Credentials are associated with users so there is no reason we prevent
domain users from accessing the resources. In some services like heat
domain admin is used to generate keystone credentials and loosing
the scope check is required to continue supporting such use case.
Closes-Bug: #2062045
Change-Id: I140b302d879ce1cc1f8d8de9e666cc74278a977f
Domain admins are allowed to assign roles. So it should be allowed to
view roles.
Note that protection job is made non-voting until the domain admin role
test cases are updated.
Closes-Bug: #2059780
Change-Id: Ifc25cf32ffcdb3b8a62d6741bc38e14bca0d7763
This patch modifies a few policies to allow users with the "admin" role
to access /v3/auth/tokens and /v3/credentials. These policies were
missed when we implemented Phase 1 of Secure RBAC.
Change-Id: Id789c09121f1405f7ba5e4926498dab4ad98e057
This patch updates the devstack plugin so that tempest.conf is not
configured to use system-admin. Currently tempest uses an all-in
approach to configuring admin clients, and forcing system scope in
tempest when SRBAC is turned on results in test failures for services
that don't understand system scope.
With this patch, keystone test will be run with a project-scoped admin,
which should be fine since policies have been previously updated to
accept project-admin tokens as legacy admin for Phase 1. [1]
[1] f2f1a5c388
Change-Id: I39d50b8e6e55b0835670d753c3783f32b19b6c47
Add file to the reno documentation build to show release notes for
stable/2024.1.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2024.1.
Sem-Ver: feature
Change-Id: I269449185216e98155807b046b7bab48610911b3
Keystone provided two in-tree catalog drivers, sql and templated.
However the templated driver hasn't been properly maintained.
The default template had not been updated for 8 years until it was
recently updated by [1].
This deprecates the driver assuming it's not widely used and sql driver
meets usual requirements.
This also restores the image service endpoints which were wrongly
removed by [1].
[1] c32bedb654
Related-Bug: #2013473
Change-Id: Iadb7bd5d7c4cf82aea2a7dbc1d8c4dbe53b9f763
This adds the ability to create users and projects directly from
keystone-manage. We also add the ability to specify specific UUIDs
for both users and projects via the creation functions.
Change-Id: Icd193eff25556d21ec26bb29908b8ad6548fdc91
Additional paragraphs of a bullet list should be indented by two spaces
to align with the first paragraph, e.g.
- A bullet list item
Additional detail
Rather than:
- A bullet list item
Additional detail
The latter results in the additional paragraphs being rendered as block
quotes.
Change-Id: I18cd39e65fd8d43691c940a6e849765755c46c2e
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
The OpenDev team is planning to remove OpenSUSE LEAP 15 images as our
node builds and mirrors are for 15.2 which is ancient and no one is
currently working to modernize these test environments. On top of that
LEAP is apparently going away in the future and will be replaced with
another distro.
Change-Id: Ia94b4e7151410515a3ecf99185042dae82bf1b7d
Deletion of a role leads to deletion of role assignments and entries in
the application credentials. However, deletion of the entries in
application credentials depends on the existence of the assignment, so
the order of deletion is important.
Delete the entries from application credentials first and then clean up
role assignment.
Closes-Bug: 2053137
Change-Id: Ibba9063c729961cd4155f8b55dbabd4789d7a438
When calling the s3tokens or ec2tokens API with a
HTTP GET we should get a 405 Method Not Allowed but
we get a 500 Internal Server Error because we enforce
that method.
Closes-Bug: #2052916
Change-Id: I5f60d10dc25551175cc73ca8f3f28b0b95ec9f99
Signed-off-by: Tobias Urdin <tobias.urdin@binero.se>
This patch fixes an inconsistency in the policies for role_assignment
where the target object used for policy enforcement was being created
with different properties depending on the request query string.
This required policies to be written in two differnt ways to validate
domain IDs for domain-scoped requests. e.g. checking for domain reader
was using both:
role:reader and domain_id:%(target.domain_id)s
and
role:reader and domain_id:%(target.project.domain_id)s
With the former only being populated for GET /v3/role_assignments and
the latter only being populated for GET
/v3/role_assignments?scope.project.id=SOME_ID
This patch fixes the target object so that only target.domain_id needs
to be checked for domain-scoped tokens.
Change-Id: Iffbe11c57c61bbd1b045a6567a9249c12dff403c
Introduces domain-scoped filtering of the response list of the
list_domains endpoint when the user is authenticated in domain scope
instead of returning all domains. This aligns the implementation with
other endpoints like list_projects or list_groups and allows for a
domain-scoped reader role.
Changes the default policy rule for identity:list_domains to
incorporate this new behavior for the reader role.
Closes-Bug: 2041611
Change-Id: I8ee50efc3b4850060cce840fc904bae17f1503a9
additionalProperties attribute must be located on the level of "type"
and not inside "properties"
(https://json-schema.org/understanding-json-schema/reference/object#additional-properties).
Sadly this is not violating schema validation, but is wrong and hurts
any reasonable processing of the schema.
Change-Id: Ib537f1dd33dd3f3dc8909873dffc37980d04b4db
otherwise the initiator field is missing from the CADF payload,
which misses the point of audit and technically makes these notifications
not valid as CADF events (initiator field is requires by the
CADF spec).
Change-Id: Iae525ee13dec72af6a7d70db2bb59a77c682a177
Keystone no longer depends on mongodb after cache implementation was
split to oslo.cache[1]. Also, bandit is not a runtime dependency but
a test dependency, so should live in test requirements.
[1] 4969f66fca
Change-Id: I85f376d0897dd6b4dba758f86882fae70511fb6a
This patch modifies the policy for identity:get_project to allow a user
with the "admin" role to retrieve any project by project_id for Secure
RBAC (Phase 1)
Change-Id: I6442557701284572759da1354e6547f57186935f
Ater the patch "Keystone to honor the "domain" attribute mapping rules."
It's not possible to assign domain specific roles to federated users
when the user domain is specify on the claim.
This patch aims to fix this, allowing to map non domain specific roles
and domain specific, if the domain is the specify on the claim.
Depends-on: https://review.opendev.org/#/c/739966/
related-Bug: #1887515
Change-Id: Ie3d7585cb9143686a93e4a19843698274475eaf6
Signed-off-by: Juan Pedro Torres Muñoz <juanp.95.torres@gmail.com>