Role assignment API doesn't prune system roles when querying role.id={role_id}
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | High | Lance Bragstad | |
| Queens | Fix Committed | High | Lance Bragstad | |
| tempest | Invalid | Undecided | Unassigned | |
Bug Description
During the Queens release, keystone added support for a new scope type called system. This extended the support for users and groups to have roles not only on projects and domains, but also on a different entity called the "system". This is an effort to make RBAC support more flexible and robust, as a way to isolate system administrative APIs from project or end-user APIs.
During keystone's bootstrapping process, it attempts to set up an administrator for the deployment. To be backwards compatible, the implementation for system scope included a patch to ensure the admin user not only had authorization on at least one project, but also on the system [0]. This makes it so that new and old installations are guaranteed an administrative user for all APIs by running an idempotent operation. Otherwise it would be possible for an administrative user to lock themselves out of system-level APIs if they opt into enforcing scope without having at least one system administrator.
The patch to add this functionality is currently failing tempest [0], even though tempest doesn't know anything about system role assignments or requesting system scoped tokens. Opening this bug so that we can investigate tempest and understand how adding a separate role assignment is resulting in 401 Unauthorized responses during tempest tests.
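As an added illustration (not keystone's own code, and not the fix under review), the following constructed Python model shows the two behaviours the description relies on: an idempotent bootstrap that grants the admin role on both a project and the system, and a role assignment listing whose role.id filter prunes system-scoped assignments just as it prunes project- and domain-scoped ones. The class, function and constant names (`Assignment`, `RoleAssignmentStore`, `bootstrap_admin`, `SYSTEM_ALL`) are invented for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed, in-memory model of role assignments with project, domain and
# system scope. Written for this page as an illustration; it is NOT keystone's
# implementation, and the names below are invented for the example.

SYSTEM_ALL = "all"  # stands in for keystone's {"system": {"all": true}} scope


@dataclass(frozen=True)
class Assignment:
    user_id: str
    role_id: str
    project_id: Optional[str] = None
    domain_id: Optional[str] = None
    system: Optional[str] = None  # SYSTEM_ALL when the assignment is system-scoped

    @property
    def scope(self) -> str:
        if self.system is not None:
            return "system"
        if self.project_id is not None:
            return "project"
        if self.domain_id is not None:
            return "domain"
        raise ValueError("assignment has no scope")


class RoleAssignmentStore:
    def __init__(self) -> None:
        # A set makes grant() idempotent: re-granting an existing assignment is a no-op.
        self._assignments: set = set()

    def grant(self, assignment: Assignment) -> None:
        _ = assignment.scope  # reject scope-less assignments early
        self._assignments.add(assignment)

    def list_assignments(self, role_id: Optional[str] = None,
                         user_id: Optional[str] = None) -> List[Assignment]:
        """Filter assignments the way a role.id / user.id query should:
        the filter is applied to every scope type, including system-scoped
        assignments, so non-matching system roles are pruned as well."""
        result = []
        for a in self._assignments:
            if role_id is not None and a.role_id != role_id:
                continue
            if user_id is not None and a.user_id != user_id:
                continue
            result.append(a)
        # Deterministic order: domain < project < system, then user, then role.
        return sorted(result, key=lambda a: (a.scope, a.user_id, a.role_id))

    def has_system_admin(self, role_id: str) -> bool:
        """Lockout guard: is there at least one user holding role_id on the system?"""
        return any(a.role_id == role_id and a.scope == "system"
                   for a in self._assignments)


def bootstrap_admin(store: RoleAssignmentStore, user_id: str,
                    role_id: str, project_id: str) -> RoleAssignmentStore:
    """Idempotently ensure the admin user has role_id on a project AND on the
    system, so system-level APIs stay reachable once scope enforcement is on."""
    store.grant(Assignment(user_id, role_id, project_id=project_id))
    store.grant(Assignment(user_id, role_id, system=SYSTEM_ALL))
    return store
```

Running `bootstrap_admin` twice leaves exactly two assignments, and a `role_id` query returns the admin's project and system assignments while excluding a system-scoped assignment for a different role.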
Changed in keystone:
- status: New → Triaged
- importance: Undecided → High
- tags: added: queens-backport-potential
- summary: "bootstrapping system administrator causes issues with tempest" → "Role assignment API doesn't prune system roles when querying role.id={role_id}"

Changed in tempest:
- status: New → Invalid

Changed in keystone:
- milestone: none → queens-rc2
- no longer affects: keystone/trunk

Related fix proposed to branch: master
Review: https://review.openstack.org/543622