d7cd2215812d5
Submitter: Zuul
Branch: master

commit 04dc72a908ce829d7aaf4c62f12d7cd2215812d5
Author: Lance Bragstad <email address hidden>
Date: Mon Jan 7 22:43:57 2019 +0000

    Implement domain member functionality for projects

    This commit adds explicit testing for how users with the member role
    on a domain should interact with projects both inside and outside of
    the domain they have authorization on.

    Subsequent patches will continue to build on this by incorporating:

     - domain admin functionality
     - project user test coverage

    Change-Id: Ic0fe47b7a578270ef4a5e579ac64db63337956c6
    Related-Bug: 1750660
    Related-Bug: 1806762

Reviewed: https://review.openstack.org/624220
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=09663a01a4eda4332e55637a120019e1784b967e
Submitter: Zuul
Branch: master

commit 09663a01a4eda4332e55637a120019e1784b967e
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 22:01:23 2018 +0000

    Implement domain admin functionality for projects

    This commit adds explicit testing to show how users with the admin role
    on a domain can manage projects within their domain. It also modifies
    the default policies to account for this functionality. A subsequent
    patch will do the same for project users.

    Change-Id: I3e1cc44c4ed09ea0a4123ea13974b963c7335676
    Closes-Bug: 1750660
    Related-Bug: 1806762

Reviewed: https://review.openstack.org/624222
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=546b7f1bba0c5a9b9c22828cc27a90191bb8f30d
Submitter: Zuul
Branch: master

commit 546b7f1bba0c5a9b9c22828cc27a90191bb8f30d
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 22:22:52 2018 +0000

    Remove project policies from policy.v3cloudsample.json

    By incorporating system-scope, domain-scope, project-scope, and
    default roles, we've effectively made these policies obsolete. We can
    simplify what we maintain and provide a more consistent, unified view
    of default project behavior by removing them.

    Change-Id: I80221b72ce0f234440e6d6aaea51869bd5f1c6e7
    Related-Bug: 1806762

Related fix proposed to branch: master
Review: https://review.openstack.org/645310

Related fix proposed to branch: master
Review: https://review.openstack.org/645311

Reviewed: https://review.openstack.org/622615
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=465a8bb59be13739253a52d7e457067cf63d3ba8
Submitter: Zuul
Branch: master

commit 465a8bb59be13739253a52d7e457067cf63d3ba8
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 22:24:40 2018 +0000

    Update system grant policies for system reader

    The system grant policies were not taking the default roles work we
    did last release into account. This commit changes the default
    policies to rely on the ``reader`` role for getting and listing system
    assignments. Subsequent patches will incorporate:

     - system member test coverage
     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Change-Id: I838c85f315864d2f0baf747d6bcc546724e4673a
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762

Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Colleen Murphy (krinkle)

Reviewed: https://review.openstack.org/645889
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d1cfa3ab3f87f15f61c5387670d3b75ee2ba93ba
Submitter: Zuul
Branch: master

commit d1cfa3ab3f87f15f61c5387670d3b75ee2ba93ba
Author: Lance Bragstad <email address hidden>
Date: Fri Mar 22 21:08:25 2019 +0000

    Implement system reader functionality for grants

    This commit opens up the assignment API for system readers and system
    members to list and check grants for users and groups on projects and
    domains. Subsequent patches will:

     - refactor system admin policy checks
     - implement domain reader and member support
     - implement domain admin support
     - introduce test coverage for project users and the grants API
     - remove redundant policies from policy.v3cloudsample.json

    Change-Id: I04bafe2f7c83addddf18591eaeba80277321139b
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762

Reviewed: https://review.openstack.org/645890
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ef838a3a3f575562b1fc84623c3a8491d4f2e2f4
Submitter: Zuul
Branch: master

commit ef838a3a3f575562b1fc84623c3a8491d4f2e2f4
Author: Lance Bragstad <email address hidden>
Date: Fri Mar 22 21:25:07 2019 +0000

    Make system admin policies consistent for grants

    This commit adjusts the create and revoke grant policies to be
    consistent with other system admin policy check strings by not using
    the rule:admin_required check string and by including system_scope:all
    in the rule itself.

    Subsequent patches will:

     - implement domain reader and member support
     - implement domain admin support
     - introduce test coverage for project users and the grants API
     - remove redundant policies from policy.v3cloudsample.json

    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762

    Change-Id: Idcbe16f643332d80af716074cf3ea22525d465a9

Reviewed: https://review.openstack.org/647673
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=fd08266abb3a4fb18ac05921ca11c4768daa2f6d
Submitter: Zuul
Branch: stable/stein

commit fd08266abb3a4fb18ac05921ca11c4768daa2f6d
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 22:24:40 2018 +0000

    Update system grant policies for system reader

    The system grant policies were not taking the default roles work we
    did last release into account. This commit changes the default
    policies to rely on the ``reader`` role for getting and listing system
    assignments. Subsequent patches will incorporate:

     - system member test coverage
     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Change-Id: I838c85f315864d2f0baf747d6bcc546724e4673a
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762
    (cherry picked from commit 465a8bb59be13739253a52d7e457067cf63d3ba8)

tags: added: in-stable-stein

Reviewed: https://review.openstack.org/647674
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0786fde3932e218ef355a6cc958f83c3c7033686
Submitter: Zuul
Branch: stable/stein

commit 0786fde3932e218ef355a6cc958f83c3c7033686
Author: Lance Bragstad <email address hidden>
Date: Wed Mar 20 21:18:32 2019 +0000

    Update system grant policies for system member

    This commit ensures users with the ``member`` role on the system can
    perform read-only operations against the system assignment API.

     - system admin functionality
     - domain user test coverage
     - project user test coverage

    Change-Id: I834475da2343ba87fb169689f71d4cb4713f6786
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762
    (cherry picked from commit bb4192e88d88b781b2a821f3a499b7168b7bbc31)

Reviewed: https://review.openstack.org/647675
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ad108dafe2bdd1b6523d6f45315bb136b9b01408
Submitter: Zuul
Branch: stable/stein

commit ad108dafe2bdd1b6523d6f45315bb136b9b01408
Author: Lance Bragstad <email address hidden>
Date: Wed Mar 20 21:40:55 2019 +0000

    Update system grant policies for system admin

    This commit updates the policies for adding and removing system
    assignments from users to be consistent with other system-scoped
    policies.

     - domain user test coverage
     - project user test coverage

    Change-Id: Ia24a81669477ca5c737d0dedefac0c8fb0edc51a
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762
    (cherry picked from commit 8f4e179c69eae7ced731776717c09a979bd67cc5)

Reviewed: https://review.openstack.org/647676
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4ccb4c258f54642a272e0d865aa1768b7f1ffee5
Submitter: Zuul
Branch: stable/stein

commit 4ccb4c258f54642a272e0d865aa1768b7f1ffee5
Author: Lance Bragstad <email address hidden>
Date: Wed Mar 20 21:49:32 2019 +0000

    Test domain users against system assignment API

    This commit ensures that domain users are not able to operate on
    system role assignments in any way since they lack the proper
    authorization to do so.

     - project user test coverage

    Change-Id: Ic27a158448e1098fdb1c0a14694793cc041e7eff
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762
    (cherry picked from commit 8450d4a9cc76ce9e476d3cadf863f40f072f4cfe)

Reviewed: https://review.openstack.org/647677
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=de083009eb51d1af086387bbac0dca8d3c4474c0
Submitter: Zuul
Branch: stable/stein

commit de083009eb51d1af086387bbac0dca8d3c4474c0
Author: Lance Bragstad <email address hidden>
Date: Wed Mar 20 21:58:51 2019 +0000

    Test project users against system assignment API

    This commit ensures that project users are not able to operate on
    system role assignments in any way since they lack the proper
    authorization to do so.

    Change-Id: I8b5add170ba0d9eec42f2d088f4b89aa801136df
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762
    (cherry picked from commit fac844c4ae058c148889b636ab6cbb637df7e554)

Reviewed: https://review.openstack.org/647678
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1d8ac830a1ed6a571db6987d4ef657cf3e04d640
Submitter: Zuul
Branch: stable/stein

commit 1d8ac830a1ed6a571db6987d4ef657cf3e04d640
Author: Lance Bragstad <email address hidden>
Date: Thu Mar 21 18:21:42 2019 +0000

    Update system group assignment policies for reader and member

    This commit introduces the reader and member default roles to the
    system assignment API for groups. Users with the `reader` and `member`
    role on the system should be able to list and check system role
    assignments for all users in the deployment.

    Subsequent patches will:

      - simplify the policies for system admin
      - add domain user test coverage
      - add project user test coverage
      - remove obsolete policies from policy.v3cloudsample.json

    Change-Id: I7eebb1b07213a1406e98f8a621ec44c87b812457
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762
    (cherry picked from commit 593e67e6ca429c6e6b54c5453a05c40a73abee85)

Reviewed: https://review.openstack.org/647679
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=02eebfe5732fb9935331551e223337b22db7aebd
Submitter: Zuul
Branch: stable/stein

commit 02eebfe5732fb9935331551e223337b22db7aebd
Author: Lance Bragstad <email address hidden>
Date: Thu Mar 21 18:29:21 2019 +0000

    Update group system grant policies for admins

    This commit updates the policies for adding and removing system
    assignments from groups to be consistent with other system-scoped
    policies.

    Subsequent patches will build on this work and:

      - add domain user test coverage
      - add project user test coverage
      - remove obsolete policies from policy.v3cloudsample.json

    Change-Id: I90ecc67dbae60c74b69bb227a08205d4415bd16e
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762
    (cherry picked from commit ba09e89ba1b8a883b09ca81f43bf54bd870411c1)

Reviewed: https://review.openstack.org/647680
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=56e48127938be2d67b984d00b155833532233713
Submitter: Zuul
Branch: stable/stein

commit 56e48127938be2d67b984d00b155833532233713
Author: Lance Bragstad <email address hidden>
Date: Thu Mar 21 18:54:06 2019 +0000

    Test domain and project users against group system assignment API

    This commit ensures that domain and project users are not able to
    operate on system role assignments for groups in any way since they
    lack the proper authorization to do so.

    Subsequent patches will:

     - remove obsolete policies from policy.v3cloudsample.json

    Change-Id: I696e5d161fae7efbc208355372bf7bf09f96849f
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762
    (cherry picked from commit 6e118bad3d49bc1da7137a406fb8cb2e3da931ca)

Reviewed: https://review.openstack.org/647681
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b7a64a9315a2bfe8c76b4e9b117458530df75e80
Submitter: Zuul
Branch: stable/stein

commit b7a64a9315a2bfe8c76b4e9b117458530df75e80
Author: Lance Bragstad <email address hidden>
Date: Thu Mar 21 19:28:08 2019 +0000

    Remove system assignment policies from policy.v3cloudsample.json

    By relying on system-scope and default roles, these policies are now
    obsolete.

    Change-Id: I7a17c2baa6e23b6a5d8fe21668a66ea8c8a89232
    Partial-Bug: 1806762
    (cherry picked from commit 0dbc8a88e8856d5decb1d0efec2921f49d90b879)

Related fix proposed to branch: stable/stein
Review: https://review.openstack.org/647815

Reviewed: https://review.openstack.org/647552
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=24c875fe76474e3194100f138311a151aa2e6b6d
Submitter: Zuul
Branch: stable/stein

commit 24c875fe76474e3194100f138311a151aa2e6b6d
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 22:01:23 2018 +0000

    Implement domain admin functionality for projects

    This commit adds explicit testing to show how users with the admin role
    on a domain can manage projects within their domain. It also modifies
    the default policies to account for this functionality. A subsequent
    patch will do the same for project users.

    Change-Id: I3e1cc44c4ed09ea0a4123ea13974b963c7335676
    Closes-Bug: 1750660
    Related-Bug: 1806762
    (cherry picked from commit 09663a01a4eda4332e55637a120019e1784b967e)

Reviewed: https://review.openstack.org/647589
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=570e47dbf3c0c24483be94e0d338acbb6dc2f2c9
Submitter: Zuul
Branch: stable/stein

commit 570e47dbf3c0c24483be94e0d338acbb6dc2f2c9
Author: Vishakha Agarwal <email address hidden>
Date: Tue Mar 5 13:00:55 2019 +0530

    Remove assignment policies from policy.v3cloudsample.json

    By incorporating system-scope and default roles, we've
    effectively made these policies obsolete. We can simplify
    what we maintain and provide a more consistent, unified
    view of default service behavior by removing them.

    This commit also removes some redundant tests in test_v3_protection
    or corrects them.

    Partial-Bug: 1806762
    Change-Id: I008aed9c01b9e834a197444ff2dc1f6eb1ba25b1
    (cherry picked from commit 64a455ef94c685d48605c0c40db37c2226707f57)

Reviewed: https://review.openstack.org/623323
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d2cc4c83c00256440eed0ed5b8d7131cc02d72d4
Submitter: Zuul
Branch: master

commit d2cc4c83c00256440eed0ed5b8d7131cc02d72d4
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 21:14:44 2018 +0000

    Consolidate user protection tests

    This commit removes user policies from policy.v3cloudsample.json. By
    incorporating system-scope, domain-scope, project-scope, and default
    roles, we've effectively made these policies obsolete. We can simplify
    what we maintain and provide a more consistent, unified view of
    default user behavior by removing them.

    This commit also adds an important filter to the GET /v3/users API by
    making sure the users in the response are filtered properly if the API
    was called with a domain-scoped token. This is needed in case domain
    configuration isn't setup and short-circuits normalization of the
    domain ID, which sometimes comes from the token if it is
    domain-scoped. Regardless of domain configuration being used, we
    should protect against cases where data leaks across domains in the
    name of security.

    Finally, this commit moves a couple of tests from test_v3_protection
    to test_users protection tests that ensures we do reasonable filtering
    while normalizing domain IDs. The remaining tests from
    test_v3_protection have been removed because they are no longer
    applicable. These tests were testing an HTTP 403 was returned when a
    domain user attempted to filter users for domains they didn't have
    authorization on. We don't use this approach consistently in keystone.
    Most other places where filtering is implemented, we ignore invalid
    filters and instead return an empty list. For domain users attempting
    to fish information out of another domain, they will receive an empty
    list to be consistent with other parts of the API.

    Change-Id: I60b2e2b8af172c369eab0eb2c29f056f5c98ad16
    Partial-Bug: 1806762
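
The filtering decision in the commit above, shown as an added example rather than keystone's own code: a domain-scoped token pins the listing to the token's domain, a domain user asking for a different domain gets an empty list instead of an HTTP 403, and a system-scoped token may filter freely. The token and user dictionaries are constructed for the example and are a simplified model of token scope, not keystone's token format; how project-scoped tokens are treated is an assumption, since the commit does not cover them.

```python
# Constructed sample users for the example (not keystone data).
USERS = [
    {"id": "u1", "name": "alice", "domain_id": "d1"},
    {"id": "u2", "name": "bob", "domain_id": "d1"},
    {"id": "u3", "name": "carol", "domain_id": "d2"},
]


def list_users(token, requested_domain_id=None, users=USERS):
    """Return the users visible to `token`, applying scope-derived filtering.

    `token` is {"system": "all"} for a system-scoped token or
    {"domain_id": ...} for a domain-scoped one (assumed, simplified model).
    `requested_domain_id` is the domain_id query filter, if the caller sent one.
    """
    if token.get("system") == "all":
        # System scope: the caller's filter, if any, is honoured as given.
        effective_domain = requested_domain_id
    elif "domain_id" in token:
        # Domain scope: the filter comes from the token itself, so the result
        # is pinned to the caller's domain even when no domain-specific
        # configuration normalised the domain ID from the request.
        effective_domain = token["domain_id"]
        if requested_domain_id not in (None, effective_domain):
            # Fishing for another domain: empty list, consistent with how
            # other keystone list filters treat filters the caller may not use.
            return []
    else:
        # Project-scoped tokens are outside what the commit describes;
        # refusing them here is an assumption made for this example.
        raise PermissionError("only system- or domain-scoped tokens may list users")

    return [u for u in users
            if effective_domain is None or u["domain_id"] == effective_domain]


def user_ids(token, requested_domain_id=None):
    """Convenience wrapper returning just the IDs, in listing order."""
    return [u["id"] for u in list_users(token, requested_domain_id)]
```

The point to check in a real deployment is the second branch: the domain filter must be derived from the token, not from the request, so that a missing or misconfigured domain-specific configuration cannot turn a domain-scoped listing into a cross-domain one.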

Reviewed: https://review.openstack.org/647586
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8877e9f01caf01fa66528afd78f32195d35d3b4a
Submitter: Zuul
Branch: master

commit 8877e9f01caf01fa66528afd78f32195d35d3b4a
Author: Colleen Murphy <email address hidden>
Date: Mon Mar 25 20:39:08 2019 +0100

    Remove redundant policies from v3cloudsample

    By incorporating system and domain scope and default roles into
    keystone's default policies for domains, we've effectively made these
    policies obsolete. This change also removes the redundant group
    management tests from the v3cloudsample tests.

    Change-Id: I4e3b19f9cc025a472fb27a33955856c2cd17fd1d
    Partial-Bug: #1806762

Reviewed: https://review.openstack.org/647553
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3d3fa99a0503be678d7fe7058fd9220aca70716d
Submitter: Zuul
Branch: stable/stein

commit 3d3fa99a0503be678d7fe7058fd9220aca70716d
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 10 22:22:52 2018 +0000

    Remove project policies from policy.v3cloudsample.json

    By incorporating system-scope, domain-scope, project-scope, and
    default roles, we've effectively made these policies obsolete. We can
    simplify what we maintain and provide a more consistent, unified view
    of default project behavior by removing them.

    Change-Id: I80221b72ce0f234440e6d6aaea51869bd5f1c6e7
    Related-Bug: 1806762
    (cherry picked from commit 546b7f1bba0c5a9b9c22828cc27a90191bb8f30d)

Reviewed: https://review.openstack.org/647587
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7f257513f87c3eb9fd4aa9d904ed11cef6d9f47c
Submitter: Zuul
Branch: stable/stein

commit 7f257513f87c3eb9fd4aa9d904ed11cef6d9f47c
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 21:14:44 2018 +0000

    Consolidate user protection tests

    This commit removes user policies from policy.v3cloudsample.json. By
    incorporating system-scope, domain-scope, project-scope, and default
    roles, we've effectively made these policies obsolete. We can simplify
    what we maintain and provide a more consistent, unified view of
    default user behavior by removing them.

    This commit also adds an important filter to the GET /v3/users API by
    making sure the users in the response are filtered properly if the API
    was called with a domain-scoped token. This is needed in case domain
    configuration isn't setup and short-circuits normalization of the
    domain ID, which sometimes comes from the token if it is
    domain-scoped. Regardless of domain configuration being used, we
    should protect against cases where data leaks across domains in the
    name of security.

    Finally, this commit moves a couple of tests from test_v3_protection
    to test_users protection tests that ensures we do reasonable filtering
    while normalizing domain IDs. The remaining tests from
    test_v3_protection have been removed because they are no longer
    applicable. These tests were testing an HTTP 403 was returned when a
    domain user attempted to filter users for domains they didn't have
    authorization on. We don't use this approach consistently in keystone.
    Most other places where filtering is implemented, we ignore invalid
    filters and instead return an empty list. For domain users attempting
    to fish information out of another domain, they will receive an empty
    list to be consistent with other parts of the API.

    Change-Id: I60b2e2b8af172c369eab0eb2c29f056f5c98ad16
    Partial-Bug: 1806762
    (cherry picked from commit d2cc4c83c00256440eed0ed5b8d7131cc02d72d4)
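The cross-domain leak described in that commit message is easier to see with a toy model. The following is an added example, not keystone code: a hypothetical, simplified reimplementation of the two behaviours (domain-ID normalization that is skipped when domain-specific configuration is off, and the unconditional token-domain filter the commit adds), run over a constructed three-user directory. Names such as `list_users_before_fix`, `list_users_after_fix` and `D1_TOKEN` are mine, not keystone's.

```python
from typing import Dict, List, Optional

# Added example, not keystone code: a toy model of the GET /v3/users
# filtering problem described in the commit message above.

# Constructed sample directory: two domains, three users.
USERS: List[Dict[str, str]] = [
    {"id": "u1", "name": "alice", "domain_id": "d1"},
    {"id": "u2", "name": "bob", "domain_id": "d1"},
    {"id": "u3", "name": "carol", "domain_id": "d2"},
]


def _normalize_domain_id(token: Dict, filters: Dict[str, str],
                         domain_config_enabled: bool) -> Dict[str, str]:
    """Pre-fix behaviour (hypothetical model): the token's domain is copied
    into the query filters only when domain-specific configuration is set up.
    With it disabled the function short-circuits and adds nothing."""
    filters = dict(filters)
    if not domain_config_enabled:
        return filters
    if "domain_id" not in filters and token.get("domain_id"):
        filters["domain_id"] = token["domain_id"]
    return filters


def list_users_before_fix(token: Dict, filters: Optional[Dict[str, str]] = None,
                          domain_config_enabled: bool = True) -> List[str]:
    """Return the IDs of users matching the (normalized) query filters."""
    effective = _normalize_domain_id(token, filters or {}, domain_config_enabled)
    return [u["id"] for u in USERS
            if all(u.get(k) == v for k, v in effective.items())]


def list_users_after_fix(token: Dict, filters: Optional[Dict[str, str]] = None,
                         domain_config_enabled: bool = True) -> List[str]:
    """Same lookup plus the unconditional filter the commit adds: a
    domain-scoped token only ever sees users of its own domain. A filter
    naming another domain yields an empty list, not HTTP 403, which is
    consistent with how other list APIs treat filters the caller cannot use."""
    ids = list_users_before_fix(token, filters, domain_config_enabled)
    token_domain = token.get("domain_id")
    if token_domain:
        by_id = {u["id"]: u for u in USERS}
        ids = [i for i in ids if by_id[i]["domain_id"] == token_domain]
    return ids


# Constructed domain-scoped token for domain d1.
D1_TOKEN = {"domain_id": "d1", "roles": ["admin"]}

if __name__ == "__main__":
    print("before fix, domain config off:",
          list_users_before_fix(D1_TOKEN, domain_config_enabled=False))
    print("after fix, domain config off: ",
          list_users_after_fix(D1_TOKEN, domain_config_enabled=False))
    print("after fix, filtering on d2:   ",
          list_users_after_fix(D1_TOKEN, {"domain_id": "d2"}))
```

With domain configuration disabled, the pre-fix path returns all three users to a d1-scoped token; the post-fix path returns only the d1 users, and an explicit `domain_id=d2` filter from that token returns an empty list.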

Reviewed: https://review.openstack.org/647814
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=db3b293cdea31b5a2b4fab1108d905832ee15550
Submitter: Zuul
Branch: stable/stein

commit db3b293cdea31b5a2b4fab1108d905832ee15550
Author: Lance Bragstad <email address hidden>
Date: Fri Mar 22 21:08:25 2019 +0000

    Implement system reader functionality for grants

    This commit opens up the assignment API for system readers and system
    members to list and check grants for users and groups on projects and
    domains. Subsequent patches will:

     - refactor system admin policy checks
     - implement domain reader and member support
     - implement domain admin support
     - introduce test coverage for project users and the grants API
     - remove redundant policies from policy.v3cloudsample.json

    Change-Id: I04bafe2f7c83addddf18591eaeba80277321139b
    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762
    (cherry picked from commit d1cfa3ab3f87f15f61c5387670d3b75ee2ba93ba)

Changed in keystone:
assignee: Colleen Murphy (krinkle) → Lance Bragstad (lbragstad)

Reviewed: https://review.openstack.org/647815
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=933b7509a4177680158baeeb582f82470f73ae38
Submitter: Zuul
Branch: stable/stein

commit 933b7509a4177680158baeeb582f82470f73ae38
Author: Lance Bragstad <email address hidden>
Date: Fri Mar 22 21:25:07 2019 +0000

    Make system admin policies consistent for grants

    This commit adjusts the create and revoke grant policies to be
    consistent with other system admin policy check strings by not using
    the rule:admin_required check string and by including system_scope:all
    in the rule itself.

    Subsequent patches will:

     - implement domain reader and member support
     - implement domain admin support
     - introduce test coverage for project users and the grants API
     - remove redundant policies from policy.v3cloudsample.json

    Related-Bug: 1805368
    Related-Bug: 1750669
    Related-Bug: 1806762

    Change-Id: Idcbe16f643332d80af716074cf3ea22525d465a9
    (cherry picked from commit ef838a3a3f575562b1fc84623c3a8491d4f2e2f4)
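To make the difference between the two check-string styles concrete, here is an added example (not keystone or oslo.policy code): a small, hypothetical evaluator for the subset of oslo.policy check-string syntax used in the two grant commits above (`role:X`, `system_scope:X`, `rule:X`, `and`, `or`, `not`, parentheses), with illustrative rule names and constructed credential dicts. It shows why `rule:admin_required` on its own is satisfied by a project-scoped admin token, while a rule that carries `system_scope:all` inside it is not, and why a system reader passes the list check but not the create check.

```python
import re
from typing import Dict, List

# Added example: a deliberately small re-implementation of the oslo.policy
# check-string subset discussed above. It is NOT oslo.policy and supports
# only: role:X, system_scope:X, rule:X, and/or/not, parentheses, @ and !.

_TOKEN_RE = re.compile(r"\(|\)|\band\b|\bor\b|\bnot\b|[^\s()]+")


class Rules:
    """Named check strings, e.g. {"admin_required": "role:admin"}."""

    def __init__(self, rules: Dict[str, str]) -> None:
        self.rules = rules

    def check(self, name: str, creds: Dict) -> bool:
        """Evaluate rule `name` against a token's credential dict."""
        parser = _Parser(_TOKEN_RE.findall(self.rules[name]), creds, self)
        result = parser.expr()
        if parser.peek() is not None:
            raise ValueError("trailing tokens in check string")
        return result


def _atom(token: str, creds: Dict, rules: Rules) -> bool:
    kind, _, value = token.partition(":")
    if kind == "role":            # role match, case-insensitive
        return value.lower() in {r.lower() for r in creds.get("roles", [])}
    if kind == "rule":            # delegate to another named rule
        return rules.check(value, creds)
    if kind == "system_scope":    # compare against the token's system scope
        return creds.get("system_scope") == value
    if token == "@":
        return True
    if token == "!":
        return False
    raise ValueError(f"unsupported check: {token}")


class _Parser:
    """Recursive-descent parser; 'and' binds tighter than 'or'."""

    def __init__(self, tokens: List[str], creds: Dict, rules: Rules) -> None:
        self.tokens, self.creds, self.rules, self.pos = tokens, creds, rules, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> str:
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok

    def expr(self) -> bool:
        result = self.term()
        while self.peek() == "or":
            self.take()
            rhs = self.term()      # always evaluated so every token is consumed
            result = result or rhs
        return result

    def term(self) -> bool:
        result = self.factor()
        while self.peek() == "and":
            self.take()
            rhs = self.factor()
            result = result and rhs
        return result

    def factor(self) -> bool:
        tok = self.take()
        if tok == "not":
            return not self.factor()
        if tok == "(":
            result = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return result
        return _atom(tok, self.creds, self.rules)


# Illustrative rules assumed for this example (not keystone's exact file).
POLICY = Rules({
    "admin_required": "role:admin",
    # Old style: any token carrying the admin role passes, whatever its scope.
    "identity:create_grant_old": "rule:admin_required",
    # Style described in the commit: the scope check is part of the rule.
    "identity:create_grant": "(role:admin and system_scope:all)",
    "identity:list_grants": "(role:reader and system_scope:all) or "
                            "(role:admin and system_scope:all)",
})

# Constructed credential dicts, shaped like what a policy enforcer receives.
PROJECT_ADMIN = {"roles": ["admin"], "project_id": "p1"}
SYSTEM_ADMIN = {"roles": ["admin"], "system_scope": "all"}
SYSTEM_READER = {"roles": ["reader"], "system_scope": "all"}

if __name__ == "__main__":
    for rule in ("identity:create_grant_old", "identity:create_grant",
                 "identity:list_grants"):
        for label, creds in (("project admin", PROJECT_ADMIN),
                             ("system admin", SYSTEM_ADMIN),
                             ("system reader", SYSTEM_READER)):
            print(f"{rule:28} {label:14} -> {POLICY.check(rule, creds)}")
```

The project-scoped admin passes the old `rule:admin_required` check but fails both scope-qualified rules; the system reader passes only the list rule. Real oslo.policy also handles attribute checks such as `domain_id:%(target.domain_id)s`, which this toy evaluator deliberately leaves out.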

Fix proposed to branch: stable/stein
Review: https://review.openstack.org/649344

Reviewed: https://review.openstack.org/649297
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2c102cad4769c1a6f6713c1379a1760f03ea0172
Submitter: Zuul
Branch: stable/stein

commit 2c102cad4769c1a6f6713c1379a1760f03ea0172
Author: Colleen Murphy <email address hidden>
Date: Mon Mar 25 20:39:08 2019 +0100

    Remove redundant policies from v3cloudsample

    By incorporating system and domain scope and default roles into
    keystone's default policies for domains, we've effectively made these
    policies obsolete. This change also removes the redundant group
    management tests from the v3cloudsample tests.

    Change-Id: I4e3b19f9cc025a472fb27a33955856c2cd17fd1d
    Partial-Bug: #1806762
    (cherry picked from commit 8877e9f01caf01fa66528afd78f32195d35d3b4a)

Reviewed: https://review.openstack.org/622589
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bb141b1fb49c5391530399777586611f2a4b2e6d
Submitter: Zuul
Branch: master

commit bb141b1fb49c5391530399777586611f2a4b2e6d
Author: Lance Bragstad <email address hidden>
Date: Tue Apr 2 15:17:18 2019 +0000

    DRY: Remove redundant policies from policy.v3cloudsample.json

    The policies contained in policy.v3cloudsample.json pre-dated any of
    the work to move policy defaults into code. Since deploying a policy
    file is now optional, we can remove the redundant policies from this
    file and make it more maintainable by not repeating ourselves and
    violating the DRY principle.

    The only policies left are ones that are testing workarounds for bug
    968696. Meanwhile, we're pursuing fixes for scope types and default
    roles:

      http://tinyurl.com/y5kj6fn9

    These fixes are specific to certain resources to make reviews more
    understandable for reviewers. As fixes for those bugs land, we will
    be removing the remaining checks in this file, since the behavior will
    be captured in new default check strings or in code.

    Eventually, we will delete this file entirely since we will have
    defaults in code that work for `admins`, `members`, and `readers` on
    projects, domains, and the deployment system.

    Change-Id: Ibbabe8fdc7989f15aa0edda2bf7b550a0dc16f83
    Partial-Bug: 1806762

Reviewed: https://review.openstack.org/649344
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c78581b4608f3dc10e945d358963000f284f188a
Submitter: Zuul
Branch: stable/stein

commit c78581b4608f3dc10e945d358963000f284f188a
Author: Lance Bragstad <email address hidden>
Date: Tue Apr 2 15:17:18 2019 +0000

    DRY: Remove redundant policies from policy.v3cloudsample.json

    The policies contained in policy.v3cloudsample.json pre-dated any of
    the work to move policy defaults into code. Since deploying a policy
    file is now optional, we can remove the redundant policies from this
    file and make it more maintainable by not repeating ourselves and
    violating the DRY principle.

    The only policies left are ones that are testing workarounds for bug
    968696. Meanwhile, we're pursuing fixes for scope types and default
    roles:

      http://tinyurl.com/y5kj6fn9

    These fixes are specific to certain resources to make reviews more
    understandable for reviewers. As fixes for those bugs land, we will
    be removing the remaining checks in this file, since the behavior will
    be captured in new default check strings or in code.

    Eventually, we will delete this file entirely since we will have
    defaults in code that work for `admins`, `members`, and `readers` on
    projects, domains, and the deployment system.

    Change-Id: Ibbabe8fdc7989f15aa0edda2bf7b550a0dc16f83
    Partial-Bug: 1806762
    (cherry picked from commit bb141b1fb49c5391530399777586611f2a4b2e6d)

Fix proposed to branch: master
Review: https://review.opendev.org/678475

Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Vishakha Agarwal (vishakha.agarwal)

Fix proposed to branch: master
Review: https://review.opendev.org/680797

Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Colleen Murphy (krinkle)
Changed in keystone:
assignee: Colleen Murphy (krinkle) → Vishakha Agarwal (vishakha.agarwal)

Fix proposed to branch: master
Review: https://review.opendev.org/681162

Reviewed: https://review.opendev.org/678475
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=704cb2590e2f4496a73a79b3eeb22656083b4081
Submitter: Zuul
Branch: master

commit 704cb2590e2f4496a73a79b3eeb22656083b4081
Author: Vishakha Agarwal <email address hidden>
Date: Mon Aug 26 12:58:55 2019 +0530

    Remove system policy and its association from policy.v3cloudsample.json

    By relying on system-scope and default roles, these policies are now
    obsolete.

    Change-Id: Ib2aa3e9023194ee578c617cdf2d53c6264c0e785
    Partial-Bug: #1806762
    Closes-Bug: #1805409

Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Colleen Murphy (krinkle)

Reviewed: https://review.opendev.org/680797
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=afb312529ba1e1eb5acb9598d792f39f5a2500d7
Submitter: Zuul
Branch: master

commit afb312529ba1e1eb5acb9598d792f39f5a2500d7
Author: Colleen Murphy <email address hidden>
Date: Fri Sep 6 21:02:44 2019 -0700

    Remove implied roles policies from v3cloudsample

    By incorporating system scope and default roles into keystone's default
    policies for implied roles, we've effectively made these policies
    obsolete.

    Change-Id: I75515d3491517ea6e6fa17473a7890ce4653b481
    Partial-bug: #1806762
    Closes-bug: #1805371

Changed in keystone:
assignee: Colleen Murphy (krinkle) → Vishakha Agarwal (vishakha.agarwal)

Reviewed: https://review.opendev.org/667731
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cf22f8004ed1dba9116c383ae287ad5b4af82dc2
Submitter: Zuul
Branch: master

commit cf22f8004ed1dba9116c383ae287ad5b4af82dc2
Author: Lance Bragstad <email address hidden>
Date: Wed Jun 26 20:58:12 2019 +0000

    Remove obsolete grant policies from policy.v3cloudsample.json

    This commit also removes an obsolete test case from
    test_v3_protection.py.

    Co-Authored-By: Colleen Murphy <email address hidden>

    Change-Id: Ic0a654494f96d5dffa0c4d4d96766ab4a2e090b1
    Related-Bug: 1806762

Reviewed: https://review.opendev.org/681162
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6435017c242d759ec18dac30d667f0e196e49f38
Submitter: Zuul
Branch: master

commit 6435017c242d759ec18dac30d667f0e196e49f38
Author: Vishakha Agarwal <email address hidden>
Date: Tue Sep 10 11:57:13 2019 +0530

    Remove system EC2 credentials from policy.v3cloudsample.json

    By relying on system-scope and default roles, these policies are now
    obsolete.

    Change-Id: Ie6be658a8e4dd028834a3fee956689f9513a37e9
    Partial-Bug: #1806762
    Closes-Bug: #1750678

Reviewed: https://review.opendev.org/680357
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=566f8e734d1b5416305b7ab04c6eda48f40e576b
Submitter: Zuul
Branch: master

commit 566f8e734d1b5416305b7ab04c6eda48f40e576b
Author: Vishakha Agarwal <email address hidden>
Date: Thu Sep 5 15:09:40 2019 +0530

    Remove system Domain Config from policy.v3cloudsample.json

    By relying on system-scope and default roles, these policies are now
    obsolete.

    Change-Id: I21473f757611cfd3299d0227eddef89d4ef624ff
    Partial-Bug: #1806762
    Closes-Bug: #1805366

Reviewed: https://review.opendev.org/682503
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8e67249d5bfb07b0a236189f62b3f338532f0df0
Submitter: Zuul
Branch: master

commit 8e67249d5bfb07b0a236189f62b3f338532f0df0
Author: Lance Bragstad <email address hidden>
Date: Mon Sep 16 22:11:06 2019 +0000

    Add default roles and scope checking to project tags

    This commit makes it so that project tags adhere to system-scope and
    also incorporates default roles into the policy checks by default.

    Change-Id: Ie36df5677a08d7d95f056f3ea00eda05e1315ea5
    Closes-Bug: 1844194
    Closes-Bug: 1844193
    Related-Bug: 1806762

Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Lance Bragstad (lbragstad)

Reviewed: https://review.opendev.org/682266
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d4a6023de5bdfe5a6e9214579a35e083a45c1151
Submitter: Zuul
Branch: master

commit d4a6023de5bdfe5a6e9214579a35e083a45c1151
Author: Lance Bragstad <email address hidden>
Date: Mon Sep 16 02:52:12 2019 +0000

    Remove policy.v3cloudsample.json

    We've made all the default policies keystone supports better by
    incorporating default roles and scope types. These changes have made
    the ``policy.v3cloudsample.json`` file obsolete.

    Let's simplify things for users, operators, and developers by removing
    it.

    A follow-on patch will remove the test_v3_protection.py file since
    those behaviors are passing all the protection tests with the default
    policies in code.

    Related-Bug: 1805880
    Closes-Bug: 1630434
    Closes-Bug: 1806762
    Change-Id: Ie45955f5cc54563cc9704d7cb2b656b5544ae030

Changed in keystone:
status: In Progress → Fix Released

Reviewed: https://review.opendev.org/687639
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d9217f07b83399373c6e0879a71d943b73632ff5
Submitter: Zuul
Branch: stable/train

commit d9217f07b83399373c6e0879a71d943b73632ff5
Author: Lance Bragstad <email address hidden>
Date: Mon Sep 16 02:52:12 2019 +0000

    Remove policy.v3cloudsample.json

    We've made all the default policies keystone supports better by
    incorporating default roles and scope types. These changes have made
    the ``policy.v3cloudsample.json`` file obsolete.

    Let's simplify things for users, operators, and developers by removing
    it.

    A follow-on patch will remove the test_v3_protection.py file since
    those behaviors are passing all the protection tests with the default
    policies in code.

    Related-Bug: 1805880
    Closes-Bug: 1630434
    Closes-Bug: 1806762
    Change-Id: Ie45955f5cc54563cc9704d7cb2b656b5544ae030
    (cherry picked from commit d4a6023de5bdfe5a6e9214579a35e083a45c1151)

tags: added: in-stable-train

This issue was fixed in the openstack/keystone 16.0.0.0rc2 release candidate.
