Unable to distinguish between not is_admin_project and feature not enabled
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
Medium
|
Jamie Lennox | ||
keystoneauth |
Fix Released
|
Medium
|
Jamie Lennox | ||
keystonemiddleware |
Fix Released
|
Medium
|
Jamie Lennox | ||
oslo.context |
Fix Released
|
Undecided
|
Jamie Lennox | ||
oslo.policy |
Confirmed
|
Wishlist
|
Jamie Lennox |
Bug Description
The is_admin_project flag is used in a token to indicate that the current token is scoped to a project that is indicated as the admin project. Currently this is only added to the token when the admin_project is True and nothing added when False.
From a policy perspective we need to write policy files that are backwards compatible, however we cannot determine the difference in policy between is_admin_project == False and the admin project not being set from config because both result in no flag being set in the token.
If we were to enforce is_admin_project == True on a deployment that did not use it this would completely break backwards compatibility as the is_admin_project check would never pass.
To fix this we need to make is_admin_project a required field of a token at least when the admin project is set.
Because the current default is that every project can be the admin project, the default value of is_admin_project must be True. For deployments that do not configure an admin project we can either set is_admin_
Changed in keystone: | |
assignee: | nobody → Adam Young (ayoung) |
Changed in keystone: | |
assignee: | Adam Young (ayoung) → Jamie Lennox (jamielennox) |
milestone: | none → next |
Changed in keystone: | |
importance: | Undecided → Medium |
milestone: | next → newton-1 |
Changed in keystonemiddleware: | |
assignee: | nobody → Jamie Lennox (jamielennox) |
Changed in oslo.context: | |
assignee: | nobody → Jamie Lennox (jamielennox) |
Changed in oslo.policy: | |
assignee: | nobody → Jamie Lennox (jamielennox) |
Changed in oslo.policy: | |
status: | New → Confirmed |
importance: | Undecided → Wishlist |
Fix proposed to branch: master /review. openstack. org/312323
Review: https:/