The v3 group API should account for different scopes

Bug #1808859 reported by Lance Bragstad on 2018-12-17
Affects: OpenStack Identity (keystone)
Importance: High
Assigned to: Colleen Murphy

Bug Description

Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release [0]. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the group API. This is documented in each patch with FIXMEs [1].

System users should be able to manage groups across all domains in the deployment.
Domain users should be able to manage groups within the domain they have authorization on.
Project users shouldn't be able to manage groups at all, since group entities are domain-specific.

[0] https://review.openstack.org/#/c/525706/
[1] https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/group.py?id=20f11eb88a7d8bf534fa221ebeae4ae9c87cdc0b#n21
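The three outcomes the description asks for (system users act across every domain, domain users only inside their own domain, project users not at all), as an added example that is not keystone's or oslo.policy's own code: a small Python model of scope-aware policy enforcement. It mimics the oslo.policy check-string mini-language ("key:value" atoms joined by and/or, with %(path)s placeholders resolved from the enforcement target) and the scope_types gate that rejects a token whose scope a rule does not list. The rule names, the check strings, the flattened dotted-key target layout and the sample credentials are illustrative assumptions, not keystone's shipped defaults.

```python
import re

# Assumed building blocks in oslo.policy check-string syntax (illustrative,
# not keystone's shipped defaults).
SYSTEM_READER = "role:reader and system_scope:all"
SYSTEM_ADMIN = "role:admin and system_scope:all"
DOMAIN_READER = "role:reader and domain_id:%(target.group.domain_id)s"
DOMAIN_ADMIN = "role:admin and domain_id:%(target.group.domain_id)s"

# Project scope is deliberately absent: groups are domain-level entities.
POLICY = {
    "identity:get_group": {
        "scope_types": ["system", "domain"],
        "check": f"({SYSTEM_READER}) or ({DOMAIN_READER})",
    },
    "identity:delete_group": {
        "scope_types": ["system", "domain"],
        "check": f"({SYSTEM_ADMIN}) or ({DOMAIN_ADMIN})",
    },
}

# Tokens: parentheses, and/or, and key:value atoms (value may be a %(path)s placeholder).
_TOKEN = re.compile(r"\(|\)|\b(?:and|or)\b|[A-Za-z_]+:(?:%\([^)]*\)s|[^\s()]+)")


def _parse(check):
    """Recursive-descent parse of a check string; 'and' binds tighter than 'or'."""
    toks = _TOKEN.findall(check)

    def atom(i):
        if toks[i] == "(":
            node, i = disjunction(i + 1)
            assert toks[i] == ")", "unbalanced parenthesis in check string"
            return node, i + 1
        key, value = toks[i].split(":", 1)
        return ("atom", key, value), i + 1

    def conjunction(i):
        left, i = atom(i)
        while i < len(toks) and toks[i] == "and":
            right, i = atom(i + 1)
            left = ("and", left, right)
        return left, i

    def disjunction(i):
        left, i = conjunction(i)
        while i < len(toks) and toks[i] == "or":
            right, i = conjunction(i + 1)
            left = ("or", left, right)
        return left, i

    return disjunction(0)[0]


def _evaluate(node, creds, target):
    if node[0] == "and":
        return _evaluate(node[1], creds, target) and _evaluate(node[2], creds, target)
    if node[0] == "or":
        return _evaluate(node[1], creds, target) or _evaluate(node[2], creds, target)
    _, key, value = node
    m = re.fullmatch(r"%\((.*)\)s", value)
    if m:  # placeholder: a missing target attribute fails closed
        if m.group(1) not in target:
            return False
        value = str(target[m.group(1)])
    if key == "role":
        return value in creds.get("roles", [])
    return key in creds and str(creds[key]) == value


def token_scope(creds):
    """Classify a token from its credentials: system, domain, project or unscoped."""
    if creds.get("system_scope") == "all":
        return "system"
    if creds.get("project_id"):
        return "project"
    if creds.get("domain_id"):
        return "domain"
    return "unscoped"


def enforce(rule, creds, target):
    """Return 'allowed', 'forbidden' or 'invalid_scope' for one request.
    The scope_types gate runs before the check string, so a project-scoped
    token never reaches the rule body. `target` is assumed pre-flattened to dotted keys."""
    entry = POLICY[rule]
    if token_scope(creds) not in entry["scope_types"]:
        return "invalid_scope"
    ok = _evaluate(_parse(entry["check"]), creds, target)
    return "allowed" if ok else "forbidden"


# Constructed sample credentials and a constructed group in domain "d-sales".
SYSTEM_READER_TOKEN = {"roles": ["reader"], "system_scope": "all"}
SYSTEM_ADMIN_TOKEN = {"roles": ["admin"], "system_scope": "all"}
SALES_DOMAIN_ADMIN_TOKEN = {"roles": ["admin"], "domain_id": "d-sales"}
HR_DOMAIN_ADMIN_TOKEN = {"roles": ["admin"], "domain_id": "d-hr"}
PROJECT_ADMIN_TOKEN = {"roles": ["admin"], "project_id": "p-1", "project_domain_id": "d-sales"}
SALES_GROUP = {"target.group.id": "g-1", "target.group.domain_id": "d-sales"}
```

Calling enforce("identity:delete_group", creds, SALES_GROUP) with each constructed token gives "allowed" for the system admin and the d-sales domain admin, "forbidden" for the system reader (wrong role) and the d-hr domain admin (wrong domain), and "invalid_scope" for the project admin, which is rejected by the scope gate before its roles are even consulted. The domain match is what makes the placeholder important: the rule compares the token's domain against the target group's domain, not against whatever domain the caller names in the request.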

tags: added: policy
tags: added: system-scope
description: updated
Changed in keystone:
status: New → Triaged
importance: Undecided → High

Related fix proposed to branch: master
Review: https://review.openstack.org/625733

Related fix proposed to branch: master
Review: https://review.openstack.org/625734

Reviewed: https://review.openstack.org/625732
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=feb0d58df4ce4531d3e381c24385a531d164ee2a
Submitter: Zuul
Branch: master

commit feb0d58df4ce4531d3e381c24385a531d164ee2a
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 17 22:40:04 2018 +0000

    Implement system reader role for groups

    This commit introduces the system reader role to the group API, making
    it easier for administrators to delegate subsets of responsibilities
    to the API by default. This commit also maintains the ability for
    any user to be able to fetch their own group memberships, which
    encapsulates a bunch of tests for what regular project users can do
    with groups.

    Subsequent patches will incorporate:

      - system member test coverage
      - system admin functionality
      - domain reader functionality
      - domain member test coverage
      - domain admin functionality

    Change-Id: I24ff27da79bb01322e05c6d8cd37f02693fd5b9f
    Related-Bug: 1805369
    Related-Bug: 1808859
    Related-Bug: 968696

Reviewed: https://review.openstack.org/625733
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f66070995d4f0f76f68fde29fa2d5a4e90f26ce8
Submitter: Zuul
Branch: master

commit f66070995d4f0f76f68fde29fa2d5a4e90f26ce8
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 17 22:43:21 2018 +0000

    Implement system member test coverage for groups

    This commit introduces explicit test coverage for system members,
    making sure they are allowed to perform readable and not writable
    group operations.

    Subsequent patches will incorporate:

      - system admin functionality
      - domain reader functionality
      - domain member test coverage
      - domain admin functionality

    Change-Id: Ie22a18ac7b243089509001fda930474f55e29d3f
    Related-Bug: 1805369
    Related-Bug: 1808859
    Related-Bug: 968696

Reviewed: https://review.openstack.org/625734
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f62f73c548d7a1cb4fe557e457a49d77322968c4
Submitter: Zuul
Branch: master

commit f62f73c548d7a1cb4fe557e457a49d77322968c4
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 17 23:05:08 2018 +0000

    Implement system admin role in groups API

    The commit introduces the system admin role to the group API, making
    it consistent with other system-admin policy definitions.

    Subsequent patches will incorporate:

      - domain reader functionality
      - domain member test coverage
      - domain admin functionality

    Change-Id: Ib0ff05396bed2bfefefa712491aeb0b9b5f2c1d0
    Related-Bug: 968696
    Related-Bug: 1808859
    Closes-Bug: 1805369

Colleen Murphy (krinkle) on 2019-03-12
Changed in keystone:
milestone: none → stein-rc1

Fix proposed to branch: master
Review: https://review.openstack.org/643937

Changed in keystone:
assignee: nobody → Colleen Murphy (krinkle)
status: Triaged → In Progress
Colleen Murphy (krinkle) on 2019-03-20
Changed in keystone:
milestone: stein-rc1 → stein-rc2

Reviewed: https://review.openstack.org/643937
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=be452fee80fabe252b2dae3be76c1d46fdd857e4
Submitter: Zuul
Branch: master

commit be452fee80fabe252b2dae3be76c1d46fdd857e4
Author: Colleen Murphy <email address hidden>
Date: Mon Mar 18 14:20:15 2019 +0100

    Add domain scope support for group policies

    This commit adds support for the domain scope type for the group API
    policies. It defines appropriate policies for the reader, member, and
    admin role and adds tests for each case.

    Change-Id: Iaff3c0e45423ef427ef1458250c402c44be4b1d6
    Closes-bug: #1808859
    Partial-Bug: #968696

Changed in keystone:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/648995
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2c00a6974e35057fd924060fee3d36e6a91fcf95
Submitter: Zuul
Branch: stable/stein

commit 2c00a6974e35057fd924060fee3d36e6a91fcf95
Author: Colleen Murphy <email address hidden>
Date: Mon Mar 18 14:20:15 2019 +0100

    Add domain scope support for group policies

    This commit adds support for the domain scope type for the group API
    policies. It defines appropriate policies for the reader, member, and
    admin role and adds tests for each case.

    Change-Id: Iaff3c0e45423ef427ef1458250c402c44be4b1d6
    Closes-bug: #1808859
    Partial-Bug: #968696
    (cherry picked from commit be452fee80fabe252b2dae3be76c1d46fdd857e4)

tags: added: in-stable-stein

This issue was fixed in the openstack/keystone 15.0.0.0rc2 release candidate.

This report contains Public information.