OpenStack Identity (keystone)

Project tags should account for different scopes.

Bug #1844193 reported by Lance Bragstad on 2019-09-16

This bug affects 1 person

Affects

Status

Importance

Assigned to

Milestone

OpenStack Identity (keystone)

Fix Released

High

Lance Bragstad

OpenStack Identity (keystone) train-rc1

You need to log in to change this bug's status.

Affecting:	OpenStack Identity (keystone)
Filed here by:	Lance Bragstad
When:	2019-09-16
Confirmed:	2019-09-16
Assigned:	2019-09-18
Started work:	2019-09-18
Completed:	2019-09-20

Target

Distribution
Package	(Find…)
Project	(Find…)

Status	Importance	Milestone
	High	OpenStack Identity (keystone) train-rc1

Assigned to

	Me
	Lance Bragstad (lbragstad)

Comment on this change (optional)

Email me about changes to this bug report

(?)

Bug Description

Project resources in keystone can be tagged with simple strings called tags. Operations for managing a project's tags should only be managed by system administrators and not project-level or domain-level users.

The policies that protect project tags should understand system-scope [0].

[0] https://opendev.org/openstack/keystone/src/commit/18e0080af3dcc0a96ff5d98aeb5f517080a35fb2/keystone/common/policies/project.py#L147-L210

Tags: Edit Tag help

Lance Bragstad (lbragstad) on 2019-09-16

tags:

added: policy system-scope

Colleen Murphy (krinkle) on 2019-09-16

Changed in keystone:
status:	New → Triaged
importance:	Undecided → High
milestone:	none → train-rc1

Lance Bragstad (lbragstad) on 2019-09-18

Changed in keystone:
status:	Triaged → In Progress

OpenStack Infra (hudson-openstack) on 2019-09-18

Changed in keystone:
assignee:	nobody → Lance Bragstad (lbragstad)

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2019-09-18:

Patch in review: https://review.opendev.org/#/c/682503/

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-09-20: Fix merged to keystone (master)

Reviewed: https://review.opendev.org/682503
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8e67249d5bfb07b0a236189f62b3f338532f0df0
Submitter: Zuul
Branch: master

commit 8e67249d5bfb07b0a236189f62b3f338532f0df0
Author: Lance Bragstad <email address hidden>
Date: Mon Sep 16 22:11:06 2019 +0000

Add default roles and scope checking to project tags

This commit makes it so that project tags adhere to system-scope and
also incorporates default roles into the policy checks by default.

    Change-Id: Ie36df5677a08d7d95f056f3ea00eda05e1315ea5
    Closes-Bug: 1844194
    Closes-Bug: 1844193
    Related-Bug: 1806762

Changed in keystone:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-09-27: Fix included in openstack/keystone 16.0.0.0rc1

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.

Report a bug

This report contains Public information Edit

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers