From rocky keystone is bootstrapped with a 'member'; CephRgw used to allow 'Member' instead

Bug #1847539 reported by Giulio Fidente on 2019-10-09
This bug affects 1 person
Affects: tripleo
Importance: High
Assigned to: Giulio Fidente

Bug Description

With the implementation of the keystone blueprint basic-default-roles [1] in rocky, a role called 'member' is created in keystone by default.

Before rocky, instead, the role was created after keystone started and used to be named 'Member'.

CephRgw is whitelisting the roles which are allowed to create content, and it used to only permit access to admin and Member.

1. https://blueprints.launchpad.net/keystone/+spec/basic-default-roles

Fix proposed to branch: master
Review: https://review.opendev.org/687680

Changed in tripleo:
assignee: nobody → Giulio Fidente (gfidente)
status: Confirmed → In Progress

Reviewed: https://review.opendev.org/687680
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=1357a131c83e0d4c699df5b9230c382a803eb5d7
Submitter: Zuul
Branch: master

commit 1357a131c83e0d4c699df5b9230c382a803eb5d7
Author: Giulio Fidente <email address hidden>
Date: Wed Oct 9 23:19:43 2019 +0200

    Permit access to Ceph RGW for 'member' role

    From the Rocky release, Keystone is bootstrapped by default [1]
    with a 'member' role, while previously we used to create at
    deployment time a role called 'Member'.

    Role names are case insensitive in Keystone but Ceph RGW expects
    a whitelist of role names to which access is permitted. This change
    adds 'member' to the Ceph RGW whitelist, in addition to 'Member'.

    1. https://blueprints.launchpad.net/keystone/+spec/basic-default-roles

    Change-Id: Ib3c70c136fa4a03b58edc370343a01d657b5b101
    Closes-Bug: 1847539
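
The mismatch described in the commit message above, as an added example that is not part of the bug report or of the tripleo-heat-templates change: a short Python audit that flags role names which Keystone treats as equal to a whitelisted name but which an exact-match whitelist rejects. The case-sensitive membership check, the function names and the sample role lists are assumptions made for illustration; the whitelist strings follow the comma-separated style of Ceph's `rgw keystone accepted roles` setting.

```python
"""Added example: audit an RGW role whitelist against Keystone role names."""


def parse_accepted_roles(value):
    """Split a comma-separated accepted-roles value into a list of names."""
    return [name.strip() for name in value.split(",") if name.strip()]


def rgw_allows(token_roles, accepted):
    """Model the whitelist as an exact, case-sensitive match (assumption)."""
    return any(role in accepted for role in token_roles)


def case_only_mismatches(keystone_roles, accepted):
    """Return (keystone_role, whitelisted_name) pairs that differ only by case.

    These are the roles an operator would expect to be permitted, because
    Keystone treats the names as equal, but which an exact-match whitelist
    silently rejects.
    """
    folded = {}
    for name in accepted:
        folded.setdefault(name.casefold(), name)
    return sorted(
        (role, folded[role.casefold()])
        for role in keystone_roles
        if role not in accepted and role.casefold() in folded
    )


# Constructed sample values, not taken from a real deployment.
OLD_WHITELIST = parse_accepted_roles("Member, admin")
NEW_WHITELIST = parse_accepted_roles("member, Member, admin")
ROCKY_ROLES = ["admin", "member", "reader"]

if __name__ == "__main__":
    for label, accepted in (("old", OLD_WHITELIST), ("new", NEW_WHITELIST)):
        print(label, "whitelist permits 'member':",
              rgw_allows(["member"], accepted))
        for role, listed in case_only_mismatches(ROCKY_ROLES, accepted):
            print(f"  {role!r} matches {listed!r} only when case is ignored")
```

Running the same comparison against the role list of a live Keystone and the deployed whitelist catches this kind of drift before users report denied requests.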

Changed in tripleo:
status: In Progress → Fix Released

Reviewed: https://review.opendev.org/688651
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=7ecd756b7c5eff4ef938fced335d75123749b1f3
Submitter: Zuul
Branch: stable/stein

commit 7ecd756b7c5eff4ef938fced335d75123749b1f3
Author: Giulio Fidente <email address hidden>
Date: Wed Oct 9 23:19:43 2019 +0200

    Permit access to Ceph RGW for 'member' role

    From the Rocky release, Keystone is bootstrapped by default [1]
    with a 'member' role, while previously we used to create at
    deployment time a role called 'Member'.

    Role names are case insensitive in Keystone but Ceph RGW expects
    a whitelist of role names to which access is permitted. This change
    adds 'member' to the Ceph RGW whitelist, in addition to 'Member'.

    1. https://blueprints.launchpad.net/keystone/+spec/basic-default-roles

    Change-Id: Ib3c70c136fa4a03b58edc370343a01d657b5b101
    Closes-Bug: 1847539
    (cherry picked from commit 1357a131c83e0d4c699df5b9230c382a803eb5d7)

tags: added: in-stable-stein

This issue was fixed in the openstack/tripleo-heat-templates 11.3.0 release.

Reviewed: https://review.opendev.org/688893
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=bf18f6e36fda46313867b94cd2d28009caf94b15
Submitter: Zuul
Branch: stable/rocky

commit bf18f6e36fda46313867b94cd2d28009caf94b15
Author: Giulio Fidente <email address hidden>
Date: Wed Oct 9 23:19:43 2019 +0200

    Permit access to Ceph RGW for 'member' role

    From the Rocky release, Keystone is bootstrapped by default [1]
    with a 'member' role, while previously we used to create at
    deployment time a role called 'Member'.

    Role names are case insensitive in Keystone but Ceph RGW expects
    a whitelist of role names to which access is permitted. This change
    adds 'member' to the Ceph RGW whitelist, in addition to 'Member'.

    1. https://blueprints.launchpad.net/keystone/+spec/basic-default-roles

    Change-Id: Ib3c70c136fa4a03b58edc370343a01d657b5b101
    Closes-Bug: 1847539
    (cherry picked from commit 1357a131c83e0d4c699df5b9230c382a803eb5d7)
    (cherry picked from commit 7ecd756b7c5eff4ef938fced335d75123749b1f3)

tags: added: in-stable-rocky