Public bug reported:
When listing role assignments, it is possible to filter results by group, role,
domain, project, user and inheritance.
In addition, it is possible to query for effective role assignments, which
expands inherited roles and group membership.
Currently we have few tests [1][2]
tone/tests/test_v3_assignment.py#L881
[5]
https://github.com/openstack/keystone/blob/master/keystone/tests/test_v3.py#L479
** Affects: keystone
Importance: Undecided
Assignee: Samuel de Medeiros Queiroz (samuel-z)
Status: New
** Changed in: keystone
Assignee: (unassigned) => Samuel de Med
Public bug reported:
This bug applies to backend SQL, since it is the only that supports
inherited role assignments.
Given a role assignment (actor_id, target_id, role_id, inherited), it should be
possible to grant it as both direct and inherited:
- (actor_id, target_id, role_id, inherited=False
inside the 'scope' key.
This reflects on tests, making an assert to never occur [1].
[1]
https://github.com/openstack/keystone/blob/master/keystone/tests/test_v3.py#L1070-L1072
** Affects: keystone
Importance: Undecided
Assignee: Samuel de Medeiros Queiroz (samuel-z)
ent [2].
[1]
https://github.com/openstack/keystone/blob/master/keystone/tests/test_v3.py#L1034-L1074
[2]
https://github.com/openstack/keystone/blob/master/keystone/tests/test_v3_assignment.py#L26-L71
** Affects: keystone
Importance: Undecided
Assignee: Samuel de Medeiros Queiroz (samuel
inherited)
- (effective, group)
- (effecitve, domain)
We need to raise an exception, returning 400 status code when those
parameters are provided.
** Affects: keystone
Importance: Undecided
Assignee: Samuel de Medeiros Queiroz (samuel-z)
Status: New
** Changed in: keystone
Public bug reported:
The XOR checking of targets and actors on RoleV3 controller [1] should
be generic and placed at V3Controller, so that it could be used on other
controllers, such as RoleAssignmentV3 on list_role_assignments method,
which needs to report 400 for invalid filters combination [2]
Public bug reported:
doc/source/configuration.rst contains some typos that need to be fixed:
- "Keystone" is spelled as "keystone";
- Other general typos, such as:
- "regeneratable" should be "regenerable";
- "If the plugin require addition configurations" should be "If the plugin
requires a
Public bug reported:
doc/source/configuration.rst has:
i) double spaces in some sentences;
ii) lines with a length > 79 characters.
Fixing these would keep the documentation code more organized.
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug noti
Undecided
Assignee: Samuel de Medeiros Queiroz (samuel-z)
Status: In Progress
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1409205
Title:
Role inheritance section in configurat
Public bug reported:
When an internal notification for cleaning up a domain is sent, the
callback method get all users and groups of that domain (using
filtering), in order to delete them.
After this, when iterating over the domain's users and groups, it re-
verifies their domain_id, which is unn
6
** Affects: keystone
Importance: Undecided
Assignee: Samuel de Medeiros Queiroz (samuel-z)
Status: In Progress
** Changed in: keystone
Assignee: (unassigned) => Samuel de Medeiros Queiroz (samuel-z)
--
You received this bug notification because you are a member of Yah
Public bug reported:
The method list_user_projects at assignment manager [1] is not called anywhere.
In addition, it makes a call to list_user_projects on assignment drivers, which
does not exist at all.
The equivalent call in the controller layer calls the
list_projects_for_user method instead.
Public bug reported:
The method list_user_projects at assignment manager [1] is not called anywhere.
In addition, it makes a call to list_user_projects on assignment drivers, which
does not exist at all.
[1]
https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L679-L68
I have no idea how this bug was reported twice.
Please see [1]. I am already fixing this, sorry.
Thanks
[1] https://bugs.launchpad.net/keystone/+bug/1415190
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineerin
Invalidated in favor of the created blueprint to fix this [1].
[1] https://blueprints.launchpad.net/keystone/+spec/list-role-
assignments-performance
** Changed in: keystone
Status: In Progress => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineerin
Public bug reported:
'/OS-FEDERATION/projects' and '/auth/projects' API endpoints do not
honor project inherited group role assignments.
** Affects: keystone
Importance: Undecided
Assignee: Samuel de Medeiros Queiroz (samueldmq)
Status: New
** Summary ch
Public bug reported:
Tests in this class (or in subclasses) can create domains, but cannot
use them for any identity operation, such as list_users.
When domain-specific backends functionality is used, the created domains
(that do not have an explicit configuration) are mapped in the default
drive
Public bug reported:
When listing role assignments, we have the option to filter them by actor,
target and role.
As Henry Nash pointed out at [1] , the current implementation uses the standard
filtering the V3.wrap_collection. Given the large number of individual
assignments, this is pretty ine
Public bug reported:
List role assignments calls should return 'inherited_to_projects':
'projects' for an inherited assignment, as done by the SQL backend [1].
The KVS backend just ignore this information from the retrieved
assignments.
[1]
https://github.com/openstack/keystone/blob/master/keys
[2]
https://github.com/openstack/keystone/blame/master/keystone/tests/test_backend_kvs.py#L247-L251
** Affects: keystone
Importance: Undecided
Assignee: Samuel de Medeiros Queiroz (samuel-z)
Status: New
** Changed in: keystone
Assignee: (unassigned) => Samuel de Medei
tance: Undecided
Assignee: Samuel de Medeiros Queiroz (samuel-z)
Status: New
** Changed in: keystone
Assignee: (unassigned) => Samuel de Medeiros Queiroz (samuel-z)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to
Public bug reported:
Giving the possibility to retrieve the project's domain_id from a
project scoped token gives cloud service providers more flexibility when
configuring their Keystone policy file.
For instance, if a cloud service provider wants to allow a project member to
see the description
Assignee: Samuel de Medeiros Queiroz (samueldmq)
Status: In Progress
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1476347
Title:
LDAP Resource backend should be deprecated
Public bug reported:
In the file keystone/endpoint_policy/backends/sql.py, the return of
get_policy_association(..) is a dict in the form {'policy_id':
policy_id}.
However, policy_id was the return of the call:
session.query(PolicyAssociation.policy_id).one(),
having the following format:
Public bug reported:
When validating a trust scoped token with disabled trustor, an exception
of type Forbidden with message 'Trustor is disabled.' is raised.
However, the exception used when the user (owning the role assignment for the
provided token) is disabled is Unauthorized.
This should be
are always returning the whole project info (id, name,
domain_id, description, enabled) from all parents/subprojects.
[1] https://github.com/openstack/keystone-specs/blob/master/specs/kilo
/project-hierarchy-retrieval.rst
** Affects: keystone
Importance: Undecided
Assignee: Samuel de Medeir
: Undecided
Status: New
** Affects: swift
Importance: Undecided
Status: New
** Changed in: nova
Assignee: (unassigned) => Samuel de Medeiros Queiroz (samueldmq)
** Also affects: nova
Importance: Undecided
Status: New
** Also affects: cinder
Importance: Undeci
** Also affects: swift
Importance: Undecided
Status: New
** Also affects: ceilometer
Importance: Undecided
Status: New
** Also affects: trove
Importance: Undecided
Status: New
** Also affects: ironic
Importance: Undecided
Status: New
--
You received this
** Also affects: sahara
Importance: Undecided
Status: New
** Also affects: barbican
Importance: Undecided
Status: New
** Also affects: designate
Importance: Undecided
Status: New
** Also affects: magnum
Importance: Undecided
Status: New
** Also affects: m
The change on Glance side is already merged.
"Use graduated oslo.policy"
https://review.openstack.org/#/c/162368/
** Changed in: glance
Status: New => Fix Released
** Also affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are
Thanks Lin, the change is now merged.
"Use graduated version of oslo.policy"
https://review.openstack.org/#/c/164420/
** Changed in: horizon
Status: In Progress => Fix Released
** Also affects: glance
Importance: Undecided
Status: New
--
You received this bug notification beca
Fix released on Keystone side.
"Use oslo.policy instead of incubated version"
https://review.openstack.org/#/c/148624/
** Changed in: keystone
Status: New => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Ope
I am re-adding the projects which were marked as 'no longer affects' and
then invalidating them, so that we can keep track of the status of this
change for the whole OpenStack ecosystem.
People who marked as 'no longer affects' and respective projects are:
Samuel Merritt (torgomatic) on swift
Rub
Manila change 'Use oslo_policy lib instead of oslo-incubator code'
https://github.com/openstack/manila/commit/a4a60b1328443f6a1d5a85884f029e3fa683c142
** Also affects: swift
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engi
ng thrown, but it is not shown to the
caller interface, such as Horizon.
** Affects: nova
Importance: Undecided
Assignee: Samuel de Medeiros Queiroz (samuel-z)
Status: New
** Changed in: nova
Assignee: (unassigned) => Samuel de Medeiros Queiroz (samuel-z)
--
You recei
Public bug reported:
Both /v2.0 and /v3 APIs return 200 OK on endpoint creation.
The HTTP status code should be 201 Created.
** Affects: keystone
Importance: Undecided
Assignee: Samuel de Medeiros Queiroz (samueldmq)
Status: In Progress
** Changed in: keystone
Assignee
: keystone
Importance: Undecided
Assignee: Samuel de Medeiros Queiroz (samuel-z)
Status: New
** Changed in: keystone
Assignee: (unassigned) => Samuel de Medeiros Queiroz (samuel-z)
** Description changed:
The fact of not having tests for this may cause some bugs.
-
Public bug reported:
When getting or deleting a grant, if something goes wrong, a
RoleNotFound exception is thrown. [1]-[6]
In cases where the role exists and the combination of other arguments is
invalid, this is a non-suggestive exception because it tells us "Could
not find role: %(role_id)s".
in AssignmentTestCase
(test_v3_assignment, to be created).
** Affects: keystone
Importance: Low
Assignee: Samuel de Medeiros Queiroz (samuel-z)
Status: Triaged
** Tags: test-improvement
** Changed in: keystone
Assignee: (unassigned) => Samuel de Medeiros Queiroz (samue
//github.com/openstack/keystone/blob/master/keystone/identity/core.py#L813-L816
[3]
https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L526
** Affects: keystone
Importance: Undecided
Assignee: Samuel de Medeiros Queiroz (samuel-z)
Status: New
--
You received this
Yes, it is working. My point was just the consistency between the
driver GET and LIST methods, as in this bug's decription. I am okay with
leaving this as it is.
** Changed in: keystone
Status: In Progress => Invalid
--
You received this bug notification because you are a member of Yahoo
*** This bug is a duplicate of bug 1277847 ***
https://bugs.launchpad.net/bugs/1277847
** This bug is no longer a duplicate of bug 1360391
Domain data remains in DB after domain is deleted
** This bug has been marked a duplicate of bug 1277847
Deleting a domain should remove assignments
*** This bug is a duplicate of bug 1277847 ***
https://bugs.launchpad.net/bugs/1277847
** This bug is no longer a duplicate of bug 1360391
Domain data remains in DB after domain is deleted
** This bug has been marked a duplicate of bug 1277847
Deleting a domain should remove assignments
*** This bug is a duplicate of bug 1277847 ***
https://bugs.launchpad.net/bugs/1277847
** This bug is no longer a duplicate of bug 1360391
Domain data remains in DB after domain is deleted
** This bug has been marked a duplicate of bug 1277847
Deleting a domain should remove assignments
Changing to fix release as the v3 docs are merged and
https://review.openstack.org/#/c/390913 is gating
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack I
Public bug reported:
Most of keystone implement GET and HEAD for the same operation.
This is okay when you are retrieving an entity or checking its
existence, for example:
GET /users/
HEAD /users/
However, there are some cases where having GET is obvious, but HEAD does
not make any sens
Public bug reported:
With change_password_after_first_use set to true, new users or users
whom password got administratively updated should get their
password_expires_at set to the current time, and password_expires_days
should not be honored.
keystone.conf:
[security_compliance]
# Configuring p
Public bug reported:
ignore_password_expiry is set for admin user and is not working
properly. With it set to true, the user should not be affected if their
password has expired.
keystone.conf:
[cache]
# Global toggle for caching. (boolean value)
enabled = false
[security_compliance]
# Configuri
] https://github.com/openstack/python-
keystoneclient/blob/41129c850394e97947ec374dad8e852b5e1b33b5/keystoneclient/tests/functional/v3/test_implied_roles.py#L50-L62
[2] https://review.openstack.org/#/c/334546/11
** Affects: keystone
Importance: Medium
Assignee: Samuel de Medeiros Queiroz
** Changed in: python-keystoneclient
Importance: Undecided => Critical
** Changed in: python-keystoneclient
Importance: Critical => Medium
** Changed in: python-keystoneclient
Assignee: (unassigned) => Samuel de Medeiros Queiroz (samueldmq)
** Changed in: keystone
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1586289
Title:
openstack project list can not list
I have confirmed with Doug Hellmann in #openstack-oslo that
testresources is coming in via the fixtures extra. Thus, keystone does
not have to have it added to test-requirements directly
** Changed in: keystone
Status: In Progress => Won't Fix
--
You received this bug notification because
*** This bug is a duplicate of bug 1418398 ***
https://bugs.launchpad.net/bugs/1418398
** This bug has been marked a duplicate of bug 1418398
role not found and assignment not found mix up together
--
You received this bug notification because you are a member of Yahoo!
Engineering Team,
54 matches
Mail list logo
