Domain admin can't view roles while it can manage domain/project roles

Bug #2059780 reported by Takashi Kajinami
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Undecided
Assigned to: Takashi Kajinami

Bug Description

Currently, when scope is enforced, a domain admin is allowed to manage role assignments for a project or domain, but a domain admin can't view roles.

To allow a domain admin to actually manipulate role assignments, keystone should allow a domain admin to view roles.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/keystone/+/914759

Changed in keystone:
status: New → In Progress
Changed in keystone:
assignee: nobody → Takashi Kajinami (kajinamit)
description: updated
description: updated
Takashi Kajinami (kajinamit) wrote (last edit): Re: Domain admin can't view roles while it can manage domain/project roles

Currently some resources in heat can't be created when:
 - enforce_new_default and enforce_scope are both True in keystone, and
 - a dedicated domain (which is configured by stack_user_domain_id/name) is used for heat template-defined users.

Heat attempts to create a user within the stack domain for notifications, but the process to create the user fails because heat can't list roles with the domain admin credential.

```
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource Traceback (most recent call last):
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/opt/stack/heat/heat/engine/resource.py", line 922, in _action_recorder
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource yield
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/opt/stack/heat/heat/engine/resource.py", line 1034, in _do_action
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource yield from self.action_handler_task(action, args=handler_args)
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/opt/stack/heat/heat/engine/resource.py", line 976, in action_handler_task
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource handler_data = handler(*args)
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/opt/stack/heat/heat/engine/resources/openstack/heat/scaling_policy.py", line 127, in handle_create
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource super(AutoScalingPolicy, self).handle_create()
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/opt/stack/heat/heat/engine/resources/stack_user.py", line 30, in handle_create
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource self._create_user()
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/opt/stack/heat/heat/engine/resources/stack_user.py", line 44, in _create_user
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource user_id = self.keystone().create_stack_domain_user(
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/opt/stack/heat/heat/engine/clients/os/keystone/heat_keystoneclient.py", line 373, in create_stack_domain_user
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource stack_user_role = self.domain_admin_client.roles.list(
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resour...
```


summary: - Domain admin can't view roles while it can mangage domain/project roles
+ Domain admin can't view roles while it can manage domain/project roles
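The policy asymmetry this comment describes, modelled as a minimal scope-enforced check (an added illustration, not code from keystone or heat). Only the rule names match keystone policy actions; the rule bodies, the credential dictionaries and the `stack_user_setup_allowed` flow are simplified assumptions.

```python
# Added illustration, not keystone or heat code. Rule names match keystone
# policy actions; the rule bodies are simplified assumptions, not the
# project's real default policies.

def is_system_admin(creds):
    """System-scoped token carrying the admin role."""
    return creds.get("system_scope") == "all" and "admin" in creds["roles"]


def is_domain_admin(creds, target):
    """Domain-scoped admin acting on a target inside its own domain."""
    return ("admin" in creds["roles"]
            and creds.get("domain_id") is not None
            and creds["domain_id"] == target.get("domain_id"))


# Before the fix: granting a role accepts a domain admin, but listing
# roles requires system scope, so the two checks disagree.
RULES_BEFORE = {
    "identity:list_roles": lambda c, t: is_system_admin(c),
    "identity:create_grant": lambda c, t: is_system_admin(c) or is_domain_admin(c, t),
}

# After the fix: the domain admin may view roles as well.
RULES_AFTER = dict(RULES_BEFORE)
RULES_AFTER["identity:list_roles"] = lambda c, t: is_system_admin(c) or is_domain_admin(c, t)


def enforce(rules, action, creds, target):
    """Return True when `creds` may perform `action` on `target`."""
    return bool(rules[action](creds, target))


def stack_user_setup_allowed(rules, creds, domain_id):
    """Model of heat's flow (assumed): list roles to find the stack-user
    role, then grant it; both checks must pass or user creation fails."""
    target = {"domain_id": domain_id}
    return all(enforce(rules, action, creds, target)
               for action in ("identity:list_roles", "identity:create_grant"))


# Constructed sample credentials, not real tokens.
HEAT_DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "heat_stack"}
PROJECT_MEMBER = {"roles": ["member"], "project_id": "p1"}

if __name__ == "__main__":
    print("before fix:", stack_user_setup_allowed(RULES_BEFORE, HEAT_DOMAIN_ADMIN, "heat_stack"))
    print("after fix: ", stack_user_setup_allowed(RULES_AFTER, HEAT_DOMAIN_ADMIN, "heat_stack"))
```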
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/914759
Committed: https://opendev.org/openstack/keystone/commit/522627de3c66113d03019122735cdfc3e0d245c8
Submitter: "Zuul (22348)"
Branch: master

commit 522627de3c66113d03019122735cdfc3e0d245c8
Author: Takashi Kajinami <email address hidden>
Date: Fri Mar 29 23:32:48 2024 +0900

    Allow domain admin to view roles

    Domain admins are allowed to assign roles, so they should be allowed to
    view roles.

    Note that the protection job is made non-voting until the domain admin
    role test cases are updated.

    Closes-Bug: #2059780
    Change-Id: Ifc25cf32ffcdb3b8a62d6741bc38e14bca0d7763

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/2024.1)

Fix proposed to branch: stable/2024.1
Review: https://review.opendev.org/c/openstack/keystone/+/918655

OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (stable/2024.1)

Change abandoned by "David Wilde <email address hidden>" on branch: stable/2024.1
Review: https://review.opendev.org/c/openstack/keystone/+/918655

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/2024.1)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/918655
Committed: https://opendev.org/openstack/keystone/commit/d42607e113d7ec7ee7498cc1a387bd448206d80a
Submitter: "Zuul (22348)"
Branch: stable/2024.1

commit d42607e113d7ec7ee7498cc1a387bd448206d80a
Author: Takashi Kajinami <email address hidden>
Date: Fri Mar 29 23:32:48 2024 +0900

    Allow domain admin to view roles

    Domain admins are allowed to assign roles, so they should be allowed to
    view roles.

    Note that the protection job is made non-voting until the domain admin
    role test cases are updated.

    Closes-Bug: #2059780
    Change-Id: Ifc25cf32ffcdb3b8a62d6741bc38e14bca0d7763
    (cherry picked from commit 522627de3c66113d03019122735cdfc3e0d245c8)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/2023.2)

Fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/keystone/+/919520

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/2023.2)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/919520
Committed: https://opendev.org/openstack/keystone/commit/f519bcedfb36577ead060208a23e5295cead3d44
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit f519bcedfb36577ead060208a23e5295cead3d44
Author: Takashi Kajinami <email address hidden>
Date: Fri Mar 29 23:32:48 2024 +0900

    Allow domain admin to view roles

    Domain admins are allowed to assign roles, so they should be allowed to
    view roles.

    Note that the protection job is made non-voting until the domain admin
    role test cases are updated.

    Closes-Bug: #2059780
    Change-Id: Ifc25cf32ffcdb3b8a62d6741bc38e14bca0d7763
    (cherry picked from commit 522627de3c66113d03019122735cdfc3e0d245c8)
    (cherry picked from commit d42607e113d7ec7ee7498cc1a387bd448206d80a)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/keystone/+/919650

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/919650
Committed: https://opendev.org/openstack/keystone/commit/b6c20d912bf15158ee6580bfee4fc1ad4f0c2458
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit b6c20d912bf15158ee6580bfee4fc1ad4f0c2458
Author: Takashi Kajinami <email address hidden>
Date: Fri Mar 29 23:32:48 2024 +0900

    Allow domain admin to view roles

    Domain admins are allowed to assign roles, so they should be allowed to
    view roles.

    Note that the protection job is made non-voting until the domain admin
    role test cases are updated.

    Closes-Bug: #2059780
    Change-Id: Ifc25cf32ffcdb3b8a62d6741bc38e14bca0d7763
    (cherry picked from commit 522627de3c66113d03019122735cdfc3e0d245c8)
    (cherry picked from commit d42607e113d7ec7ee7498cc1a387bd448206d80a)
    (cherry picked from commit f519bcedfb36577ead060208a23e5295cead3d44)
