Add domain_id config option to remove the need for a cloud admin user when generating dynamic credentials

Bug #2028409 reported by Tianqi Xiao
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | New | Undecided | Unassigned | |
| tempest | In Progress | Undecided | Tianqi Xiao | |

Bug Description

Currently, generating dynamic credentials requires listing domains and filtering the result by domain name to get the current/admin domain object from the Keystone API (through the `/v3/domains` API). And as stated in the default keystone policy, listing domains requires cloud_admin privilege, which means we cannot use a domain admin to create test accounts with tempest.

```
"identity:list_domains": "rule:cloud_admin",
```

A better behavior would be using the `/v3/domains/{domain_id}` API to get the domain object directly, so that only a domain admin user is needed to generate test accounts. The benefit of reducing the required user privileges is isolating the test environment. This requires adding an additional domain_id configuration option in the [auth] section.
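As an added illustration (not code from this report, from tempest or from keystone), the resolver below takes the two paths the report contrasts: `GET /v3/domains/{id}` (policy action `identity:get_domain`) when a domain_id is configured, and the list-and-filter path (`identity:list_domains`) otherwise. `fake_keystone`, `FAKE_DOMAINS` and the token dicts are constructed stand-ins that enforce the quoted charm rule (`rule:cloud_admin` on listing) so the behaviour can be shown offline.

```python
import urllib.parse

# Constructed stand-in data: one domain the test accounts would live in.
FAKE_DOMAINS = {"d0m41n1d": {"id": "d0m41n1d", "name": "tempest-admin-domain", "enabled": True}}
# Constructed token shapes: a cloud admin and an admin scoped to the one domain.
CLOUD_ADMIN = {"role": "admin", "cloud_admin": True, "domain_id": "default"}
DOMAIN_ADMIN = {"role": "admin", "cloud_admin": False, "domain_id": "d0m41n1d"}

def fake_keystone(token, path):
    """Constructed Keystone GET: returns (status, body) under the charm policy."""
    if path.startswith("/v3/domains/"):                 # identity:get_domain
        dom = FAKE_DOMAINS.get(path.rsplit("/", 1)[1])
        if dom is None:
            return 404, {}
        if token["role"] == "admin" and (token["cloud_admin"] or token["domain_id"] == dom["id"]):
            return 200, {"domain": dom}
        return 403, {}
    if path.startswith("/v3/domains"):                  # identity:list_domains -> rule:cloud_admin
        if not token["cloud_admin"]:
            return 403, {}
        name = urllib.parse.parse_qs(urllib.parse.urlsplit(path).query).get("name", [None])[0]
        return 200, {"domains": [d for d in FAKE_DOMAINS.values() if name in (None, d["name"])]}
    return 404, {}

def resolve_admin_domain(get, token, domain_name, domain_id=None):
    """Return the domain object needed for dynamic credentials.

    With domain_id configured only GET /v3/domains/{id} is issued, so a
    domain-scoped admin suffices; otherwise fall back to list-and-filter."""
    if domain_id:
        status, body = get(token, f"/v3/domains/{domain_id}")
        if status == 200:
            return body["domain"]
        raise PermissionError(f"GET /v3/domains/{domain_id} -> {status}")
    status, body = get(token, "/v3/domains?name=" + urllib.parse.quote(domain_name))
    if status != 200:
        raise PermissionError(f"GET /v3/domains -> {status} (identity:list_domains denied)")
    matches = [d for d in body["domains"] if d["name"] == domain_name]
    if len(matches) != 1:
        raise LookupError(f"expected one domain named {domain_name!r}, got {len(matches)}")
    return matches[0]

def domain_admin_can_resolve(domain_id=None):
    """True if the domain-scoped admin resolves its domain via the chosen path."""
    try:
        return resolve_admin_domain(fake_keystone, DOMAIN_ADMIN, "tempest-admin-domain", domain_id)["id"] == "d0m41n1d"
    except PermissionError:
        return False
```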

Tianqi Xiao (txiao)
Changed in tempest:
assignee: nobody → Tianqi Xiao (txiao)
Tianqi Xiao (txiao) wrote :

Related fix proposed to the tempest repo: https://review.opendev.org/c/openstack/tempest/+/889664

Andrea Ieri (aieri)
Changed in tempest:
status: New → In Progress
Lukas Piwowarski (lukas-piwowarski) wrote :

Isn't the default policy for listing domains now? -> identity:list_domains: role:reader and system_scope:all

[1] https://docs.openstack.org/keystone/latest/configuration/samples/policy-yaml.html

Tianqi Xiao (txiao) wrote :

@lukas-piwowarski Actually, even newer releases of charm-keystone are rendering policy.json from the rocky template [1], which contains `"identity:list_domains": "rule:cloud_admin",`.

Here [2] is the log showing this behavior on yoga/stable charm-keystone.

I'm not sure if this is a bug in charm-keystone or intended behavior. I will contact the Charmed OpenStack team to learn more about this.

[1]: https://opendev.org/openstack/charm-keystone/src/branch/master/templates/rocky/policy.json
[2]: https://paste.ubuntu.com/p/QyWFvFd8Kn/

Ghanshyam Mann (ghanshyammann) wrote :

The default policy for list domain is not cloud_admin (as Lukas mentioned), but it is also not system reader. Project admin should also work:
- https://github.com/openstack/keystone/blob/02bbc665c415a5407e0f24ebd34433b2a64dd80f/keystone/common/policies/domain.py#L24

System reader is there as the new default, but as we removed the system scope from all the services, I need to make list domain (all keystone policies) allow for system reader + project admin.

Ghanshyam Mann (ghanshyammann) wrote :

I think the fix needs to be done in charm-keystone, in their policy file. It is working fine for the default policy, where project admin should be able to list the domain, and tempest uses it. I am not sure what cloud_admin is and what permissions it has, but Tempest is meant to work for the default policy only.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tempest (master)

Change abandoned by "Tianqi Xiao <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/tempest/+/889664
Reason: Confirmed that proper domain separation can be achieved with upstream keystone policy. Therefore, I agree the proper fix would be updating Charmed Openstack policies.
