yahoo-eng-team team mailing list archive

[Bug 1748970] Re: Role assignment API doesn't prune system roles when querying role.id={role_id}


** Also affects: keystone/trunk
   Importance: Undecided
       Status: New

** Also affects: keystone/queens
   Importance: High
     Assignee: Lance Bragstad (lbragstad)
       Status: In Progress

** No longer affects: keystone/trunk

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1748970

Title:
  Role assignment API doesn't prune system roles when querying
  role.id={role_id}

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Identity (keystone) queens series:
  In Progress
Status in tempest:
  Invalid

Bug description:
  During the Queens release, keystone added support for a new scope type
  called system. This extended the support for users and groups to not
  only have roles on projects and domains, but also on a different
  entity called the "system". This is an effort to make RBAC support
  more flexible and robust, in a way to isolate system administrative
  APIs from project or end-user APIs.

  During keystone's bootstrapping process, it attempts to set up an
  administrator for the deployment. To be backwards compatible, the
  implementation for system scope included a patch to ensure the admin
  user not only had authorization on at least one project, but also the
  system [0]. This makes it so that new and old installations are
  guaranteed an administrative user for all APIs by running an
  idempotent operation. Otherwise it would be possible for an
  administrative user to lock themselves out of system-level APIs if
  they opt into enforcing scope without having at least one system
  administrator.

  The patch to add this functionality is currently failing tempest [0],
  even though tempest doesn't know anything about system role
  assignments or requesting system scoped tokens. Opening this bug so
  that we can investigate tempest and understand how adding a separate
  role assignment is resulting in 401 Authorized responses during tempest
  tests.

  [0] https://review.openstack.org/#/c/530410/

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1748970/+subscriptions
