The endpoint group API doesn't use default roles

Bug #1818734 reported by Lance Bragstad
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Low
Assigned to: Vishakha Agarwal

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0].
An endpoint group is a collection of endpoints that can be populated in a user's service catalog through association to projects. Ultimately, endpoint groups are system-specific resources and shouldn't be accessible directly by domain or project users.

The report is to track the work for implementing system `member` and system `reader` role support for endpoint groups.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/endpoint_group.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc
API Reference: https://developer.openstack.org/api-ref/identity/v3-ext/index.html#os-ep-filter-api
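
As an added illustration (not keystone's code and not part of the original report), the Python sketch below models the access rule this bug tracks: endpoint group actions require a system-scoped token, readers and members may only read, and domain- or project-scoped tokens are denied even with the admin role. The action names, rule table and token dictionaries are assumptions constructed for the example.

```python
# Added illustration: a toy model of scope-aware policy checks, not keystone code.
# Default role implication from the Rocky default-roles work: admin > member > reader.
IMPLIES = {
    "admin": {"admin", "member", "reader"},
    "member": {"member", "reader"},
    "reader": {"reader"},
}

# Assumed rule table (hypothetical action names): required role and required scope.
RULES = {
    "list_endpoint_groups": ("reader", "system"),
    "get_endpoint_group": ("reader", "system"),
    "create_endpoint_group": ("admin", "system"),
    "update_endpoint_group": ("admin", "system"),
    "delete_endpoint_group": ("admin", "system"),
}

# Constructed token contexts: the scope the token carries and the roles assigned on it.
TOKENS = {
    "system_reader": {"scope": "system", "roles": ["reader"]},
    "system_member": {"scope": "system", "roles": ["member"]},
    "system_admin": {"scope": "system", "roles": ["admin"]},
    "domain_admin": {"scope": "domain", "roles": ["admin"]},
    "project_admin": {"scope": "project", "roles": ["admin"]},
}

def effective_roles(roles):
    """Expand assigned roles with the roles they imply."""
    expanded = set()
    for role in roles:
        expanded |= IMPLIES.get(role, {role})
    return expanded

def authorize(action, token):
    """Allow only when both the token scope and an effective role match the rule."""
    rule = RULES.get(action)
    if rule is None:
        return False  # unknown action: deny by default
    required_role, required_scope = rule
    if token.get("scope") != required_scope:
        return False  # a role name alone is not enough; the scope must match too
    return required_role in effective_roles(token.get("roles", []))

def access_matrix(tokens=TOKENS):
    """Return the sorted list of permitted actions for each token."""
    return {n: sorted(a for a in RULES if authorize(a, t)) for n, t in tokens.items()}
```

Calling `access_matrix()` gives a per-token list of permitted actions, which is the same shape of coverage the follow-up test patches describe for system, domain and project users.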

tags: added: policy
tags: added: default-roles
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
importance: Medium → Low
description: updated
Changed in keystone:
assignee: nobody → Vishakha Agarwal (vishakha.agarwal)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/675272

Changed in keystone:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/675536

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/676108

Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Colleen Murphy (krinkle)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/675272
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e4fb1e1fdd422a1093b5eedb587ede88d0d7eb8e
Submitter: Zuul
Branch: master

commit e4fb1e1fdd422a1093b5eedb587ede88d0d7eb8e
Author: Vishakha Agarwal <email address hidden>
Date: Wed Aug 7 22:45:48 2019 +0530

    Implement system reader and member for endpoint_groups

    This change modifies the policies for endpoint_groups
    API to be more self-service by properly checking for
    system scopes. It also includes the test cases.

    Subsequent patches will -

     - add functionality for system admin
     - domains user test coverage
     - project user test coverage
    Change-Id: Ie13fd2296f2836466d38544c4f672ee95c4156b0
    Partial-Bug: #1818734

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/675536
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7d223bec9d77be3079830c71be398c68e502e71b
Submitter: Zuul
Branch: master

commit 7d223bec9d77be3079830c71be398c68e502e71b
Author: Vishakha Agarwal <email address hidden>
Date: Fri Aug 9 02:52:08 2019 +0530

    Implement system_admin for endpoint_groups

    This change modifies the policies for endpoint_groups
    API to be more self-service by properly checking for
    system scope. It also includes the test cases.

    Subsequent patches will -

     - domains user test coverage
     - project user test coverage

    Change-Id: I6fba8bbd9b113d872b6c3bab4e080552b75a1f7c
    Partial-Bug: #1818734

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/676108
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9011220178dc1c6b684f9c2ab22a7f09758a4da7
Submitter: Zuul
Branch: master

commit 9011220178dc1c6b684f9c2ab22a7f09758a4da7
Author: Vishakha Agarwal <email address hidden>
Date: Tue Aug 13 11:50:12 2019 +0530

    Add tests for domain users interacting with endpoint_groups

    This commit introduces some tests that show how domain users are
    expected to behave with the endpoint_groups API. A subsequent
    patch will do the same for project users.

    Change-Id: I4c52ae16fed9eb282a1f3be0d70810992cfe62d6
    Partial-Bug: #1818734

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/676115
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cf572f9e843745fd3b0fb2040e8a7a9dec94432e
Submitter: Zuul
Branch: master

commit cf572f9e843745fd3b0fb2040e8a7a9dec94432e
Author: Vishakha Agarwal <email address hidden>
Date: Tue Aug 13 12:07:19 2019 +0530

    Add tests for project users interacting with endpoint_groups

    This commit introduces some tests that show how project users
    are expected to behave with the endpoint_groups API.

    Change-Id: I0f32de4ea615c89a7500a8098c44ef543fe45a02
    Closes-bug: #1818734

Changed in keystone:
status: In Progress → Fix Released
Colleen Murphy (krinkle)
Changed in keystone:
assignee: Colleen Murphy (krinkle) → Vishakha Agarwal (vishakha.agarwal)
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 16.0.0.0rc1

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.
