`keystone-manage bootstrap` doesn't handle system role assignments

Bug #1749268 reported by Lance Bragstad
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | High | Lance Bragstad | |
| Queens | Fix Committed | High | Lance Bragstad | |

Bug Description

The whole purpose of the `keystone-manage bootstrap` command is to help operators establish an admin account they can use to administer the rest of the deployment. It does this by granting the admin user in the bootstrap command an admin role on a project [0].

A system role assignment should also be created so that operators don't lock themselves out of APIs if they set enabled_scope=True in configuration but don't actually have a user with any system role assignments.

[0] https://github.com/openstack/keystone/blob/69b8815d046c4eb0164070976e4351b81a15a0e2/keystone/cmd/cli.py#L283-L293
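
An added example (not keystone's code and not part of the bug report): a pre-flight check for the lockout described above, reporting whether scope enforcement is on while nobody holds the admin role on the system. It assumes the switch is oslo.policy's `enforce_scope` option under `[oslo_policy]` and that the assignment list has the shape returned by `GET /v3/role_assignments?include_names`; the function names and sample data are constructed.

```python
import configparser


def system_role_holders(body, role_name="admin"):
    """Names (or ids) of users/groups holding role_name with system scope."""
    holders = []
    for entry in body.get("role_assignments", []):
        if "system" not in entry.get("scope", {}):
            continue  # project- or domain-scoped assignment, not a system one
        role = entry.get("role", {})
        if role_name not in (role.get("name"), role.get("id")):
            continue
        actor = entry.get("user") or entry.get("group") or {}
        holders.append(actor.get("name") or actor.get("id"))
    return holders


def scope_enforced(conf_text):
    """Read [oslo_policy] enforce_scope from config text; absent means False."""
    # strict=False: oslo.config files may legitimately repeat a key.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp.getboolean("oslo_policy", "enforce_scope", fallback=False)


def lockout_risk(conf_text, body, role_name="admin"):
    """True when scope is enforced but no one holds role_name on the system."""
    return scope_enforced(conf_text) and not system_role_holders(body, role_name)


# Constructed sample data (ids and names are placeholders).
_USER = {"id": "u1", "name": "admin"}
_ROLE = {"id": "r1", "name": "admin"}
PROJECT_ADMIN = {"scope": {"project": {"id": "p1", "name": "admin"}},
                 "user": _USER, "role": _ROLE}
SYSTEM_ADMIN = {"scope": {"system": {"all": True}},
                "user": _USER, "role": _ROLE}
BEFORE_FIX = {"role_assignments": [PROJECT_ADMIN]}               # project role only
AFTER_FIX = {"role_assignments": [PROJECT_ADMIN, SYSTEM_ADMIN]}  # plus system role
ENFORCING = "[oslo_policy]\nenforce_scope = True\n"
DEFAULTS = "[DEFAULT]\ndebug = False\n"

if __name__ == "__main__":
    for label, body in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, "-> lockout risk:", lockout_risk(ENFORCING, body))
```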

Changed in keystone:
milestone: none → queens-rc2
importance: Undecided → High
status: New → Triaged
Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
tags: added: queens-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/544097

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/530410
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3c524e6491c1b35a2f8413ebe046c238bf530d71
Submitter: Zuul
Branch: master

commit 3c524e6491c1b35a2f8413ebe046c238bf530d71
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 28 22:11:32 2017 +0000

    Grant admin a role on the system during bootstrap

    Now that we have system scope in place, we should make sure at least
    one user has a role assignment on the system. We can do this at the
    same time we grant the user a role on a project during bootstrap.

    This is backwards compatible because even if a deployment doesn't use
    system-scope, the assignment will just sit there. The deployment will
    have to opt into enforcing scope by updating configuration options
    for oslo.policy to enforce scoping.

    This shouldn't prevent deployments from fixing bug 968696 and using
    system scope.

    Closes-Bug: 1749268

    Change-Id: I6b7196a28867d9a699716c8fef2609d608a5b2a2

Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: queens-rc2 → rocky-1
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/queens)

Reviewed: https://review.openstack.org/544097
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ddd7ff300e9159899f27a27fb3dda8ef9b91be1f
Submitter: Zuul
Branch: stable/queens

commit ddd7ff300e9159899f27a27fb3dda8ef9b91be1f
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 28 22:11:32 2017 +0000

    Grant admin a role on the system during bootstrap

    Now that we have system scope in place, we should make sure at least
    one user has a role assignment on the system. We can do this at the
    same time we grant the user a role on a project during bootstrap.

    This is backwards compatible because even if a deployment doesn't use
    system-scope, the assignment will just sit there. The deployment will
    have to opt into enforcing scope by updating configuration options
    for oslo.policy to enforce scoping.

    This shouldn't prevent deployments from fixing bug 968696 and using
    system scope.

    Closes-Bug: 1749268

    Change-Id: I6b7196a28867d9a699716c8fef2609d608a5b2a2
    (cherry picked from commit 3c524e6491c1b35a2f8413ebe046c238bf530d71)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 13.0.0.0rc2

This issue was fixed in the openstack/keystone 13.0.0.0rc2 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 14.0.0.0b1

This issue was fixed in the openstack/keystone 14.0.0.0b1 development milestone.
