"admin"-ness not properly scoped

To clarify steps 1 & 2, I read this as two *different* relationships being created between User B and Project B.

First, User B is created with a default tenant of Project B. <-- This behaves as expected.
Second, User B is explicitly granted the admin role on Project B. <-- This take effect globally, regardless.

In terms of the keystone CLI, this looks like:

    keystone tenant-create --name=project-b
    keystone user-create --name=user-b --pass=secret --tenant_id=<tenant id of project b>
    keystone user-role-add --user=<user id of user b> --role=<role id of admin role> --tenant_id=<tenant id of project b>

After creating User B, I then confirmed the bug by authenticating as User B for Project B, and then successfully listing all users and tenants in the system, and then subsequently deleting User A and Project A.

Perhaps the issue here is that we need a way to define adminness that extends beyond the tenant level.

@vish: that's my thinking as well... it used to be "global" roles vs. "scoped" roles prior to the keystone redux. I missed the discussion that lead to removing that capacity (which would also be useful for the "service" users that got created), but I'm concerned that any such discussion may be too late for Essex now. :-/

One way or the other, there are definitely system-level capabilities which go beyond specific tenants that aren't currently being accounted for.

Keystone only has two levels of access, admin and public, there are no actions that are scoped to tenants or users (as we discussed before, for example, a user cannot change her own password). Ergo, if you are giving somebody a keystone admin role, that means they can do literally anything in keystone.

There are a variety of things that can be done to add more granular permissions, but right now this "bug" is invalid and is just a mis-expectation. Makes a perfectly fine feature request though: the feature request would be titled "add more granular access control to keystone" and would include a list of proposed requirements to perform certain kinds of actions, one example might be a tenant_admin that can do anything on the current tenant.

If this is a mis-expectation than it's a bug on a completely misleading interface. If a role is assigned *on a tenant* the very reasonable expectation is that it has some connection *to that tenant*.

I fail to see the purpose of connecting roles and tenants if they are not scoped.

Sounds like a Keystone question, before becoming a Nova-specific issue. removing "nova" from the affected projects, feel free to add it back if anything needs to be done on Nova side.

I believe this bug will be resolved with the proposed V3 API and the domains support there. Please review at https://docs.google.com/document/d/1s9C4EMxIZ55kZr62CKEC9ip7He_Q4_g1KRfSk9hY-Sg/edit?pli=1

With all due apologies, Thierry, this is absolutely a bug in the current Nova codebase. They have inconsistently implemented the scoping of objects as-is. Half the Nova resource APIs respect admin vs. non-admin tokens, half don't. That in and of itself has to be fixed independently of Keystone's future guidelines.

Keystone's role in this is to shape what objects should be authorized, but it does not fix an incomplete implemntation as it stands currently.

With my Horizon hat on, now, the current proposal on that table is this:

Add a splash message in the header that displays any time an "admin" user is in the Project Dashboard with a cautionary message indicating they are acting as an admin, and that there are several actions which they should be aware of as potentially causing significant problems. The splash message will be short, but will link to a longer documentation of the known problems and their origins.

Fix proposed to branch: master
Review: https://review.openstack.org/8588

Reviewed: https://review.openstack.org/8588
Committed: http://github.com/openstack/horizon/commit/41307a354581f2e2b50dfa6a7d7b88cac9f642e1
Submitter: Jenkins
Branch: master

commit 41307a354581f2e2b50dfa6a7d7b88cac9f642e1
Author: Gabriel Hurley <email address hidden>
Date: Thu Jun 14 17:50:42 2012 -0700

    Adds warning banner for admin users in project dash.

    This is a bandaid until the underlying bugs in Nova get fixed.

    Fixes bug 968696.

    Change-Id: I735453482023dabc28069a4a8796aa43001f1891

FYI, this is fixed for volumes snapshots and keypairs now.

Fix proposed to branch: stable/essex
Review: https://review.openstack.org/11711

This has been a well known and often discussed issue in keystone ... but it's still not totally resolved. I'm hoping that we've now laid sufficient groundwork (domains, policy, etc) to properly address this soon.

In general, it is desirable to have different scopes of admins. A cloud admin is needed to create and manage domains. A domain admin is needed to create and manage users and projects for a domain. A project admin is required to manage the resources created by members of a project.

The solution is likely to be a combination of changes to the policy file and establishing conventions for the "home" domain and project for different scopes of admin.

Commit c7a5c6cf27a80ca50db9f1a1a74e8795eeefd9d1 is the start of addressing the issue: a deployment can replace the default policy file with one that is more correctly specified. However, just changing this outright will break most/all curent deployments.

My suggestion to fix this issue

The biggest problem here is “roles name is global and keystone can no differentiate foo(Admin) vs bar(Admin)“ that is why Admin on a project become is admin on keystone resources (prject,users, group….) too.

This issue is mainly due to insufficiency of role data model which is nothing but just a name and there is no way we can define same role name for different services.

Solution:
======
1. Keystone should register itself in keystone along with other services and has given some name unique service_id. (e.g. keystone or identity=100 , NOVA=110 and Swift=120) (chicken and egg problem but can be done through system bootstrap)

2. Role definition should be scoped to a service_id, so that every service can create their own role.(e.g. Admin(100), Admin(110) and Admin(120)).

3. Role definition should have some info (may be a flag like for_non_project_use_only=true) to guide role assignment logic, so that certain role can/can’t be assigned to a project. (e.g. Admin(100,true), Admin(110,false) and Admin(120,false))

4. There should be validation in role assignment based on role definition’s for_non_project_use_only filed, so that non_project roles can’t be assigned to a project.

5. Based on scoping (domain/project) Token response should return role list with service_id (e.g. [Admin(110), Admin(120)])

6. Service scoped Auth (token) request should also be provided.

7. For any keystone API calls, internal user credential (which is used to validate against policy) should have role with service_id (e.g. [Admin(110), Admin(120)])

8. Keystone policy which considers role should also add “service_id” in policy (e.g. "identity:create_project": ["role:Admin and service_id:%(100)s"])
  8.1 Note: target.service_id should be always 100 because we are operating on identity API, that means the target is controlled by identity(100) service.
  8.2 For identity:create_project API call if user have “Admin(110)” (admin role scoped to a project) wd not satisfy "role:Admin and service_id:%(100)s" policy

I mean "role definition" when I say "role name" in above comment

It seems as if we have a number of problems here:

1. Creating a role is partly implicit rather than fully explicit.
Creating a role should comprise two steps, namely:
i) Assigning permissions to the role
ii) Assigning users to the role
But in Keystone step i) is missing (at least when the admin role is created). The permissions seem to be predefined (ie. implicit). This is missing functionality in my opinion. Termie is partially correct in his posting of 2012-03-30 when he says "add more granular access control to keystone". I would go further, and say "allow administrators to set access control permissions for roles in Keystone"

2. Roles have to be linked to tenants on creation.
This is a completely spurious linking and is not needed. It serves no functional purpose as I am aware and only complicates the model for no good reason. If you want to limit the permissions of a role to only take effect for a tenant (project) then add a new parameter to a role on creation, called its scope, and add the tenant (project) in the scope field.

3. Role names are global and taken from the same flat namespace.
Role names need to become hierarchical so that different entities can define their own roles, and the name of the role is concatenated with the name of the creating entity so that we still have global role names. Use the DNS as an exemplar for how roles should be named.

David,

1 i) is based on policy.json, and is effectively decentralized throughout openstack (although keystone has it's own policy.json), which I believe satisfies termie's request.

2) Either way you're linking them to tenants/projects -- what does the alternative method buy you?

Hi Dolph

so 1 i) now fixed through Keystone's policy file. That is good

2). Roles do not need to be linked to tenants. The keystone admin role should not be as it should apply to all tenants. The scoping mechanism that we are discussing on the list will optionally scope a role to a domain, project or service at the decision of the creator. So this provides greater flexibility and is not mandatory, unlike the current mechanism which requires a project to be linked to the role on creation.

David,

2) I think the shortest path to resolve this issue is not to fundamentally change roles, but to use the current roles design and approach to assignments and simply extend them to assignments upon services:

  https://blueprints.launchpad.net/keystone/+spec/service-scoped-tokens

I believe that adding the scoping behavior of roles that you're describing would be compatible with the above, but I'd like to save that discussion for another context.

Dolph,

2) I my opinion resources (services) should be abstracted from assignments otherwise your assignments data model will be impacted whenever we invent new resource. e.g. there was a proposal for resource groups and accommodate role assignment on resource groups by changing the assignment data model.

To further support "resources (services) should be abstracted from assignments" statement. Suppose we want to segregate admin-ness at endpoint level. (e.g. userA should have admin role on East but not West Nova endpoints). We can extend assignment to model this also but for how long.

Cathing up on this bug, if I understand well, the initial issue was that there wasn't a way to grant admin-ness on a project without granting total control over all Openstack resources.

I think that this can now be achieved by defining appropriate roles and policy rules.

For instance we can create a `project_admin` role that only allows a project admin to grant the `Member` role on his own project to other users, with the following rule:
"identity:create_grant": "role:project_admin and project_id:%(target.project.id)s and 'Member':%(target.role.name)s"

Although the last condition needs the following patch, allowing to check context variables against constants during the policy enforcement phase : https://review.openstack.org/#/c/68176/

Florent: "project_admin" is a completely viable workaround today, but the issue remains that "admin" is still relatively magical compared to the way other roles are handled, as it does not respect the scope to which it's assigned.

I think there really needs to be at least three or four concepts here OOB: (I say 3 or 4 since 3 could just be a configuration of 2)

1) Tenant Admin - specific to that tenant only
2) Multi-tenant Admin - across a specific set of tenants
3) Global-Tenant Admin - Admin access to all tenants but not "system" actions (changing endpoints, making policy changes, etc.)
4) Global "System" Admin - God

Even in file-system ACLs, there is adistinction between RWX and RWX + modify ACL

I also think it would be a common use case to want to manage multiple tenants at once without having to re-authenticate to each one in turn, but that's a battle I'm sure I won't win.

Admin of one tenant can also create networks, routers and so on in other tenants, and take other actions. It might be a big risk for the security.
So I think it also affect the Neutron.

Please provide more information on what you suggest for neutron with respect to this bug.

Neutron doesn't support RBAC at the moment, but it will not be added in the scope of one bugfix, i guess.

@Eugene Nikanorov (enikanorov)
Hi Eugene, Thanks for your reply.

Indeed, I just want to make sure that whether it will be safer that the admin of the tenant can only manage the network in their own tenants. Because, there is an issue that someone thought that HEAT should allow admin to create Networks in other tenants by HEAT. And we found the issue you are working on.

So we just want to make sure the trend that "the admin scope will be limited in future", or make sure "Heat did not allow admin to create networks in other tenant will block any important Neutron functional case".
Could you help to give me some advise?

And I have one question:
If the keystone fix the issue, admin will cannot create Networks in other tenant. Is that true?

IN order to close out this bug, all of the places that policy is enforced need to be scoped. This is, I think possible today, with the4 exception of "deleting resources for a deleted project" but a patch has been proposed that should address that:

https://review.openstack.org/#/c/203852/

The other places where global admin is required today are on calls like "create cells" in Nova, where the Cell abstraction is not scoped to any project. There is an admin project specified in the authtoken section of the config file, and that can be used to scope anything that is endpoint-level instead of end-user-project level.

Making this happen will require rewriting the policy files for each of the services, to include Keystone, to make sure that the "admin" role is not used anywhere without also checking for a project scope. As such, this bug affects each of the projects equally, but it is not a Keystone specific issue to solve.

Note that fixing the scoping is dependent on

https://bugs.launchpad.net/keystone/+bug/1476264

As that seems to be the only reason we currently need a global admin.

For other operations that do not have a scope on the object/API to check, policy should default to using the admin tenant configured when setting up the server in the authtoken section of the config file.

domain =default,
project = admin

That can be overridden in a production deployment, but matches what devstack currently does.

I'd like to add a few lines to cinder to allow other fields to be considered when determining admin. Currently this is only role. Though not ideal, a combination of role/user/project and or domain can be used to satisfy the is_admin functionality currently used.

Fix proposed to branch: master
Review: https://review.openstack.org/213501

Reviewed: https://review.openstack.org/213501
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=9840721b51671296816d681dbd4b9afe221f68b4
Submitter: Jenkins
Branch: master

commit 9840721b51671296816d681dbd4b9afe221f68b4
Author: Brent Roskos <email address hidden>
Date: Sun Aug 16 08:41:48 2015 -0400

    adds user_id to check_is_admin

    A small tactical update to allow cinder to consider user_id
    when checking for admin.

    This is needed in the field until the larger changes around
    admin scoping are completed. Checking for role only is not
    sufficient in a multi-domain configuration.

    juno-backport-potential
    kilo-backport-potential

    closes-bug: 968696

    Change-Id: I0cb99186bd833c4c32964490c4bc6da9ad42d320

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/217695

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/217728

Proposed solution:

1. Add a config value ADMIN_PROJECT_ID
2. In token creation, if ADMIN_PROJECT_ID is not None: only add the admin role to the token if the id of the scoped project == ADMIN_PROJECT_ID

Fix proposed to branch: master
Review: https://review.openstack.org/233480

How's the proposed solution solving the problem where 'admin' role is admin for everybody? Can we separate Nova admin from Cinder admin?

Guang, you very easily could do that with custom policy: Have a separate project for Nova and for Cinder, and list both of them in the "admin_project_ids" in Keystone. Communicating the project name or ID with Nova and CInder is out of scope for the current mechanisms.

Change abandoned by ayoung (<email address hidden>) on branch: master
Review: https://review.openstack.org/233480
Reason: The Admin project needs to be added to the data used for policy enforcement. Just excluding projects will not work with existing APIs

Fix proposed to branch: master
Review: https://review.openstack.org/240719

Assigning to Kevin to look at. He did the RBAC work for networks in Liberty. Perhaps expanding the RBAC model to other Neutron resources would address what this bug is looking at.

So, a tweak on the approach proposed in Comment 39: We are still going to have an admin project specified in the Keystone config. Instead of limiting tokens with the Admin role to that project, we are going to add an extra value to tokes that are scoped to that project: is_admin_project=True.

This addresses the fact that many APIS require Admin scoped to projects, and will handle the multiple roles for managing service or endpoint specific admins as well.

Change abandoned by Alan Pevec (<email address hidden>) on branch: stable/juno
Review: https://review.openstack.org/217695

This isn't related to the RBAC for networks feature in Neutron so I removed that tag. I don't have time to look at this on the Neutron side at the moment so I will un-assign myself for now.

Reviewed: https://review.openstack.org/240719
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e7023697a884759716d0a01605825a3af90d4db6
Submitter: Jenkins
Branch: master

commit e7023697a884759716d0a01605825a3af90d4db6
Author: Adam Young <email address hidden>
Date: Sun Oct 11 23:15:52 2015 -0400

    set `is_admin` on tokens for admin project

    Adds two new configuration value:

    admin_project_name
    admin_project_domain_name

    If both values are set, and tokens requested for
    projects (only, not domains) that match both will have an
    additional value in them; `is_admin_project=true`

    DocImpact
    -- Configuration changes need documentation
    APIImpact
    -- Adds optional return values in token validation calls
    SecurityImpact
    -- Should be helpful in making access control decisions

    Implements: blueprint is-admin-project
    Partial-Bug: #968696

    Change-Id: Ic9cf9862739381a30130b4be87075f726736ff88

With the above commit, we have the framework to start fixing this bug. However, we have to deal with existing deployments that expect the existing behavior.

Each of the projects needs a new version of the policy.json file that reflects the current logic, but with the added check for "is_admin_project" performed against the token. The deployment mechanism (devstack, puppet etc) needs to switch over to using the new version of the file, and also to configure the values in the Keystone config file that populate that value on tokens for the appropriate projects.

For exiting deployments, there will be some users that had admin on other-than-admi projects and the site administrators need to determine how to deal with this. Are they going to get admin on the admin project, or will they be limited to operations on the existing set of projects that no longer allow the global admin operations.

Fix proposed to branch: master
Review: https://review.openstack.org/257636

Reviewed: https://review.openstack.org/240720
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9804081a80ef815a86407a64f967986a7bf9ba25
Submitter: Jenkins
Branch: master

commit 9804081a80ef815a86407a64f967986a7bf9ba25
Author: Adam Young <email address hidden>
Date: Sun Nov 1 11:55:45 2015 -0500

    Updated Cloudsample

    Uses configuration options to determine if a token is for the admin
    project and should be granted admin privileges.

    Closes-Bug: 968696

    Change-Id: Ib23452e171dc90115c77fa5a4b9dc4649054eb0e

Change abandoned by Sean McGinnis (<email address hidden>) on branch: stable/kilo
Review: https://review.openstack.org/217728
Reason: This review is > 4 weeks without comment and currently blocked by a core reviewer with a -2. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and contacting the reviewer with the -2 on this review to ensure you address their concerns.

This issue was fixed in the openstack/keystone 9.0.0.0b2 development milestone.

I feel like global admin is something we're not really treating as a bug, but as a new feature that needs to be addressed. Moving to wishlist / feature state for nova for this reason.

Please do not downgrade the importance of this bug. With Nova ignoring it, it puts all of the other projects that use the Access Info into a position where they are locked in with the global admin.

Work is actively underway to fix this.

I have a question about this specific feature (use of the is_project_admin flag in the tokens), and most of all the ability to leverage that in Keystone policy and the other service policy files.

I’m running this build:
openstack-keystone-9.0.0.0b4-0.20160304193251.9d6ab5d.el7.centos.noarch

In my keystone policy file, I did this:

  "admin_required": "role:admin and is_admin_project",
   ….
  "identity:list_domains": "rule:admin_required",

I set up the two variables (admin_project_domain_name and admin_project_name) in keystone.conf, and I can obtain a token for a user in the admin project. In the token response, I can see the is_admin_project: true flag which is good.

Somehow though, I get 403 when I try a get /v3/domains with that token.

I’m just looking to see if the code for the policies to leverage that flag is already in in build 9.0.0.0b4?

From the discussion above, it appears policy changes in the other services has not been merged yet so I'm sticking to just experimenting with Keystone's apis themselves first.

Same behavior with openstack-keystone-9.0.0.0-0.20160328140958.6639463.el7.centos.noarch

Fix proposed to branch: master
Review: https://review.openstack.org/307648

Change abandoned by Sharat Sharma (<email address hidden>) on branch: master
Review: https://review.openstack.org/307648

CONFIRMED FOR: NEWTON

According to Adam Young: http://lists.openstack.org/pipermail/openstack-dev/2016-June/097887.html

Note that the work in this bug is required to enforce policy as required by this one.

https://bugs.launchpad.net/neutron/+bug/1602081

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/380733

Change abandoned by abdul nizamuddin (<email address hidden>) on branch: stable/mitaka
Review: https://review.openstack.org/380733

Fix proposed to branch: master
Review: https://review.openstack.org/384148

Fix proposed to branch: master
Review: https://review.openstack.org/384642

Reopening the Keystone one as the fix does not work for default policy, which is what most people use.

Untagging this from keystone m2 milestone since there is still work to be done. Adam, is there a new target you're shooting for?

Reviewed: https://review.openstack.org/384642
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=da0ea57d7e9b8254a877009e77f412684cce3754
Submitter: Jenkins
Branch: master

commit da0ea57d7e9b8254a877009e77f412684cce3754
Author: Adam Young <email address hidden>
Date: Mon Oct 10 13:41:52 2016 -0400

    Admin API policy enforcement contingent on is_admin_project

    In order for a user with the admin role to be able to perform
    administrative actions, the role must be assigned to a project
    that is deemed the "admin" project in the Keystone server. This
    prevents someone being assigned admin on some random project
    from being admin everywhere.

    Change-Id: Ic4294cc1746702c345259c64bad1e20675a7d9ab
    Closes-Bug: 968696

This issue was fixed in the openstack/cinder 10.0.0.0b2 development milestone.

I'm not sure if this is still the best place to address the issue, but despite having patched my Newton based lab with commits ca73d296bd5a16435dd35cd0818f4b0a16bc2d02 and ef48072d94f780ebaacee8c3ddf02a68193fa74d ("Fix cloud_admin rule and ensure only project tokens can be cloud admin"), a domain scoped token is still marked as "is_admin_project=True". This has the effect that some projects treat a domain scoped token with the admin role on any given domain as Cloud Admin. This is the case in Neutron for instance.

This happens because when the token is initially created the function that populates the is_admin_project property doesn't set it since it's not a project token. The problem is that "is_admin_project" then defaults to true later on (to support legacy behavior). The "is_admin_project" property function that was added to the Token class in the previously mentioned patch never seems to get called either.

Maybe I'm wrong but a quick glance of Ocata code doesn't make me think that this has changed in that release.

The following quick patch fixes it for me:

--- keystone/token/providers/common.py.orig 2017-03-01 21:09:57.221278528 +0000
+++ keystone/token/providers/common.py 2017-03-01 21:09:51.134244716 +0000
@@ -315,11 +315,15 @@
         if not (admin_project_name and admin_project_domain_name):
             return # admin project not enabled

- project = token_data['project']
-
- token_data['is_admin_project'] = (
- project['name'] == admin_project_name and
- project['domain']['name'] == admin_project_domain_name)
+ # Since 'is_admin_project' only supported for project scoped tokens,
+ # return False if not project scoped
+ if 'project' in token_data:
+ project = token_data['project']
+ token_data['is_admin_project'] = (
+ project['name'] == admin_project_name and
+ project['domain']['name'] == admin_project_domain_name)
+ else:
+ token_data['is_admin_project'] = False

     def _get_roles_for_user(self, user_id, domain_id, project_id):
         roles = []
@@ -576,8 +580,7 @@
             token_data['bind'] = bind

         self._populate_scope(token_data, domain_id, project_id)
- if token_data.get('project'):
- self._populate_is_admin_project(token_data)
+ self._populate_is_admin_project(token_data)
         self._populate_user(token_data, user_id, trust)
         self._populate_roles(token_data, user_id, domain_id, project_id, trust,
                              access_token)

Sorry for patch formatting is my previous comment. Seems Launchpad mangles spaces. Patch attached instead.

Another issue which is orthogonal to the previous one is that despite having added the following patch to Neutron, 2e621eeb1cdfae5ceb3c83eb6befcb954f0b6cec(*) ("Use to_policy_values for policy enforcement"), Neutron completely ignores the "is_admin_project" value set in the token.

This is because neutron-server builds the request context differently than other projects. Instead of using "from_environ" in oslo_context, it does it itself in it's "NeutronKeystoneContext" class.

The fix is to tell it to look at the X_IS_ADMIN_PROJECT header.

Patch attached.

* https://github.com/openstack/neutron/commit/2e621eeb1cdfae5ceb3c83eb6befcb954f0b6cec

The Neutron bug bug above is likely addressed by: https://review.openstack.org/#/c/448538/

Comment #72 should be addressed by https://review.openstack.org/#/c/438035/

Marc FYI, the change you linked in comment 77 was a mistake and is in the process of being reverted.

Fix proposed to branch: master
Review: https://review.openstack.org/464009

Reviewed: https://review.openstack.org/464009
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4a82ab9065a659bbcb838240da113a0509f651aa
Submitter: Jenkins
Branch: master

commit 4a82ab9065a659bbcb838240da113a0509f651aa
Author: Gage Hugo <email address hidden>
Date: Thu May 11 10:34:26 2017 -0400

    Revert change 438035 is_admin_project default

    This change reverts having is_admin_project default to False [0]
    since we currently need to have it revert to True in order to
    account for anyone who has not configured an admin project. This
    will be truely fixed at a later date.

    This also adds comments from another change [1] which clarifies
    the for why this should not be changed at this moment.

    [0] https://review.openstack.org/#/c/438035/
    [1] https://review.openstack.org/#/c/257636/

    Partial-Bug: 968696

    Change-Id: I039bfc8a41d43634ebad545725b9188a82afb990
    Co-Authored-By: Adam Young <email address hidden>
    Co-Authored-By: Matthew Edmonds <email address hidden>

setting this to "Wishlist" Nova is, essentially, blocking fixing this issue for all the projects in OpenStack.

Just catching up on this bug since I wasn't subscribed to emails.

Since the patch mentioned in comment 77 was reverted, am I wrong to believe that the patch I attached in comment 74 is still required?

https://bugs.launchpad.net/nova/+bug/1649532 is another example of this

Fix proposed to branch: master
Review: https://review.openstack.org/520845

Fix proposed to branch: master
Review: https://review.openstack.org/525772

Fix proposed to branch: master
Review: https://review.openstack.org/553612

Related fix proposed to branch: master
Review: https://review.openstack.org/553613

Change abandoned by ayoung (<email address hidden>) on branch: master
Review: https://review.openstack.org/384148
Reason: To avoid confusing people, I am going to abandon this patch. I've kept it around until the System-Role approach showed it had traction and was going to replace it, but now it is causing confusion. I greatly appreciate the +2, but its a bout 14 months too late.

Change abandoned by ayoung (<email address hidden>) on branch: master
Review: https://review.openstack.org/520845
Reason: Abandoning in favor of Session scope

Change abandoned by ayoung (<email address hidden>) on branch: master
Review: https://review.openstack.org/384655
Reason: Abandoning in favor of Session scope.

Change abandoned by ayoung (<email address hidden>) on branch: master
Review: https://review.openstack.org/257636
Reason: Abandoning in favor of session scope

Fix proposed to branch: master
Review: https://review.openstack.org/605485

Fix proposed to branch: master
Review: https://review.openstack.org/605849

Fix proposed to branch: master
Review: https://review.openstack.org/605850

Fix proposed to branch: master
Review: https://review.openstack.org/605851

Related fix proposed to branch: master
Review: https://review.openstack.org/605871

Fix proposed to branch: master
Review: https://review.openstack.org/611179

Reviewed: https://review.openstack.org/594547
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=239bed09a922d6076711ca5c112be6299fa0f0bb
Submitter: Zuul
Branch: master

commit 239bed09a922d6076711ca5c112be6299fa0f0bb
Author: Lance Bragstad <email address hidden>
Date: Tue Aug 21 20:41:38 2018 +0000

    Implement scope_type checking for credentials

    This change adds tests cases for the default roles keystone
    supports at install time. It also modifies the policies for the
    credentials API to be more self-service by properly checking
    for various scopes.

    Closes-Bug: 1788415
    Partial-Bug: 968696

    Change-Id: Ifedb7798c96930b6cc0f91159a14a21ac4b02f9f

Fix proposed to branch: master
Review: https://review.openstack.org/623317

Fix proposed to branch: master
Review: https://review.openstack.org/623318

Fix proposed to branch: master
Review: https://review.openstack.org/623319

Fix proposed to branch: master
Review: https://review.openstack.org/623320

Fix proposed to branch: master
Review: https://review.openstack.org/623321

Related fix proposed to branch: master
Review: https://review.openstack.org/623322

Fix proposed to branch: master
Review: https://review.openstack.org/623334

Related fix proposed to branch: master
Review: https://review.openstack.org/624221

Reviewed: https://review.openstack.org/623334
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9e8849561bb05f52379531bfc69da8c348f97b28
Submitter: Zuul
Branch: master

commit 9e8849561bb05f52379531bfc69da8c348f97b28
Author: Lance Bragstad <email address hidden>
Date: Wed Sep 26 16:47:39 2018 +0000

    Implement system reader role in domains API

    This commit introduces the system reader role to the API, making it
    easier for administrators to delegate subsets of responsibilities to
    the API by default.

    Subsequent patches will include domain support for:

      - system members test coverage
      - system admins functionality
      - domain user test coverage
      - project user test coverage

    Change-Id: I2e0a5de931049627e6ceb48b1c0e44205f3388e1
    Partial-Bug: 1794376
    Partial-Bug: 968696

Reviewed: https://review.openstack.org/605849
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d5a57414b4d69d5c10e767a94795deb0bc003612
Submitter: Zuul
Branch: master

commit d5a57414b4d69d5c10e767a94795deb0bc003612
Author: Lance Bragstad <email address hidden>
Date: Thu Sep 27 18:15:48 2018 +0000

    Implement system member role domain test coverage

    This commit introduces the system member role to the API, making sure
    system members can execute readable operations, leaving writable
    domain operations to system administrators.

    Subsequent patches will include domain support for:

      - system admin functionality
      - domain user test coverage
      - project user test coverage

    Change-Id: I1d21ba562b007b43fc36a7a2010d35591ca3bae5
    Partial-Bug: 1794376
    Partial-Bug: 968696

Reviewed: https://review.openstack.org/605850
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7fa424f1de1ac29c2d34d02cae04b845df5837b1
Submitter: Zuul
Branch: master

commit 7fa424f1de1ac29c2d34d02cae04b845df5837b1
Author: Lance Bragstad <email address hidden>
Date: Thu Sep 27 18:26:48 2018 +0000

    Implement system admin role in domains API

    This commit introduces the system admin role to the API, making it
    consistent with other system-admin policy definitions.

    Subsequent patches will include domain support for:

      - domain user test coverage
      - project user test coverage

    Change-Id: Ic9a789dc3f34d9735de3b4bc4bd48b41190cbfba
    Closes-Bug: 1794376
    Partial-Bug: 968696

Change abandoned by Lance Bragstad (<email address hidden>) on branch: master
Review: https://review.openstack.org/611179
Reason: This has been broken into a more reviewable series, starting here [0].

[0] https://review.openstack.org/#/c/605485/15

Related fix proposed to branch: master
Review: https://review.openstack.org/625732

Related fix proposed to branch: master
Review: https://review.openstack.org/625733

Related fix proposed to branch: master
Review: https://review.openstack.org/625734

Reviewed: https://review.openstack.org/605851
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1d32de5fe9c8465e2a70bf75dba7bdfeefa80ec9
Submitter: Zuul
Branch: master

commit 1d32de5fe9c8465e2a70bf75dba7bdfeefa80ec9
Author: Lance Bragstad <email address hidden>
Date: Thu Sep 27 19:12:20 2018 +0000

    Allow domain users to access the GET domain API

    This change updates the policy for identity:get_domains to allow
    users with role assignments on a domain to fetch the domain. As long
    as they call the API with a domain scoped token, they should be
    authorized to retrieve the domain. Subsequent patches will do the
    same for project users.

    Change-Id: I83a9b8af775580d36a1141be55e9c1cc283a75b6
    Partial-Bug: 1794864
    Partial-Bug: 968696

Reviewed: https://review.openstack.org/605871
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2c8f81af62cd03601fca259647991d5dd7f8d560
Submitter: Zuul
Branch: master

commit 2c8f81af62cd03601fca259647991d5dd7f8d560
Author: Lance Bragstad <email address hidden>
Date: Thu Sep 27 21:51:12 2018 +0000

    Allow project users to retrieve domains

    This commit adds thorough testing to make sure users who have a role
    on a project can use project-scoped tokens to call GET
    /v3/domain/{domain_id} for the domain own their project. These users
    are not allowed to access domains that they don't have any
    authorization via project role assignments.

    This ensures the domains API is tested with these cases and makes the
    domains API more self-serviceable for users that are not
    administrators.

    Change-Id: Ifc100a7a235140fbd07cbafe80983d3c2f17a7dc
    Closes-Bug: 1794864
    Related-Bug: 968696

Reviewed: https://review.openstack.org/605485
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=40d3458fcb29df1daefce9455d1778e800cac378
Submitter: Zuul
Branch: master

commit 40d3458fcb29df1daefce9455d1778e800cac378
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 19:39:56 2018 +0000

    Implement system reader role for users

    This commit introduces the system reader role to the users API, making
    it easier for administrators to delegate subsets of responsibilities
    to the API by default. This commit also maintains the ability for
    any user to be able to fetch their own user reference.

    Subsequent patches will incorporate:

      - system member test coverage
      - system admin functionality
      - domain reader functionality
      - domain member test coverage
      - domain admin functionality
      - project user test coverage

    Change-Id: I9c362e515772540dfa93d05781d955009b9a154d
    Partial-Bug: 1805406
    Partial-Bug: 1748027
    Partial-Bug: 968696

Reviewed: https://review.openstack.org/623317
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4f724f2d9387dc83148dada41a0f9acb294026c2
Submitter: Zuul
Branch: master

commit 4f724f2d9387dc83148dada41a0f9acb294026c2
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 19:48:36 2018 +0000

    Implement system member role user test coverage

    This commit introduces explicit test coverage for system members,
    making sure they are allowed to do readable and not writable user
    operations.

    Subsequent patches will incorporate:

      - system admin functionality
      - domain reader functionality
      - domain member test coverage
      - domain admin functionality
      - project user test coverage

    Change-Id: Ibc837225154ba7bcd2f93938565b41ff0e8f4803
    Partial-Bug: 1805406
    Partial-Bug: 1748027
    Partial-Bug: 968696

Reviewed: https://review.openstack.org/623318
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=29fb7ae3952138ec05fd2434fe9cf5eccc8205f0
Submitter: Zuul
Branch: master

commit 29fb7ae3952138ec05fd2434fe9cf5eccc8205f0
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 19:59:36 2018 +0000

    Implement system admin role in users API

    This commit introduces the system admin role to the users API,
    making it consistent with other system-admin policy definitions.

    Subsequent patches will build on this work to expose more
    functionality to domain and project users:

     - domain reader functionality
     - domain member test coverage
     - domain admin functionality
     - project user test coverage

    Change-Id: I19bf5a562401100d9208f98515ce596f7ca20185
    Closes-Bug: 1805406
    Partial-Bug: 1748027
    Partial-Bug: 968696

Reviewed: https://review.openstack.org/625732
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=feb0d58df4ce4531d3e381c24385a531d164ee2a
Submitter: Zuul
Branch: master

commit feb0d58df4ce4531d3e381c24385a531d164ee2a
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 17 22:40:04 2018 +0000

    Implement system reader role for groups

    This commit introduces the system reader role to the group API, making
    it easier for administrators to delegate subsets of responsibilities
    to the API by default. This commit also maintains the ability for
    any user to be able to fetch their own group memberships, which
    encapsulates a bunch of tests for what regular project users can do
    with groups.

    Subsequent patches will incorporate:

      - system member test coverage
      - system admin functionality
      - domain reader functionality
      - domain member test coverage
      - domain admin functionality

    Change-Id: I24ff27da79bb01322e05c6d8cd37f02693fd5b9f
    Related-Bug: 1805369
    Related-Bug: 1808859
    Related-Bug: 968696

Reviewed: https://review.openstack.org/625733
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f66070995d4f0f76f68fde29fa2d5a4e90f26ce8
Submitter: Zuul
Branch: master

commit f66070995d4f0f76f68fde29fa2d5a4e90f26ce8
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 17 22:43:21 2018 +0000

    Implement system member test coverage for groups

    This commit introduces explicity test coverage for system members,
    making sure they are allowed to perform readable and not writable
    group operations.

    Subsequent patches will incorporate:

      - system admin functionality
      - domain reader functionality
      - domain member test coverage
      - domain admin functionality

    Change-Id: Ie22a18ac7b243089509001fda930474f55e29d3f
    Related-Bug: 1805369
    Related-Bug: 1808859
    Related-Bug: 968696

Reviewed: https://review.openstack.org/625734
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f62f73c548d7a1cb4fe557e457a49d77322968c4
Submitter: Zuul
Branch: master

commit f62f73c548d7a1cb4fe557e457a49d77322968c4
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 17 23:05:08 2018 +0000

    Implement system admin role in groups API

    The commit introduces the system admin role to the group API, making
    it consistent with other system-admin policy definitions.

    Subsequent patches will incorporate:

      - domain reader functionality
      - domain member test coverage
      - domain admin functionality

    Change-Id: Ib0ff05396bed2bfefefa712491aeb0b9b5f2c1d0
    Related-Bug: 968696
    Related-Bug: 1808859
    Closes-Bug: 1805369

Change abandoned by Lance Bragstad (<email address hidden>) on branch: master
Review: https://review.openstack.org/624221
Reason: Abandoning this patch since most of the work done here was pulled forward to the system-reader patch.

https://review.openstack.org/#/c/624215/5

Reviewed: https://review.openstack.org/623319
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bc217b316e13942cb7f4fc742be988d27bd32aa2
Submitter: Zuul
Branch: master

commit bc217b316e13942cb7f4fc742be988d27bd32aa2
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 20:21:28 2018 +0000

    Implement domain reader functionality for user API

    This commit adds explicit testing for how users with the reader role
    on a domain should interact with users both inside and outside of
    the domain they have authroization on.

    Subsequent patches will continue to build on this by incorporating:

     - domain member test coverage
     - domain admin functionality
     - project user test coverage

    Change-Id: I09f520aaed9560541d183ac83a1a7241d8d0d2f1
    Partial-Bug: 1748027
    Partial-Bug: 968696

Reviewed: https://review.openstack.org/623320
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9ca599e50610fadc60e1b05c1af37044916575c5
Submitter: Zuul
Branch: master

commit 9ca599e50610fadc60e1b05c1af37044916575c5
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 20:31:08 2018 +0000

    Implement domain member functionality for user API

    This commit adds explicit testing for how users with the member role
    on a domain should interact with users both inside and outside of
    the domain they have authroization on.

    Subsequent patches will continue to build on this by incorporating:

     - domain admin functionality
     - project user test coverage

    Change-Id: I2a75f49e953c0c6fbe2de6da7b40faaa208f953d
    Partial-Bug: 1748027
    Partial-Bug: 968696

Reviewed: https://review.openstack.org/623321
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cf1ce4eb36393cedadb2de2aeba8140c65e09775
Submitter: Zuul
Branch: master

commit cf1ce4eb36393cedadb2de2aeba8140c65e09775
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 20:50:28 2018 +0000

    Implement domain admin functionality for user API

    This commit add explicit testing to show how users with the admin role
    on a domain can manage users within thier domain. It also modifies the
    default policies to account for this functionality. A subsequent patch
    will do the same for project users.

    Change-Id: I3899e07b857e213f85384ed9c9e4add199290a49
    Partial-Bug: 1748027
    Partial-Bug: 968696

Reviewed: https://review.openstack.org/623322
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f9e07a940dc6d197709f5a66c8e4ff203d388da1
Submitter: Zuul
Branch: master

commit f9e07a940dc6d197709f5a66c8e4ff203d388da1
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 21:01:14 2018 +0000

    Add explicit testing for project users and the user API

    This commit wraps up the user API policy refactor by adding explicit
    testing for how project users are expected to behave with the user
    API. A subsequent patch set will remove the now obsolete user policies
    in policy.v3cloudsample.json.

    Change-Id: Ic7b0839ac70439aa0311a98c6b7b5688a7e2dcf7
    Closes-Bug: 1748027
    Related-Bug: 968696

Fix proposed to branch: stable/stein
Review: https://review.openstack.org/647548

Fix proposed to branch: stable/stein
Review: https://review.openstack.org/647549

Fix proposed to branch: stable/stein
Review: https://review.openstack.org/647550

Related fix proposed to branch: stable/stein
Review: https://review.openstack.org/647551

Related fix proposed to branch: master
Review: https://review.openstack.org/647737

Reviewed: https://review.openstack.org/647548
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=69868c6bfdeca737ea7c48057beb3b657e14091b
Submitter: Zuul
Branch: stable/stein

commit 69868c6bfdeca737ea7c48057beb3b657e14091b
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 20:21:28 2018 +0000

    Implement domain reader functionality for user API

    This commit adds explicit testing for how users with the reader role
    on a domain should interact with users both inside and outside of
    the domain they have authroization on.

    Subsequent patches will continue to build on this by incorporating:

     - domain member test coverage
     - domain admin functionality
     - project user test coverage

    Change-Id: I09f520aaed9560541d183ac83a1a7241d8d0d2f1
    Partial-Bug: 1748027
    Partial-Bug: 968696
    (cherry picked from commit bc217b316e13942cb7f4fc742be988d27bd32aa2)

Reviewed: https://review.openstack.org/647549
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=dd6da4cd459d330dc2feb017c470da321604784a
Submitter: Zuul
Branch: stable/stein

commit dd6da4cd459d330dc2feb017c470da321604784a
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 20:31:08 2018 +0000

    Implement domain member functionality for user API

    This commit adds explicit testing for how users with the member role
    on a domain should interact with users both inside and outside of
    the domain they have authroization on.

    Subsequent patches will continue to build on this by incorporating:

     - domain admin functionality
     - project user test coverage

    Change-Id: I2a75f49e953c0c6fbe2de6da7b40faaa208f953d
    Partial-Bug: 1748027
    Partial-Bug: 968696
    (cherry picked from commit 9ca599e50610fadc60e1b05c1af37044916575c5)

Reviewed: https://review.openstack.org/647550
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a5fbec6a091afe28d04bfdb331a56aa14d6e7ff3
Submitter: Zuul
Branch: stable/stein

commit a5fbec6a091afe28d04bfdb331a56aa14d6e7ff3
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 20:50:28 2018 +0000

    Implement domain admin functionality for user API

    This commit add explicit testing to show how users with the admin role
    on a domain can manage users within thier domain. It also modifies the
    default policies to account for this functionality. A subsequent patch
    will do the same for project users.

    Change-Id: I3899e07b857e213f85384ed9c9e4add199290a49
    Partial-Bug: 1748027
    Partial-Bug: 968696
    (cherry picked from commit cf1ce4eb36393cedadb2de2aeba8140c65e09775)

Reviewed: https://review.openstack.org/647551
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8da74c1756d5c8ce7a33cb3f18d45d2d7c7bc63a
Submitter: Zuul
Branch: stable/stein

commit 8da74c1756d5c8ce7a33cb3f18d45d2d7c7bc63a
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 21:01:14 2018 +0000

    Add explicit testing for project users and the user API

    This commit wraps up the user API policy refactor by adding explicit
    testing for how project users are expected to behave with the user
    API. A subsequent patch set will remove the now obsolete user policies
    in policy.v3cloudsample.json.

    Change-Id: Ic7b0839ac70439aa0311a98c6b7b5688a7e2dcf7
    Closes-Bug: 1748027
    Related-Bug: 968696
    (cherry picked from commit f9e07a940dc6d197709f5a66c8e4ff203d388da1)

Reviewed: https://review.openstack.org/647737
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=60e0f00326ee41968730f9d72fc77cab26af3d9f
Submitter: Zuul
Branch: master

commit 60e0f00326ee41968730f9d72fc77cab26af3d9f
Author: Colleen Murphy <email address hidden>
Date: Tue Mar 26 14:40:00 2019 +0100

    Add release prelude about changing policies

    This change adds a prelude to the release notes to inform operators
    about the changing policy defaults and how to handle them, since these
    are going to be quite a big change and cause a lot of log warnings.

    Change-Id: If067866daa8abbe41027018c260a3e01bddbb92f
    Related-bug: #968696

Related fix proposed to branch: stable/stein
Review: https://review.openstack.org/648819

Reviewed: https://review.openstack.org/643937
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=be452fee80fabe252b2dae3be76c1d46fdd857e4
Submitter: Zuul
Branch: master

commit be452fee80fabe252b2dae3be76c1d46fdd857e4
Author: Colleen Murphy <email address hidden>
Date: Mon Mar 18 14:20:15 2019 +0100

    Add domain scope support for group policies

    This commit adds support for the domain scope type for the group API
    policies. It defines appropriate policies for the reader, member, and
    admin role and adds tests for each case.

    Change-Id: Iaff3c0e45423ef427ef1458250c402c44be4b1d6
    Closes-bug: #1808859
    Partial-Bug: #968696

Fix proposed to branch: stable/stein
Review: https://review.openstack.org/648995

Reviewed: https://review.openstack.org/648819
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2727e837d94aa937c9bb5fe68c006a86d4ee0bc7
Submitter: Zuul
Branch: stable/stein

commit 2727e837d94aa937c9bb5fe68c006a86d4ee0bc7
Author: Colleen Murphy <email address hidden>
Date: Tue Mar 26 14:40:00 2019 +0100

    Add release prelude about changing policies

    This change adds a prelude to the release notes to inform operators
    about the changing policy defaults and how to handle them, since these
    are going to be quite a big change and cause a lot of log warnings.

    Change-Id: If067866daa8abbe41027018c260a3e01bddbb92f
    Related-bug: #968696
    (cherry picked from commit 60e0f00326ee41968730f9d72fc77cab26af3d9f)

Reviewed: https://review.openstack.org/648995
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2c00a6974e35057fd924060fee3d36e6a91fcf95
Submitter: Zuul
Branch: stable/stein

commit 2c00a6974e35057fd924060fee3d36e6a91fcf95
Author: Colleen Murphy <email address hidden>
Date: Mon Mar 18 14:20:15 2019 +0100

    Add domain scope support for group policies

    This commit adds support for the domain scope type for the group API
    policies. It defines appropriate policies for the reader, member, and
    admin role and adds tests for each case.

    Change-Id: Iaff3c0e45423ef427ef1458250c402c44be4b1d6
    Closes-bug: #1808859
    Partial-Bug: #968696
    (cherry picked from commit be452fee80fabe252b2dae3be76c1d46fdd857e4)

Related fix proposed to branch: master
Review: https://review.opendev.org/677004

Reviewed: https://review.opendev.org/676847
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ea7acd80362e27c44a299c70504c21fdc7953e21
Submitter: Zuul
Branch: master

commit ea7acd80362e27c44a299c70504c21fdc7953e21
Author: Colleen Murphy <email address hidden>
Date: Thu Aug 15 18:39:41 2019 -0700

    Implement system reader role for trusts API

    Currently, the trusts API only allows the "project" scope type, and
    moreover inconsistently enforces different actions based on admin status
    or trustor/trustee relationship: for example, an "admin" can list all
    trusts but not filter by trustor or trustee and cannot get details for a
    single trust, not can they list or get trust roles. This patch changes
    the behavior of the trusts API to allow a system reader to list and get
    details for trusts and trust roles, where previously only a trustor or
    trustee could do so. This helps make the different actions in the trusts
    API consistent with one another and makes the API more useful to a
    deployment auditor. A subsequent patch will add system admin
    functionality.

    This change does not use the oslo.policy deprecation feature for the
    'identity:list_trusts_for_trustor' or 'identity:list_trusts_for_trustee'
    policies as those are new policies introduced in 7717ed3.

    Change-Id: I4e1482643e18fd46e937ffae8b3623cea2d2dd62
    Partial-bug: #1818850
    Partial-bug: #1818846
    Related-Bug: #968696

Reviewed: https://review.opendev.org/676995
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6aebf179b8b1b48909ea57666f61bbc080bd6888
Submitter: Zuul
Branch: master

commit 6aebf179b8b1b48909ea57666f61bbc080bd6888
Author: Colleen Murphy <email address hidden>
Date: Fri Aug 16 10:38:43 2019 -0700

    Add tests for system member for trusts

    For trusts, a system member is essentially the same as a system reader:
    system members should not be able to create or delete trusts. This
    change adds tests to assert that, but no policy changes are required to
    account for the member role.

    Change-Id: I0acd55f4428708430740bf2c305f664e199dd304
    Partial-bug: #1818846
    Related-Bug: #968696

Reviewed: https://review.opendev.org/677004
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9be1caff97355099d25170fe390dd15d6f592d56
Submitter: Zuul
Branch: master

commit 9be1caff97355099d25170fe390dd15d6f592d56
Author: Colleen Murphy <email address hidden>
Date: Fri Aug 16 11:14:16 2019 -0700

    Implement system admin for trusts API

    This change enables a system admin to delete trusts. Previously, only
    the trustor or the is_admin admin could delete a trust. This changes
    makes the trusts API more useful to system administrators who need to
    clean up trusts and makes the API consistent with others.

    This does not enable system admins to create trusts. A trust can only be
    scoped to a project, so creating one is inherently a project-scoped
    action. If trusts later gain the ability to be scoped to the system or
    domains, we can add those scopes to the create_trust scope_types.

    Change-Id: Idf13b862f345388bb2372609787947eb43d7ba75
    Closes-bug: #1818846
    Closes-bug: #1818850
    Related-Bug: #968696

I want to provide a holistic view of the work keystone has done to fix this issue.

We fixed this by consuming scope-types [0] and implementing a unified approach to default roles [1]. We also audited our API and separated system-specific APIs from APIs intended for project and domain users. We updated our default policies to reflect intended usage and tracked everything in separate and smaller bug reports [2][3].

As of the Train release keystone supports nine role and scope combinations by default. These roles and scopes give system, domain, and project users support for "reader," "member," and "admin" functionality.

We plan to document all the APIs these personas can access in keystone. We also plan to graduate our API testing to Tempest in some way, shape, or form. This will make it easier for projects to leverage testing utilities if they take the same approach we did.

Everything keystone used to develop this functionality is available for other projects. Mainly, oslo.context, oslo.policy, and keystonemiddleware know how to expose all authorization information necessary to fix this issue. Developers can feel free to reuse the approach keystone used and reference keystone as an example.

[0] https://docs.openstack.org/keystone/latest/contributor/services.html#authorization-scopes
[1] https://docs.openstack.org/keystone/latest/contributor/services.html#how-do-i-incorporate-authorization-scopes-into-a-service
[2] https://tinyurl.com/y4sdg67r
[3] https://tinyurl.com/y6gd46rt

Change abandoned by Stephen Finucane (<email address hidden>) on branch: master
Review: https://review.opendev.org/553612
Reason: I'm going to go out on a limb and assume this has stalled and can be abandoned

Change abandoned by Stephen Finucane (<email address hidden>) on branch: master
Review: https://review.opendev.org/553613
Reason: One of the patches this depends on has been abandoned and this is failing tests, so I'm going to abandon this in turn. If it's still valid, can you please re-open and update as necessary?

Change abandoned by Balazs Gibizer (<email address hidden>) on branch: master
Review: https://review.opendev.org/525772
Reason: This is a pretty old patch with failing tests. Feel free to restore it (or ask gibi on irc to restore it) if you still working on it.

We discussed this topic with system-scope in the Xena PTG last week with glance. Right now, the only really applicable system-scope API for glance is publicize_image (and possibly the metadef API).

Glance is writing up a specification that details the work for a refactor to make adopting system-scope easier and we're targeting that for Xena.

Change abandoned by "Gage Hugo <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/keystone/+/311203
Reason: Abandoning since there hasn't been any recent activity, if anyone wants to continue this work, please feel free to restore this or create a new change.

Reopoend for Nova since the fix using System Roles seems to have been rejected. The older solution, using Admin_project would deal with the fact that the Nova API requires a project ID on the APIs in question.

If it is not fixed in Nova it is not fixed in Keystone, as the solution has to start there.