Merge "Grant admin a role on the system during bootstrap"
commit e196fb9f52
@ -298,6 +298,26 @@ class BootStrap(BaseApp):
'role': self.role_name,
'project': self.project_name})
# NOTE(lbragstad): We need to make sure a user has at least one role on
# the system. Otherwise it's possible for administrators to lock
# themselves out of system-level APIs in their deployment. This is
# considered backwards compatible because even if the assignment
# exists, it needs to be enabled through oslo.policy configuration
# options to be enforced.
try:
self.assignment_manager.create_system_grant_for_user(
user['id'], self.role_id
)
LOG.info('Granted %(role)s on the system to user'
' %(username)s.',
{'role': self.role_name,
'username': self.username})
except exception.Conflict:
LOG.info('User %(username)s already has %(role)s on '
'the system.',
{'username': self.username,
'role': self.role_name})
if self.region_id:
try:
self.catalog_manager.create_region(
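Review bot: the call `self.assignment_manager.create_system_grant_for_user(user['id'], self.role_id)` is unconditional, so every run of `keystone-manage bootstrap` gives the bootstrap user the bootstrap role on the system, and the only place that explains why this is acceptable is the inline NOTE (the assignment is inert until operators enable system-scope rules through oslo.policy). Please carry that caveat into the `BootStrap` docstring or into the `LOG.info('Granted %(role)s on the system to user' ...)` message; an operator reading the log as it stands will assume the user can already call system-level APIs. The `except exception.Conflict` branch is the right way to keep re-runs idempotent, but since 'User %(username)s already has %(role)s on the system.' is the expected outcome of every bootstrap after the first, logging it at info rather than debug will add noise to upgrade runs.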
@ -114,6 +114,13 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
project['id']))
self.assertIs(1, len(role_list))
self.assertEqual(role_list[0], role['id'])
system_roles = (
bootstrap.assignment_manager.list_system_grants_for_user(
user['id']
)
)
self.assertIs(1, len(system_roles))
self.assertEqual(system_roles[0]['id'], role['id'])
# NOTE(morganfainberg): Pass an empty context, it isn't used by
# `authenticate` method.
bootstrap.identity_manager.authenticate(
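Review bot: the new assertions only cover a first bootstrap; the `except exception.Conflict` path in cli.py, which is what makes re-running `keystone-manage bootstrap` on an existing deployment safe, is not exercised here. Add a case that runs bootstrap twice and still asserts that `list_system_grants_for_user(user['id'])` returns exactly one grant with `role['id']`. Separately, `self.assertIs(1, len(system_roles))` tests object identity, which only happens to hold because CPython caches small ints; use `self.assertEqual(1, len(system_roles))` (the pre-existing `self.assertIs(1, len(role_list))` two lines up has the same problem and could be fixed in passing), and swap `self.assertEqual(system_roles[0]['id'], role['id'])` to `self.assertEqual(role['id'], system_roles[0]['id'])` so unittest's expected/actual ordering gives a readable failure message.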
@ -4,7 +4,9 @@ features:
[`blueprint system-scope <https://blueprints.launchpad.net/keystone/+spec/system-scope>`_]
Keystone now supports the ability to assign roles to users and groups on
the system. As a result, users and groups with system role assignment will
be able to request system-scoped tokens.
be able to request system-scoped tokens. Additional logic has been added to
``keystone-manage bootstrap`` to ensure the administrator has a role on the
project and system.
fixes:
- |
[`bug 968696 <https://bugs.launchpad.net/keystone/+bug/968696>`_]
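Review bot: the added feature text says ``keystone-manage bootstrap`` now ensures the administrator has a role on the project and system, but it does not say that the system assignment has no effect until operators enable system-scope rules in oslo.policy, which is exactly the justification the NOTE in `BootStrap` gives for calling this change backwards compatible. Add that sentence here; otherwise readers of the release note will expect system-scoped tokens for the bootstrap user to be authorized out of the box, and will not realise that a later policy change is what actually turns the grant into system-level access.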
@ -12,3 +14,8 @@ fixes:
in addition to associating `scope types <http://specs.openstack.org/openstack/oslo-specs/specs/queens/include-scope-in-policy.html>`_
to operations with ``oslo.policy`` will give project developers the ability
to fix `bug 968696 <https://bugs.launchpad.net/keystone/+bug/968696>`_.
- |
[`bug 1749268 <https://bugs.launchpad.net/keystone/+bug/1749268>`_]
The ``keystone-manage bootstrap`` command now ensures that an administrator
has a system role assignment. This prevents the ability for operators to
lock themselves out of system-level APIs.
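Review bot: "ensures that an administrator has a system role assignment" overstates the change: the grant goes to the user and role passed to ``keystone-manage bootstrap`` (`self.username` and `self.role_name` in cli.py), not to any pre-existing administrator. Reword to "the bootstrap user", and state that re-running bootstrap on an existing deployment adds the grant and is safe to repeat, since the Conflict handling makes it idempotent; that is the upgrade step operators of already-deployed clouds need to know about, and as written the fix note reads as if the lockout described in bug 1749268 is resolved for them automatically.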