OpenStack Identity (keystone)

Group API doesn't use default roles

Bug #1805369 reported by Lance Bragstad on 2018-11-27

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Medium	Lance Bragstad	OpenStack Identity (keystone) stein-3

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The groups API doesn't incorporate these defaults into its default policies [1], but it should.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/group.py?id=fb73912d87b61c419a86c0a9415ebdcf1e186927

Tags:

Lance Bragstad (lbragstad) on 2018-11-27

Changed in keystone:
status:	New → Triaged
importance:	Undecided → Medium
tags:	added: default-roles policy

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-12-17: Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/625732

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-12-17:

Related fix proposed to branch: master
Review: https://review.openstack.org/625733

Changed in keystone:
assignee:	nobody → Lance Bragstad (lbragstad)
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-12-17: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/625734

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-28: Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/625732
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=feb0d58df4ce4531d3e381c24385a531d164ee2a
Submitter: Zuul
Branch: master

commit feb0d58df4ce4531d3e381c24385a531d164ee2a
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 17 22:40:04 2018 +0000

Implement system reader role for groups

    This commit introduces the system reader role to the group API, making
    it easier for administrators to delegate subsets of responsibilities
    to the API by default. This commit also maintains the ability for
    any user to be able to fetch their own group memberships, which
    encapsulates a bunch of tests for what regular project users can do
    with groups.

Subsequent patches will incorporate:

      - system member test coverage
      - system admin functionality
      - domain reader functionality
      - domain member test coverage
      - domain admin functionality

    Change-Id: I24ff27da79bb01322e05c6d8cd37f02693fd5b9f
    Related-Bug: 1805369
    Related-Bug: 1808859
    Related-Bug: 968696

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-28:

Reviewed: https://review.openstack.org/625733
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f66070995d4f0f76f68fde29fa2d5a4e90f26ce8
Submitter: Zuul
Branch: master

commit f66070995d4f0f76f68fde29fa2d5a4e90f26ce8
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 17 22:43:21 2018 +0000

Implement system member test coverage for groups

    This commit introduces explicity test coverage for system members,
    making sure they are allowed to perform readable and not writable
    group operations.

Subsequent patches will incorporate:

      - system admin functionality
      - domain reader functionality
      - domain member test coverage
      - domain admin functionality

    Change-Id: Ie22a18ac7b243089509001fda930474f55e29d3f
    Related-Bug: 1805369
    Related-Bug: 1808859
    Related-Bug: 968696

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-28: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/625734
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f62f73c548d7a1cb4fe557e457a49d77322968c4
Submitter: Zuul
Branch: master

commit f62f73c548d7a1cb4fe557e457a49d77322968c4
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 17 23:05:08 2018 +0000

Implement system admin role in groups API

The commit introduces the system admin role to the group API, making
it consistent with other system-admin policy definitions.

Subsequent patches will incorporate:

      - domain reader functionality
      - domain member test coverage
      - domain admin functionality

    Change-Id: Ib0ff05396bed2bfefefa712491aeb0b9b5f2c1d0
    Related-Bug: 968696
    Related-Bug: 1808859
    Closes-Bug: 1805369

Changed in keystone:
status:	In Progress → Fix Released

Colleen Murphy (krinkle) on 2019-02-28

Changed in keystone:
milestone:	none → stein-3

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-21: Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.