The credential API should account for different scopes

Bug #1788415 reported by Lance Bragstad
Affects                        Status        Importance  Assigned to     Milestone
OpenStack Identity (keystone)  Fix Released  High        Lance Bragstad  stein-2

Bug Description

Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the user API. This is documented in each patch with FIXMEs [0].

The following acceptance criteria describe how the v3 credential API should behave with tokens from multiple scopes:

GET /v3/credentials/{credential_id}

- Someone with a system role assignment that passes the check string should be able to view credentials for any user in the deployment (system-scoped)
- Someone with a valid token should only be able to view credentials they've created

GET /v3/credentials/

- Someone with a system role assignment that passes the check string should be able to list all credentials in the deployment (system-scoped)
- Someone with a valid token should only be able to list credentials associated to their user

POST /v3/credentials

- Someone with a system role assignment that passes the check string should be able to create credentials for other users (system-scoped)
- Someone with a valid token should only be able to create credentials for themselves

DELETE /v3/credentials/{credential_id}

- Someone with a system role assignment that passes the check string should be able to delete any credential in the deployment (system-scoped)
- Someone with a valid token should only be able to delete credentials associated to their user account

[0] https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/credential.py#n21
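To make the acceptance criteria above concrete, the following is an added example, not keystone's own code and not part of the bug report: a minimal evaluator for oslo.policy-style check strings, run against constructed tokens and credential records to show how a "system role or owner" rule decides each of the four cases. The rule strings, the token dictionaries (a system-scoped reader, a system-scoped admin, and a project-scoped user who holds `admin` only on a project) and the credential records are assumptions modeled on the shape of scope-aware defaults; they are not copied from keystone/common/policies/credential.py, and the evaluator supports only `and`, `or`, parentheses, `role:` checks and generic `key:value` checks with `%(...)s` substitution from the target.

```python
"""Added example (not keystone's own code): a small evaluator for
oslo.policy-style check strings, used to walk through the scope-aware
credential policy cases described in bug 1788415.

Rule strings, tokens and credentials below are constructed for
illustration and are assumptions, not keystone's real defaults."""
import re

# Assumed rule strings: a system-scoped role, or ownership of the target.
SYSTEM_READER_OR_OWNER = (
    '(role:reader and system_scope:all) '
    'or user_id:%(target.credential.user_id)s'
)
SYSTEM_ADMIN_OR_OWNER = (
    '(role:admin and system_scope:all) '
    'or user_id:%(target.credential.user_id)s'
)
RULES = {
    'identity:get_credential': SYSTEM_READER_OR_OWNER,
    'identity:list_credentials': SYSTEM_READER_OR_OWNER,
    'identity:create_credential': SYSTEM_ADMIN_OR_OWNER,
    'identity:delete_credential': SYSTEM_ADMIN_OR_OWNER,
}

# Tokens: parentheses, or runs of non-space text in which a %(...)s
# substitution is kept whole even though it contains parentheses.
_TOK = re.compile(r'\(|\)|(?:%\([^)]*\)s|[^\s()])+')


def _substitute(value, target):
    """Expand %(a.b.c)s against a nested target dict; other values pass through."""
    m = re.fullmatch(r'%\(([\w.]+)\)s', value)
    if not m:
        return value
    node = target
    for part in m.group(1).split('.'):
        node = node[part]
    return str(node)


def _atom(text, creds, target):
    """Evaluate one 'kind:match' check against the token's credentials."""
    kind, _, match = text.partition(':')
    match = _substitute(match, target)
    if kind == 'role':  # role checks look in the token's role list
        return match.lower() in [r.lower() for r in creds.get('roles', [])]
    return str(creds.get(kind)) == match  # generic key:value comparison


def evaluate(rule, creds, target):
    """Evaluate a check string; 'and' binds tighter than 'or'."""
    toks = _TOK.findall(rule)
    pos = [0]

    def take():
        tok = toks[pos[0]]
        pos[0] += 1
        return tok

    def expr():
        val = term()
        while pos[0] < len(toks) and toks[pos[0]] == 'or':
            take()
            rhs = term()
            val = val or rhs
        return val

    def term():
        val = factor()
        while pos[0] < len(toks) and toks[pos[0]] == 'and':
            take()
            rhs = factor()
            val = val and rhs
        return val

    def factor():
        tok = take()
        if tok == '(':
            val = expr()
            if take() != ')':
                raise ValueError('unbalanced parentheses in rule: %r' % rule)
            return val
        return _atom(tok, creds, target)

    result = expr()
    if pos[0] != len(toks):
        raise ValueError('trailing tokens in rule: %r' % rule)
    return result


def enforce(action, token, credential):
    """True if the token may perform `action` on the given credential record."""
    return evaluate(RULES[action], token, {'target': {'credential': credential}})


# Constructed sample data (assumptions for illustration).
CREDENTIALS = [
    {'id': 'cred-alice-1', 'user_id': 'alice', 'type': 'ec2'},
    {'id': 'cred-bob-1', 'user_id': 'bob', 'type': 'ec2'},
]
SYSTEM_READER = {'user_id': 'auditor', 'roles': ['reader'], 'system_scope': 'all'}
SYSTEM_ADMIN = {'user_id': 'ops', 'roles': ['admin'], 'system_scope': 'all'}
ALICE_PROJECT = {'user_id': 'alice', 'roles': ['admin'], 'project_id': 'proj-1'}


def list_credentials(token, store=CREDENTIALS):
    """Self-service listing: filter every record through the per-credential
    rule, so a system reader sees all of them and anyone else sees only
    their own, regardless of any project-level 'admin' role."""
    return [c['id'] for c in store
            if enforce('identity:list_credentials', token, c)]
```

The project-scoped token carries `admin`, yet it cannot read or delete bob's credential: the `role:admin` branch is gated by `system_scope:all`, and the only other way in is owning the target. That is the distinction the old elaborate policy.v3cloudsample checks tried to express and that system scope makes a single rule.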

Changed in keystone:
status: New → Triaged
importance: Undecided → High
tags: added: policy
Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/597187

Colleen Murphy (krinkle)
tags: added: system-scope
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/594547
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=239bed09a922d6076711ca5c112be6299fa0f0bb
Submitter: Zuul
Branch: master

commit 239bed09a922d6076711ca5c112be6299fa0f0bb
Author: Lance Bragstad <email address hidden>
Date: Tue Aug 21 20:41:38 2018 +0000

    Implement scope_type checking for credentials

    This change adds tests cases for the default roles keystone
    supports at install time. It also modifies the policies for the
    credentials API to be more self-service by properly checking
    for various scopes.

    Closes-Bug: 1788415
    Partial-Bug: 968696

    Change-Id: Ifedb7798c96930b6cc0f91159a14a21ac4b02f9f

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/597187
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7c129f1c70ccc2ee5d68e6fabb53e3172f9d6a34
Submitter: Zuul
Branch: master

commit 7c129f1c70ccc2ee5d68e6fabb53e3172f9d6a34
Author: Lance Bragstad <email address hidden>
Date: Tue Aug 28 15:44:48 2018 +0000

    Remove obsolete credential policies

    The policy.v3cloudsample.json policy file attempted to solve
    admin-ness issues with elaborate policy checks. These checks are no
    longer needed with advent of system scope and incorporating system
    scope into keystone APIs.

    This commit removes the credential policies from the
    policy.v3cloudsample.conf policy file since the new defaults introduce
    more flexibility by consuming scope, rendering the policies in
    policy.v3cloudsample.conf obsolete. More specific test coverage has
    also been added for each new case in
    keystone.tests.unit.protection.v3.test_credentials.

    Change-Id: I6c74f40640da23375574f4a26ee60779ef08d120
    Related-Bug: 1788415

Changed in keystone:
milestone: none → stein-2
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
