yahoo-eng-team team mailing list archive

[Bug 1541540] Re: Implied role "root_role" config needs to be expanded

 

Reviewed:  https://review.openstack.org/279703
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f984518971fe2c91630016c8e726ae00e5d41e6a
Submitter: Jenkins
Branch:    master

commit f984518971fe2c91630016c8e726ae00e5d41e6a
Author: John Dennis <jdennis@xxxxxxxxxx>
Date:   Thu Feb 11 11:31:36 2016 -0500

    Convert assignment.root_role config option to list of strings
    
    The assignment.root_role config option was previously a single string
    which specified a role name that was prohibited from being added as an
    implied role. By default it was 'admin'. For greater flexibility we
    now permit a list of role names that are prohibited from being
    implied.
    
    Summary of changes:
    
    * Change assignment.root_role from cfg.StrOpt to cfg.ListOpt.
      ListOpt is preferred over MultiStrOpt because of config file formatting.
      Update help for option.
    
    * Change assignment.root_role name to assignment.prohibited_implied_role
    
    * Change test for implied role name from string equality to
      membership in list of strings.
    
    * Expand ImpliedRolesTests.test_root_role_as_implied_role_forbidden()
      unit test to test 2 prohibited implied role names and 1 valid
      implied role name.
    
    Change-Id: Idfe14080e2f1ec1e89b85d8f5f00aad187f1fd22
    Closes-Bug: #1541540
    Signed-off-by: John Dennis <jdennis@xxxxxxxxxx>


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1541540

Title:
  Implied role "root_role" config needs to be expanded

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  The "root_role" option is insufficient for blocking "implied" roles.
  This needs to be expanded to where a list opt makes sense. There will
  likely be many cases where more than one role should never be allowed
  to be implied, for example "domain admin" if the domain admin needs to
  come from SSO.

  Suggest making it an option that is a listopt and calling it something
  not "root_role".

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1541540/+subscriptions
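
The change described in the commit message above, as an added sketch that is not keystone's code: the old single-name equality check next to the new list-membership check, run against two constructed config fragments. It uses the standard-library configparser instead of oslo.config, and `load_prohibited`, `check_implied_role`, `audit`, `InvalidImpliedRole` and the `domain_admin` and `member` role names are hypothetical.

```python
import configparser

# Constructed keystone.conf fragments (sample values, not from the page).
OLD_CONF = "[assignment]\nroot_role = admin\n"
NEW_CONF = "[assignment]\nprohibited_implied_role = admin, domain_admin\n"


def load_prohibited(conf_text):
    """Return the prohibited implied role names from either option form."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    section = cp["assignment"] if cp.has_section("assignment") else {}
    if "prohibited_implied_role" in section:
        raw = section["prohibited_implied_role"]
        # A ListOpt is written comma-separated in the config file;
        # strip whitespace and drop empty items.
        return [r.strip() for r in raw.split(",") if r.strip()]
    # Old form: one role name, 'admin' by default (per the commit message).
    return [section.get("root_role", "admin")]


class InvalidImpliedRole(Exception):
    """Hypothetical exception for this sketch."""


def check_implied_role(implied_role_name, prohibited):
    """Reject an inference rule whose implied role is prohibited."""
    if implied_role_name in prohibited:
        raise InvalidImpliedRole(implied_role_name)
    return True


def audit(conf_text, candidate_roles):
    """Map each candidate implied role to True (allowed) or False (blocked)."""
    prohibited = load_prohibited(conf_text)
    result = {}
    for name in candidate_roles:
        try:
            result[name] = check_implied_role(name, prohibited)
        except InvalidImpliedRole:
            result[name] = False
    return result


if __name__ == "__main__":
    roles = ["admin", "domain_admin", "member"]
    print("old option:", audit(OLD_CONF, roles))
    print("new option:", audit(NEW_CONF, roles))
```

With the old single-string option only `admin` is blocked, so a second sensitive role can still be granted by implication; the list form blocks both.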
