Merge "Grant admin a role on the system during bootstrap"
This commit is contained in:
commit
e196fb9f52
|
@ -298,6 +298,26 @@ class BootStrap(BaseApp):
|
||||||
'role': self.role_name,
|
'role': self.role_name,
|
||||||
'project': self.project_name})
|
'project': self.project_name})
|
||||||
|
|
||||||
|
# NOTE(lbragstad): We need to make sure a user has at least one role on
|
||||||
|
# the system. Otherwise it's possible for administrators to lock
|
||||||
|
# themselves out of system-level APIs in their deployment. This is
|
||||||
|
# considered backwards compatible because even if the assignment
|
||||||
|
# exists, it needs to be enabled through oslo.policy configuration
|
||||||
|
# options to be enforced.
|
||||||
|
try:
|
||||||
|
self.assignment_manager.create_system_grant_for_user(
|
||||||
|
user['id'], self.role_id
|
||||||
|
)
|
||||||
|
LOG.info('Granted %(role)s on the system to user'
|
||||||
|
' %(username)s.',
|
||||||
|
{'role': self.role_name,
|
||||||
|
'username': self.username})
|
||||||
|
except exception.Conflict:
|
||||||
|
LOG.info('User %(username)s already has %(role)s on '
|
||||||
|
'the system.',
|
||||||
|
{'username': self.username,
|
||||||
|
'role': self.role_name})
|
||||||
|
|
||||||
if self.region_id:
|
if self.region_id:
|
||||||
try:
|
try:
|
||||||
self.catalog_manager.create_region(
|
self.catalog_manager.create_region(
|
||||||
|
|
|
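Review bot: the new grant only reaches users that run through this bootstrap path, so an administrator created by an earlier `keystone-manage bootstrap` run keeps no system assignment until the command is re-run; the NOTE(lbragstad) block and the release note should say that re-running bootstrap after upgrading is what produces the assignment. The comment also says the assignment "needs to be enabled through oslo.policy configuration options to be enforced" without naming the option; naming it there keeps the backwards-compatibility claim checkable. The `except exception.Conflict` branch makes a second run idempotent, which is the right behaviour, but it means the `try` body silently assumes `self.role_id` was populated by the role-creation step above, so a short comment tying it to that step would help.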
@ -114,6 +114,13 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
|
||||||
project['id']))
|
project['id']))
|
||||||
self.assertIs(1, len(role_list))
|
self.assertIs(1, len(role_list))
|
||||||
self.assertEqual(role_list[0], role['id'])
|
self.assertEqual(role_list[0], role['id'])
|
||||||
|
system_roles = (
|
||||||
|
bootstrap.assignment_manager.list_system_grants_for_user(
|
||||||
|
user['id']
|
||||||
|
)
|
||||||
|
)
|
||||||
|
self.assertIs(1, len(system_roles))
|
||||||
|
self.assertEqual(system_roles[0]['id'], role['id'])
|
||||||
# NOTE(morganfainberg): Pass an empty context, it isn't used by
|
# NOTE(morganfainberg): Pass an empty context, it isn't used by
|
||||||
# `authenticate` method.
|
# `authenticate` method.
|
||||||
bootstrap.identity_manager.authenticate(
|
bootstrap.identity_manager.authenticate(
|
||||||
|
|
|
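Review bot: the new assertions only cover the first bootstrap run, so the `except exception.Conflict` path added in `BootStrap` is never exercised; a second `bootstrap.do_bootstrap()` in this test (or a sibling test) followed by the same `assertIs(1, len(system_roles))` check would prove that re-running does not duplicate or drop the system grant. Separately, `self.assertIs(1, len(system_roles))` compares integers by identity, which only works because CPython interns small ints; `assertEqual(1, len(system_roles))` is the correct assertion, and the same applies to the pre-existing `self.assertIs(1, len(role_list))` line.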
@ -4,7 +4,9 @@ features:
|
||||||
[`blueprint system-scope <https://blueprints.launchpad.net/keystone/+spec/system-scope>`_]
|
[`blueprint system-scope <https://blueprints.launchpad.net/keystone/+spec/system-scope>`_]
|
||||||
Keystone now supports the ability to assign roles to users and groups on
|
Keystone now supports the ability to assign roles to users and groups on
|
||||||
the system. As a result, users and groups with system role assignment will
|
the system. As a result, users and groups with system role assignment will
|
||||||
be able to request system-scoped tokens.
|
be able to request system-scoped tokens. Additional logic has been added to
|
||||||
|
``keystone-manage bootstrap`` to ensure the administrator has a role on the
|
||||||
|
project and system.
|
||||||
fixes:
|
fixes:
|
||||||
- |
|
- |
|
||||||
[`bug 968696 <https://bugs.launchpad.net/keystone/+bug/968696>`_]
|
[`bug 968696 <https://bugs.launchpad.net/keystone/+bug/968696>`_]
|
||||||
|
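Review bot: the added sentence in the features note says bootstrap "ensure[s] the administrator has a role on the project and system" but does not carry over the caveat from the code comment that the system assignment has no effect until the corresponding oslo.policy options are enabled; operators reading only the release note may assume new system-level permissions are live after upgrade. Suggest appending a clause such as "the system assignment is not enforced until scope enforcement is enabled in oslo.policy" and cross-referencing the bug 1749268 entry in the fixes section so the two notes are not read as separate changes.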
@ -12,3 +14,8 @@ fixes:
|
||||||
in addition to associating `scope types <http://specs.openstack.org/openstack/oslo-specs/specs/queens/include-scope-in-policy.html>`_
|
in addition to associating `scope types <http://specs.openstack.org/openstack/oslo-specs/specs/queens/include-scope-in-policy.html>`_
|
||||||
to operations with ``oslo.policy`` will give project developers the ability
|
to operations with ``oslo.policy`` will give project developers the ability
|
||||||
to fix `bug 968696 <https://bugs.launchpad.net/keystone/+bug/968696>`_.
|
to fix `bug 968696 <https://bugs.launchpad.net/keystone/+bug/968696>`_.
|
||||||
|
- |
|
||||||
|
[`bug 1749268 <https://bugs.launchpad.net/keystone/+bug/1749268>`_]
|
||||||
|
The ``keystone-manage bootstrap`` command now ensures that an administrator
|
||||||
|
has a system role assignment. This prevents the ability for operators to
|
||||||
|
lock themselves out of system-level APIs.
|
||||||
|
|
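Review bot: "prevents the ability for operators to lock themselves out" overstates the fix; the grant is only made for the bootstrap administrator, so operators who later remove that assignment or never re-run bootstrap can still lose access to system-level APIs. Suggest "ensures the bootstrap administrator has a system role assignment, so that enabling scope enforcement does not lock operators out of system-level APIs", and consider merging this entry with the features note above since both describe the same bootstrap change.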