2022-02-14 09:39:31 |
Peter De Sousa |
bug |
|
|
added bug |
2022-02-14 09:58:29 |
Peter De Sousa |
description |
Hi,
When testing user access on openstack the users are able to create objects outside of their given access scopes. For example: Reader roles can create objects inside of projects. There is an upstream keystone issue for this: https://bugs.launchpad.net/keystone/+bug/1915193.
In that bug https://bugs.launchpad.net/keystone/+bug/1915193/comments/3 points to an enforce_new_defaults config value which is available in nova https://docs.openstack.org/nova/latest/configuration/sample-config.html.
Currently the nova-compute charm does not enable this configuration value, and the issue is present. Please see the test run at: https://paste.ubuntu.com/p/NSgfGSmvJz/ The script to run these tests can be found at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/run_dsv_openstack_tests.sh
Thanks,
Peter |
Hi,
When testing user access on openstack the users are able to create objects outside of their given access scopes. For example: Reader roles can create objects inside of projects. There is an upstream keystone issue for this: https://bugs.launchpad.net/keystone/+bug/1915193.
In that bug https://bugs.launchpad.net/keystone/+bug/1915193/comments/3 points to an enforce_new_defaults config value which is available in nova https://docs.openstack.org/nova/latest/configuration/sample-config.html.
Currently the nova-compute charm does not enable this configuration value, and the issue is present. Please see the test run at: https://paste.ubuntu.com/p/NSgfGSmvJz/ The script to run these tests can be found at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/run_rbac_openstack_tests.sh
Thanks,
Peter |
|
2022-02-14 10:01:11 |
Peter De Sousa |
description |
Hi,
When testing user access on openstack the users are able to create objects outside of their given access scopes. For example: Reader roles can create objects inside of projects. There is an upstream keystone issue for this: https://bugs.launchpad.net/keystone/+bug/1915193.
In that bug https://bugs.launchpad.net/keystone/+bug/1915193/comments/3 points to an enforce_new_defaults config value which is available in nova https://docs.openstack.org/nova/latest/configuration/sample-config.html.
Currently the nova-compute charm does not enable this configuration value, and the issue is present. Please see the test run at: https://paste.ubuntu.com/p/NSgfGSmvJz/ The script to run these tests can be found at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/run_rbac_openstack_tests.sh
Thanks,
Peter |
Hi,
When testing user access on openstack the users are able to create objects outside of their given access scopes. For example: Reader roles can create objects inside of projects. There is an upstream keystone issue for this: https://bugs.launchpad.net/keystone/+bug/1915193.
In that bug https://bugs.launchpad.net/keystone/+bug/1915193/comments/3 points to an enforce_new_defaults config value which is available in nova https://docs.openstack.org/nova/latest/configuration/sample-config.html.
Currently the nova-compute charm does not enable this configuration value, and the issue is present. Please see the test run at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/results.txt The script to run these tests can be found at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/run_rbac_openstack_tests.sh
Thanks,
Peter |
|
2022-02-14 10:08:21 |
Alex Kavanagh |
charm-nova-compute: importance |
Undecided |
Wishlist |
|
2022-02-14 10:08:21 |
Alex Kavanagh |
charm-nova-compute: status |
New |
Triaged |
|
2022-02-14 10:08:27 |
Alex Kavanagh |
tags |
|
good-first-bug |
|
2022-02-15 10:50:11 |
Peter De Sousa |
bug task added |
|
charm-keystone |
|
2022-02-15 10:50:33 |
Peter De Sousa |
bug task added |
|
charm-neutron-api |
|
2022-02-15 10:50:55 |
Peter De Sousa |
bug task added |
|
charm-nova-cloud-controller |
|
2022-02-15 10:51:14 |
Peter De Sousa |
bug task added |
|
charm-placement |
|
2022-02-15 10:51:36 |
Peter De Sousa |
bug task added |
|
charm-cinder |
|
2022-02-15 10:53:29 |
Peter De Sousa |
summary |
[RFE] Add charm option for enforce_new_defaults |
[RFE] Add charm option for enforce_new_defaults and enforce_scope |
|
2022-02-15 10:53:58 |
Peter De Sousa |
description |
Hi,
When testing user access on openstack the users are able to create objects outside of their given access scopes. For example: Reader roles can create objects inside of projects. There is an upstream keystone issue for this: https://bugs.launchpad.net/keystone/+bug/1915193.
In that bug https://bugs.launchpad.net/keystone/+bug/1915193/comments/3 points to an enforce_new_defaults config value which is available in nova https://docs.openstack.org/nova/latest/configuration/sample-config.html.
Currently the nova-compute charm does not enable this configuration value, and the issue is present. Please see the test run at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/results.txt The script to run these tests can be found at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/run_rbac_openstack_tests.sh
Thanks,
Peter |
Hi,
When testing user access on openstack the users are able to create objects outside of their given access scopes. For example: Reader roles can create objects inside of projects. There is an upstream keystone issue for this: https://bugs.launchpad.net/keystone/+bug/1915193.
In that bug https://bugs.launchpad.net/keystone/+bug/1915193/comments/3 points to an enforce_new_defaults config value which is available in nova https://docs.openstack.org/nova/latest/configuration/sample-config.html.
Currently the nova-compute charm does not enable this configuration value, and the issue is present. Please see the test run at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/results.txt The script to run these tests can be found at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/run_rbac_openstack_tests.sh
[Edit]
With some further testing, the enforce_new_defaults will not work without the enforce_scope option.
Thanks,
Peter |
|
2022-02-15 10:55:35 |
Nobuto Murata |
bug |
|
|
added subscriber Nobuto Murata |
2022-02-15 10:59:11 |
Nobuto Murata |
description |
Hi,
When testing user access on openstack the users are able to create objects outside of their given access scopes. For example: Reader roles can create objects inside of projects. There is an upstream keystone issue for this: https://bugs.launchpad.net/keystone/+bug/1915193.
In that bug https://bugs.launchpad.net/keystone/+bug/1915193/comments/3 points to an enforce_new_defaults config value which is available in nova https://docs.openstack.org/nova/latest/configuration/sample-config.html.
Currently the nova-compute charm does not enable this configuration value, and the issue is present. Please see the test run at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/results.txt The script to run these tests can be found at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/run_rbac_openstack_tests.sh
[Edit]
With some further testing, the enforce_new_defaults will not work without the enforce_scope option.
Thanks,
Peter |
Hi,
When testing user access on openstack the users are able to create objects outside of their given access scopes. For example: Reader roles can create objects inside of projects. There is an upstream keystone issue for this: https://bugs.launchpad.net/keystone/+bug/1915193.
In that bug https://bugs.launchpad.net/keystone/+bug/1915193/comments/3 points to an enforce_new_defaults config value which is available in nova https://docs.openstack.org/nova/latest/configuration/sample-config.html.
Currently the nova-compute charm does not enable this configuration value, and the issue is present. Please see the test run at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/results.txt The script to run these tests can be found at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/run_rbac_openstack_tests.sh
[Edit]
With some further testing, the enforce_new_defaults will not work without the enforce_scope option.
Thanks,
Peter
https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_new_defaults |
|
2022-06-21 08:53:16 |
Mustafa Kemal Gilor |
charm-nova-cloud-controller: assignee |
|
Mustafa Kemal Gilor (mustafakemalgilor) |
|
2022-06-21 08:53:31 |
Mustafa Kemal Gilor |
charm-nova-cloud-controller: status |
New |
In Progress |
|
2022-06-21 09:34:10 |
Mustafa Kemal Gilor |
charm-nova-cloud-controller: assignee |
Mustafa Kemal Gilor (mustafakemalgilor) |
|
|
2022-06-21 09:34:13 |
Mustafa Kemal Gilor |
charm-nova-cloud-controller: status |
In Progress |
New |
|
2022-08-01 08:39:46 |
Muhammad Ahmad |
charm-nova-compute: assignee |
|
Muhammad Ahmad (ahmadfsbd) |
|
2022-08-02 11:26:52 |
OpenStack Infra |
charm-nova-compute: status |
Triaged |
In Progress |
|
2022-08-02 11:39:49 |
Nobuto Murata |
tags |
good-first-bug |
|
|
2022-08-12 17:37:05 |
Muhammad Ahmad |
charm-nova-compute: assignee |
Muhammad Ahmad (ahmadfsbd) |
|
|
2023-10-16 15:50:07 |
Jan van Stekelenburg |
bug |
|
|
added subscriber Jan van Stekelenburg |