yahoo-eng-team team mailing list archive

[Bug 1749268] Re: `keystone-manage bootstrap` doesn't handle system role assignments

Reviewed:  https://review.openstack.org/530410
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3c524e6491c1b35a2f8413ebe046c238bf530d71
Submitter: Zuul
Branch:    master

commit 3c524e6491c1b35a2f8413ebe046c238bf530d71
Author: Lance Bragstad <lbragstad@xxxxxxxxx>
Date:   Thu Dec 28 22:11:32 2017 +0000

    Grant admin a role on the system during bootstrap
    
    Now that we have system scope in place, we should make sure at least
    one user has a role assignment on the system. We can do this at the
    same time we grant the user a role on a project during bootstrap.
    
    This is backwards compatible because even if a deployment doesn't use
    system-scope, the assignment will just sit there. The deployment will
    have to opt into enforcing scope by updating configuration options
    for oslo.policy to enforce scoping.
    
    This shouldn't prevent deployments from fixing bug 968696 and using
    system scope.
    
    Closes-Bug: 1749268
    
    Change-Id: I6b7196a28867d9a699716c8fef2609d608a5b2a2


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1749268

Title:
  `keystone-manage bootstrap` doesn't handle system role assignments

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) queens series:
  In Progress

Bug description:
  The whole purpose of the `keystone-manage bootstrap` command is to
  help operators establish an admin account they can use to administer
  the rest of the deployment. It does this by granting the admin user in
  the bootstrap command an admin role on a project [0].

  A system role assignment should also be created so that operators
  don't lock themselves out of APIs if they set enabled_scope=True in
  configuration but don't actually have a user with any system role
  assignments.

  
  [0] https://github.com/openstack/keystone/blob/69b8815d046c4eb0164070976e4351b81a15a0e2/keystone/cmd/cli.py#L283-L293

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1749268/+subscriptions
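
An added example, not part of the bug report or the keystone change: a preflight check for the lockout the bug description warns about. It assumes the assignment list has the shape of keystone's `GET /v3/role_assignments` response body and that the setting is oslo.policy's `enforce_scope` option in the `[oslo_policy]` section; the IDs and the config fragment are constructed.

```python
import configparser

# Constructed keystone.conf fragment: the operator has opted into scope enforcement.
CONF_TEXT = """
[oslo_policy]
enforce_scope = True
"""

# Constructed data shaped like the body of GET /v3/role_assignments.
PROJECT_ONLY = {"role_assignments": [
    {"role": {"id": "admin-role-id"}, "user": {"id": "admin-user-id"},
     "scope": {"project": {"id": "admin-project-id"}}},
]}
WITH_SYSTEM = {"role_assignments": PROJECT_ONLY["role_assignments"] + [
    {"role": {"id": "admin-role-id"}, "user": {"id": "admin-user-id"},
     "scope": {"system": {"all": True}}},
]}


def enforce_scope_enabled(conf_text):
    """Read [oslo_policy]/enforce_scope; treating absent as False is an assumption."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    return parser.getboolean("oslo_policy", "enforce_scope", fallback=False)


def system_role_holders(body, role_id):
    """Return sorted (kind, id) pairs of actors holding role_id on the system."""
    holders = set()
    for assignment in body.get("role_assignments", []):
        scope = assignment.get("scope", {})
        if scope.get("system", {}).get("all") is not True:
            continue  # project- or domain-scoped: no help for system-scoped APIs
        if assignment.get("role", {}).get("id") != role_id:
            continue
        for kind in ("user", "group"):
            if kind in assignment:
                holders.add((kind, assignment[kind]["id"]))
    return sorted(holders)


def lockout_risk(conf_text, body, role_id):
    """True when scope is enforced but nobody holds role_id on the system."""
    return enforce_scope_enabled(conf_text) and not system_role_holders(body, role_id)
```

A group counts as a holder here even if it has no members, so a result that lists only groups still needs a membership check.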
