yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1749268] Re: `keystone-manage bootstrap` doesn't handle system role assignments

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Lance Bragstad <lbragstad@xxxxxxxxx>
Date: Tue, 13 Feb 2018 20:28:37 -0000
Reply-to: Bug 1749268 <1749268@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Also affects: keystone/queens
   Importance: High
     Assignee: Lance Bragstad (lbragstad)
       Status: In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1749268

Title:
  `keystone-manage bootstrap` doesn't handle system role assignments

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Identity (keystone) queens series:
  In Progress

Bug description:
  The whole purpose of the `keystone-manage bootstrap` command is to
  help operators establish an admin account they can use to administer
  the rest of the deployment. It does this by granting the admin user in
  the bootstrap command an admin role on a project [0].

  A system role assignment should also be created so that operators
  don't lock themselves out of APIs if they set enabled_scope=True in
  configuration but don't actually have a user with any system role
  assignments.

  
  [0] https://github.com/openstack/keystone/blob/69b8815d046c4eb0164070976e4351b81a15a0e2/keystone/cmd/cli.py#L283-L293

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1749268/+subscriptions

References

[Bug 1749268] [NEW] `keystone-manage bootstrap` doesn't handle system role assignments
From: Lance Bragstad, 2018-02-13