Activity log for bug #1960806

Date Who What changed Old value New value Message
2022-02-14 09:39:31 Peter De Sousa bug added bug
2022-02-14 09:58:29 Peter De Sousa description Hi, When testing user access on openstack the users are able to create objects outside of their given access scopes. For example: Reader roles can create objects inside of projects. There is an upstream keystone issue for this: https://bugs.launchpad.net/keystone/+bug/1915193. In that bug https://bugs.launchpad.net/keystone/+bug/1915193/comments/3 points to a enforce_new_defaults config value which is availabe in nova https://docs.openstack.org/nova/latest/configuration/sample-config.html. Currently the nova-compute charm does not enable this configuration value, and the issue is present, please see the test run at: https://paste.ubuntu.com/p/NSgfGSmvJz/ the script to run these tests can be found at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/run_dsv_openstack_tests.sh Thanks, Peter Hi, When testing user access on openstack the users are able to create objects outside of their given access scopes. For example: Reader roles can create objects inside of projects. There is an upstream keystone issue for this: https://bugs.launchpad.net/keystone/+bug/1915193. In that bug https://bugs.launchpad.net/keystone/+bug/1915193/comments/3 points to a enforce_new_defaults config value which is availabe in nova https://docs.openstack.org/nova/latest/configuration/sample-config.html. Currently the nova-compute charm does not enable this configuration value, and the issue is present, please see the test run at: https://paste.ubuntu.com/p/NSgfGSmvJz/ the script to run these tests can be found at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/run_rbac_openstack_tests.sh Thanks, Peter
2022-02-14 10:01:11 Peter De Sousa description Hi, When testing user access on openstack the users are able to create objects outside of their given access scopes. For example: Reader roles can create objects inside of projects. There is an upstream keystone issue for this: https://bugs.launchpad.net/keystone/+bug/1915193. In that bug https://bugs.launchpad.net/keystone/+bug/1915193/comments/3 points to a enforce_new_defaults config value which is availabe in nova https://docs.openstack.org/nova/latest/configuration/sample-config.html. Currently the nova-compute charm does not enable this configuration value, and the issue is present, please see the test run at: https://paste.ubuntu.com/p/NSgfGSmvJz/ the script to run these tests can be found at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/run_rbac_openstack_tests.sh Thanks, Peter Hi, When testing user access on openstack the users are able to create objects outside of their given access scopes. For example: Reader roles can create objects inside of projects. There is an upstream keystone issue for this: https://bugs.launchpad.net/keystone/+bug/1915193. In that bug https://bugs.launchpad.net/keystone/+bug/1915193/comments/3 points to a enforce_new_defaults config value which is availabe in nova https://docs.openstack.org/nova/latest/configuration/sample-config.html. Currently the nova-compute charm does not enable this configuration value, and the issue is present, please see the test run at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/results.txt the script to run these tests can be found at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/run_rbac_openstack_tests.sh Thanks, Peter
2022-02-14 10:08:21 Alex Kavanagh charm-nova-compute: importance Undecided Wishlist
2022-02-14 10:08:21 Alex Kavanagh charm-nova-compute: status New Triaged
2022-02-14 10:08:27 Alex Kavanagh tags good-first-bug
2022-02-15 10:50:11 Peter De Sousa bug task added charm-keystone
2022-02-15 10:50:33 Peter De Sousa bug task added charm-neutron-api
2022-02-15 10:50:55 Peter De Sousa bug task added charm-nova-cloud-controller
2022-02-15 10:51:14 Peter De Sousa bug task added charm-placement
2022-02-15 10:51:36 Peter De Sousa bug task added charm-cinder
2022-02-15 10:53:29 Peter De Sousa summary [RFE] Add charm option for enforce_new_defaults [RFE] Add charm option for enforce_new_defaults and enforce_scope
2022-02-15 10:53:58 Peter De Sousa description Hi, When testing user access on openstack the users are able to create objects outside of their given access scopes. For example: Reader roles can create objects inside of projects. There is an upstream keystone issue for this: https://bugs.launchpad.net/keystone/+bug/1915193. In that bug https://bugs.launchpad.net/keystone/+bug/1915193/comments/3 points to a enforce_new_defaults config value which is availabe in nova https://docs.openstack.org/nova/latest/configuration/sample-config.html. Currently the nova-compute charm does not enable this configuration value, and the issue is present, please see the test run at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/results.txt the script to run these tests can be found at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/run_rbac_openstack_tests.sh Thanks, Peter Hi, When testing user access on openstack the users are able to create objects outside of their given access scopes. For example: Reader roles can create objects inside of projects. There is an upstream keystone issue for this: https://bugs.launchpad.net/keystone/+bug/1915193. In that bug https://bugs.launchpad.net/keystone/+bug/1915193/comments/3 points to a enforce_new_defaults config value which is availabe in nova https://docs.openstack.org/nova/latest/configuration/sample-config.html. Currently the nova-compute charm does not enable this configuration value, and the issue is present, please see the test run at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/results.txt the script to run these tests can be found at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/run_rbac_openstack_tests.sh [Edit] With some further testing, the enforce_new_defaults will not work without the enforce_scope option. Thanks, Peter
2022-02-15 10:55:35 Nobuto Murata bug added subscriber Nobuto Murata
2022-02-15 10:59:11 Nobuto Murata description Hi, When testing user access on openstack the users are able to create objects outside of their given access scopes. For example: Reader roles can create objects inside of projects. There is an upstream keystone issue for this: https://bugs.launchpad.net/keystone/+bug/1915193. In that bug https://bugs.launchpad.net/keystone/+bug/1915193/comments/3 points to a enforce_new_defaults config value which is availabe in nova https://docs.openstack.org/nova/latest/configuration/sample-config.html. Currently the nova-compute charm does not enable this configuration value, and the issue is present, please see the test run at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/results.txt the script to run these tests can be found at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/run_rbac_openstack_tests.sh [Edit] With some further testing, the enforce_new_defaults will not work without the enforce_scope option. Thanks, Peter Hi, When testing user access on openstack the users are able to create objects outside of their given access scopes. For example: Reader roles can create objects inside of projects. There is an upstream keystone issue for this: https://bugs.launchpad.net/keystone/+bug/1915193. In that bug https://bugs.launchpad.net/keystone/+bug/1915193/comments/3 points to a enforce_new_defaults config value which is availabe in nova https://docs.openstack.org/nova/latest/configuration/sample-config.html. Currently the nova-compute charm does not enable this configuration value, and the issue is present, please see the test run at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/results.txt the script to run these tests can be found at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/run_rbac_openstack_tests.sh [Edit] With some further testing, the enforce_new_defaults will not work without the enforce_scope option. Thanks, Peter https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_new_defaults
2022-06-21 08:53:16 Mustafa Kemal Gilor charm-nova-cloud-controller: assignee Mustafa Kemal Gilor (mustafakemalgilor)
2022-06-21 08:53:31 Mustafa Kemal Gilor charm-nova-cloud-controller: status New In Progress
2022-06-21 09:34:10 Mustafa Kemal Gilor charm-nova-cloud-controller: assignee Mustafa Kemal Gilor (mustafakemalgilor)
2022-06-21 09:34:13 Mustafa Kemal Gilor charm-nova-cloud-controller: status In Progress New
2022-08-01 08:39:46 Muhammad Ahmad charm-nova-compute: assignee Muhammad Ahmad (ahmadfsbd)
2022-08-02 11:26:52 OpenStack Infra charm-nova-compute: status Triaged In Progress
2022-08-02 11:39:49 Nobuto Murata tags good-first-bug
2022-08-12 17:37:05 Muhammad Ahmad charm-nova-compute: assignee Muhammad Ahmad (ahmadfsbd)
2023-10-16 15:50:07 Jan van Stekelenburg bug added subscriber Jan van Stekelenburg