The endpoint group API doesn't use default roles

Bug #1818734 reported by Lance Bragstad on 2019-03-05
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: Low
Assigned to: Vishakha Agarwal

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0].
An endpoint group is a collection of endpoints that can be populated in a user's service catalog through association to projects. Ultimately, endpoint groups are system-specific resources and shouldn't be accessible directly by domain or project users.

The report is to track the work for implementing system `member` and system `reader` role support for endpoint groups.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/endpoint_group.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc
API Reference: https://developer.openstack.org/api-ref/identity/v3-ext/index.html#os-ep-filter-api
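
The access model this report tracks, as an added example that is not part of the original report and is not keystone's code: a simplified pure-Python evaluator (not oslo.policy) in which system reader and member tokens can read endpoint groups, only system admin can change them, and domain- or project-scoped tokens are denied. The policy names, check strings and token dictionaries are assumptions constructed for illustration.

```python
# Simplified model of scope-aware policy checks (not keystone/oslo.policy code).
# Default-role implication: admin implies member, member implies reader.
IMPLIED = {"admin": {"admin", "member", "reader"},
           "member": {"member", "reader"},
           "reader": {"reader"}}

# Assumed check strings and policy names, constructed for this example.
SYSTEM_READER = "role:reader and system_scope:all"
SYSTEM_ADMIN = "role:admin and system_scope:all"
POLICIES = {
    "identity:list_endpoint_groups": SYSTEM_READER,
    "identity:get_endpoint_group": SYSTEM_READER,
    "identity:create_endpoint_group": SYSTEM_ADMIN,
    "identity:update_endpoint_group": SYSTEM_ADMIN,
    "identity:delete_endpoint_group": SYSTEM_ADMIN,
}

# Constructed credentials: a token carries exactly one scope.
TOKENS = {
    "system reader": {"roles": ["reader"], "system_scope": "all"},
    "system member": {"roles": ["member"], "system_scope": "all"},
    "system admin": {"roles": ["admin"], "system_scope": "all"},
    "domain admin": {"roles": ["admin"], "domain_id": "constructed-domain"},
    "project admin": {"roles": ["admin"], "project_id": "constructed-project"},
}


def enforce(action, creds):
    """Return True only if every 'and'-joined clause of the rule matches."""
    rule = POLICIES.get(action)
    if rule is None:
        return False  # unregistered action: fail closed
    roles = set()
    for role in creds.get("roles", []):
        roles |= IMPLIED.get(role, {role})
    for clause in rule.split(" and "):
        kind, _, value = clause.partition(":")
        if kind == "role" and value in roles:
            continue
        if kind == "system_scope" and creds.get("system_scope") == value:
            continue
        return False  # unmatched or unknown clause: fail closed
    return True


if __name__ == "__main__":
    for who, creds in TOKENS.items():
        allowed = [a for a in POLICIES if enforce(a, creds)]
        print(f"{who:14} -> {allowed or 'denied everywhere'}")
```

An admin role on a domain or project fails every check here because the scope clause, not the role name, is what separates system operators from other users.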

tags: added: policy
tags: added: default-roles
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
importance: Medium → Low
description: updated
Changed in keystone:
assignee: nobody → Vishakha Agarwal (vishakha.agarwal)

Fix proposed to branch: master
Review: https://review.opendev.org/675272

Changed in keystone:
status: Triaged → In Progress

Fix proposed to branch: master
Review: https://review.opendev.org/675536

Fix proposed to branch: master
Review: https://review.opendev.org/676108

Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Colleen Murphy (krinkle)

Reviewed: https://review.opendev.org/675272
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e4fb1e1fdd422a1093b5eedb587ede88d0d7eb8e
Submitter: Zuul
Branch: master

commit e4fb1e1fdd422a1093b5eedb587ede88d0d7eb8e
Author: Vishakha Agarwal <email address hidden>
Date: Wed Aug 7 22:45:48 2019 +0530

    Implement system reader and member for endpoint_groups

    This change modifies the policies for endpoint_groups
    API to be more self-service by properly checking for
    system scopes. It also includes the test cases.

    Subsequent patches will -

     - add functionality for system admin
     - domains user test coverage
     - project user test coverage
    Change-Id: Ie13fd2296f2836466d38544c4f672ee95c4156b0
    Partial-Bug: #1818734

Reviewed: https://review.opendev.org/675536
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7d223bec9d77be3079830c71be398c68e502e71b
Submitter: Zuul
Branch: master

commit 7d223bec9d77be3079830c71be398c68e502e71b
Author: Vishakha Agarwal <email address hidden>
Date: Fri Aug 9 02:52:08 2019 +0530

    Implement system_admin for endpoint_groups

    This change modifies the policies for endpoint_groups
    API to be more self-service by properly checking for
    system scope. It also includes the test cases.

    Subsequent patches will -

     - domains user test coverage
     - project user test coverage

    Change-Id: I6fba8bbd9b113d872b6c3bab4e080552b75a1f7c
    Partial-Bug: #1818734

Reviewed: https://review.opendev.org/676108
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9011220178dc1c6b684f9c2ab22a7f09758a4da7
Submitter: Zuul
Branch: master

commit 9011220178dc1c6b684f9c2ab22a7f09758a4da7
Author: Vishakha Agarwal <email address hidden>
Date: Tue Aug 13 11:50:12 2019 +0530

    Add tests for domain users interacting with endpoint_groups

    This commit introduces some tests that show how domain users are
    expected to behave with the endpoint_groups API. A subsequent
    patch will do the same for project users.

    Change-Id: I4c52ae16fed9eb282a1f3be0d70810992cfe62d6
    Partial-Bug: #1818734

Reviewed: https://review.opendev.org/676115
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cf572f9e843745fd3b0fb2040e8a7a9dec94432e
Submitter: Zuul
Branch: master

commit cf572f9e843745fd3b0fb2040e8a7a9dec94432e
Author: Vishakha Agarwal <email address hidden>
Date: Tue Aug 13 12:07:19 2019 +0530

    Add tests for project users interacting with endpoint_groups

    This commit introduces some tests that show how project users
    are expected to behave with the endpoint_groups API.

    Change-Id: I0f32de4ea615c89a7500a8098c44ef543fe45a02
    Closes-bug: #1818734

Changed in keystone:
status: In Progress → Fix Released
Colleen Murphy (krinkle) on 2019-08-23
Changed in keystone:
assignee: Colleen Murphy (krinkle) → Vishakha Agarwal (vishakha.agarwal)

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.
