Remove obsolete service provider policies from policy.v3cloudsample.json

Bug #1804520 reported by Lance Bragstad
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Lance Bragstad
Milestone: stein-3

Bug Description

Once support for scope types landed in the service provider API policies, the policies in policy.v3cloudsample.json became obsolete [0][1].

We should add formal protection for the policies with enforce_scope = True in keystone.tests.unit.protection.v3 and remove the old policies from the v3 sample policy file.

This will reduce confusion by having a true default policy for identity providers.

[0] https://review.openstack.org/#/c/526173/
[1] https://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json?id=fb73912d87b61c419a86c0a9415ebdcf1e186927#n216

Tags: policy
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
tags: added: policy
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/620156

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/620157

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/620158

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/620159

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/620160

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/620161

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/620156
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=acd5d027ecc3d5b8819b0f5772ce114cdbd7a680
Submitter: Zuul
Branch: master

commit acd5d027ecc3d5b8819b0f5772ce114cdbd7a680
Author: Lance Bragstad <email address hidden>
Date: Mon Nov 26 19:46:30 2018 +0000

    Update service provider policies for system reader

    The service provider policies were not taking the default roles work
    we did last release into account. This commit changes the default
    policies to rely on the ``reader`` role for get and list service
    providers. Subsequent patches will incorporate:

     - system member test coverage
     - system admin functionality
     - domain users test coverage
     - project users test coverage

     Related-Bug: 1804520
     Related-Bug: 1804522

    Change-Id: I54fde6f6395b55a0798157346af3188bc756ba50

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/620157
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e22bafa25bced833115530401ef878f5e1d1c7eb
Submitter: Zuul
Branch: master

commit e22bafa25bced833115530401ef878f5e1d1c7eb
Author: Lance Bragstad <email address hidden>
Date: Mon Nov 26 20:29:00 2018 +0000

    Add service provider tests for system member role

    From keystone's perspective, the ``member`` and ``reader`` roles are
    effectively the same, isolating writable service provider operations
    to the ``admin`` role.

    This commit adds explicit testing to make sure the ``member`` role is
    allowed to perform readable and not writable service provider
    operations. Subsequent patches will incorporate:

     - system admin functionality
     - domain users test coverage
     - project users test coverage

     Related-Bug: 1804520
     Related-Bug: 1804522

    Change-Id: Iecc39d5e4f1a4dc9293e67ee86f23f9a119793a8

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/620158
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7ce5e3e24e8291c0af387a72ce7b47c3b28a9f74
Submitter: Zuul
Branch: master

commit 7ce5e3e24e8291c0af387a72ce7b47c3b28a9f74
Author: Lance Bragstad <email address hidden>
Date: Mon Nov 26 20:43:09 2018 +0000

    Update service provider policies for system admin

    This change makes the policy definitions for admin service
    provider operations consistent with the other service provider
    policies. Subsequent patches will incorporate:

     - domain users test coverage
     - project users test coverage

    Change-Id: I621192f089d1b29e2585d0030716348274e50bf1
    Related-Bug: 1804520
    Closes-Bug: 1804522

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/620159
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=fba96a26ac80fab86671d47ff7eaf11427ed4af0
Submitter: Zuul
Branch: master

commit fba96a26ac80fab86671d47ff7eaf11427ed4af0
Author: Lance Bragstad <email address hidden>
Date: Mon Nov 26 20:50:40 2018 +0000

    Add tests for domain users interacting with sps

    This commit introduces some tests that show how domain users are
    expected to behave with the federated service provider API. A
    subsequent patch will do the same for project users.

    Change-Id: I27f7550d4f05494d19cbbf67e2e1a7fdfc19b21a
    Related-Bug: 1804520

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/620160
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=92ac35fe6bca328f3b92153ff560490947291d9e
Submitter: Zuul
Branch: master

commit 92ac35fe6bca328f3b92153ff560490947291d9e
Author: Lance Bragstad <email address hidden>
Date: Mon Nov 26 20:52:53 2018 +0000

    Add tests for project users interacting with sps

    This commit introduces some tests that show how project users
    are expected to behave with the federated service provider API.
    A subsequent patch will clean up the now obsolete policies in the
    policy.v3cloudsample.json file.

    Change-Id: I799fedbb250614fef7ce0a55bd4ac266475ad3a1
    Related-Bug: 1804520

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/620161
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6bac9930ebd0f5882247879c3d9b04b732ba6fb4
Submitter: Zuul
Branch: master

commit 6bac9930ebd0f5882247879c3d9b04b732ba6fb4
Author: Lance Bragstad <email address hidden>
Date: Mon Nov 26 20:57:53 2018 +0000

    Remove service provider policies from v3cloudsample.json

    By incorporating system-scope and default roles, we've effectively
    made these policies obsolete. We can simplify what we maintain and
    provide a more consistent, unified view of default service provider
    behavior by removing them.

    Change-Id: I01b0e7152ae282c49644b3bad1bcb2c8119aed58
    Closes-Bug: 1804520

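As an added example (not keystone's code and not part of this bug report), a small pure-Python model of the service provider policy behaviour the commits above describe: get and list under the ``reader`` role, create/update/delete under ``admin``, all limited to system scope with enforce_scope turned on. The check strings and the implied-role chain (admin implies member implies reader) are assumed here to mirror keystone's defaults.

```python
"""Model of keystone service provider policies after the fix (added example).

The check strings and implied roles below are assumptions modelled on
keystone's defaults; this is not keystone's enforcement code.
"""

# Assumed default policies: reads need the reader role, writes need admin,
# and every rule is only valid for system-scoped tokens.
SP_POLICIES = {
    "identity:get_service_provider": "role:reader and system_scope:all",
    "identity:list_service_providers": "role:reader and system_scope:all",
    "identity:create_service_provider": "role:admin and system_scope:all",
    "identity:update_service_provider": "role:admin and system_scope:all",
    "identity:delete_service_provider": "role:admin and system_scope:all",
}
SP_SCOPE_TYPES = {rule: ["system"] for rule in SP_POLICIES}

# Assumed default implied roles: admin implies member, member implies reader.
IMPLIED = {"admin": {"member"}, "member": {"reader"}}


def expand_roles(roles):
    """Return the role set closed under the implied-role hierarchy."""
    out, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in out:
            out.add(role)
            stack.extend(IMPLIED.get(role, ()))
    return out


def check_rule(rule, creds):
    """Evaluate a conjunctive check string ('a:b and c:d') against creds."""
    for atom in rule.split(" and "):
        key, val = atom.split(":", 1)
        if key == "role" and val not in creds["roles"]:
            return False
        if key == "system_scope" and creds.get("system_scope") != val:
            return False
        if key not in ("role", "system_scope"):
            raise ValueError("unsupported check: %s" % atom)
    return True


def enforce(action, token, enforce_scope=True):
    """Return True if the token may perform action; False otherwise."""
    # With enforce_scope=True a token of the wrong scope type is rejected
    # before the check string is even evaluated.
    if enforce_scope and token["scope"] not in SP_SCOPE_TYPES[action]:
        return False
    creds = {"roles": expand_roles(token["roles"]),
             "system_scope": token.get("system_scope")}
    return check_rule(SP_POLICIES[action], creds)
```

A project-scoped token fails here even for a user holding ``admin``, which is the point of restricting the service provider API to system scope.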
Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → stein-3
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
