Merge "Default to bootstrapping roles as immutable"

This commit is contained in:
Zuul 2020-02-12 05:47:01 +00:00 committed by Gerrit Code Review
commit b3cbf60c3c
4 changed files with 60 additions and 15 deletions


@ -122,13 +122,10 @@ class Bootstrapper(object):
LOG.info('Created role %s', role_name) LOG.info('Created role %s', role_name)
if not self.immutable_roles: if not self.immutable_roles:
LOG.warning("Role %(role)s was created as a mutable role. It " LOG.warning("Role %(role)s was created as a mutable role. It "
"is recommended to make this role immutable, " "is recommended to make this role immutable by "
"which will become the default behavior of the " "adding the 'immutable' resource option to this "
"bootstrap command in the future.You can opt into " "role, or re-running this command without "
"this behavior by using the --immutable-role " "--no-immutable-role.", {'role': role_name})
"flag, or update role %(role)s with the "
"'immutable' resource option.",
{'role': role_name})
return role return role
except exception.Conflict: except exception.Conflict:
LOG.info('Role %s exists, skipping creation.', role_name) LOG.info('Role %s exists, skipping creation.', role_name)
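Review bot: The rewritten warning on the last two changed lines tells the operator to re-run "without --no-immutable-role", but the option registered in the CLI parser is `--no-immutable-roles` (plural), so the message points at a flag that does not exist; the previous text had the same singular/plural mismatch with `--immutable-role`. Suggested final line: `"--no-immutable-roles.", {'role': role_name})`. Note that this warning still fires only on the creation path; the enclosing method starts before this hunk and the `except exception.Conflict` branch continues after it, so whether an already-existing mutable role is made immutable on re-run is not visible here.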


@ -113,13 +113,19 @@ class BootStrap(BaseApp):
'placed in during the keystone bootstrap ' 'placed in during the keystone bootstrap '
'process.')) 'process.'))
parser.add_argument('--immutable-roles', parser.add_argument('--immutable-roles',
default=True,
action='store_true',
help=('Whether default roles (admin, member, and '
'reader) should be immutable. This is the '
'default.'))
parser.add_argument('--no-immutable-roles',
default=False, default=False,
action='store_true', action='store_true',
help=('Whether default roles (admin, member, and ' help=('Whether default roles (admin, member, and '
'reader) should be immutable. Immutable ' 'reader) should be immutable. Immutable '
'default roles is currently an opt-in ' 'default roles is the default, use this '
'behavior, but will become the default in ' 'flag to opt out of immutable default '
'future releases.')) 'roles.'))
return parser return parser
def do_bootstrap(self): def do_bootstrap(self):
@ -175,7 +181,10 @@ class BootStrap(BaseApp):
self.bootstrapper.public_url = self.public_url self.bootstrapper.public_url = self.public_url
self.bootstrapper.internal_url = self.internal_url self.bootstrapper.internal_url = self.internal_url
self.bootstrapper.region_id = self.region_id self.bootstrapper.region_id = self.region_id
self.bootstrapper.immutable_roles = CONF.command.immutable_roles if CONF.command.no_immutable_roles:
self.bootstrapper.immutable_roles = False
else:
self.bootstrapper.immutable_roles = True
self.bootstrapper.bootstrap() self.bootstrapper.bootstrap()
self.reader_role_id = self.bootstrapper.reader_role_id self.reader_role_id = self.bootstrapper.reader_role_id
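Review bot: `--immutable-roles` keeps `action='store_true'` but now gets `default=True`, which makes the flag a no-op, and `do_bootstrap` reads only `CONF.command.no_immutable_roles`, so `--immutable-roles --no-immutable-roles` is accepted silently and produces mutable roles — the less protected outcome wins without any error. Registering both options through `group = parser.add_mutually_exclusive_group()` and calling `group.add_argument(...)` for each lets argparse reject the conflicting pair, and the help text for `--immutable-roles` could then say it is kept for backward compatibility. An alternative is `--no-immutable-roles` with `action='store_false', dest='immutable_roles'`, which would leave the original `self.bootstrapper.immutable_roles = CONF.command.immutable_roles` assignment in `do_bootstrap` unchanged. Both `add_argument_parser` and `do_bootstrap` start outside their hunks.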


@ -223,9 +223,9 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
self.bootstrap.reader_role_id) self.bootstrap.reader_role_id)
member_role = PROVIDERS.role_api.get_role( member_role = PROVIDERS.role_api.get_role(
self.bootstrap.member_role_id) self.bootstrap.member_role_id)
self.assertEqual(admin_role['options'], {}) self.assertEqual(admin_role['options'], {'immutable': True})
self.assertEqual(member_role['options'], {}) self.assertEqual(member_role['options'], {'immutable': True})
self.assertEqual(reader_role['options'], {}) self.assertEqual(reader_role['options'], {'immutable': True})
def test_bootstrap_is_not_idempotent_when_password_does_change(self): def test_bootstrap_is_not_idempotent_when_password_does_change(self):
# NOTE(lbragstad): Ensure bootstrap isn't idempotent when run with # NOTE(lbragstad): Ensure bootstrap isn't idempotent when run with
@ -299,7 +299,7 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
user_id, user_id,
self.bootstrap.password) self.bootstrap.password)
def test_bootstrap_with_immutable_roles(self): def test_bootstrap_with_explicit_immutable_roles(self):
CONF(args=['bootstrap', CONF(args=['bootstrap',
'--bootstrap-password', uuid.uuid4().hex, '--bootstrap-password', uuid.uuid4().hex,
'--immutable-roles'], '--immutable-roles'],
@ -314,6 +314,35 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
self.assertTrue(member_role['options']['immutable']) self.assertTrue(member_role['options']['immutable'])
self.assertTrue(reader_role['options']['immutable']) self.assertTrue(reader_role['options']['immutable'])
def test_bootstrap_with_default_immutable_roles(self):
CONF(args=['bootstrap',
'--bootstrap-password', uuid.uuid4().hex],
project='keystone')
self._do_test_bootstrap(self.bootstrap)
admin_role = PROVIDERS.role_api.get_role(self.bootstrap.role_id)
reader_role = PROVIDERS.role_api.get_role(
self.bootstrap.reader_role_id)
member_role = PROVIDERS.role_api.get_role(
self.bootstrap.member_role_id)
self.assertTrue(admin_role['options']['immutable'])
self.assertTrue(member_role['options']['immutable'])
self.assertTrue(reader_role['options']['immutable'])
def test_bootstrap_with_no_immutable_roles(self):
CONF(args=['bootstrap',
'--bootstrap-password', uuid.uuid4().hex,
'--no-immutable-roles'],
project='keystone')
self._do_test_bootstrap(self.bootstrap)
admin_role = PROVIDERS.role_api.get_role(self.bootstrap.role_id)
reader_role = PROVIDERS.role_api.get_role(
self.bootstrap.reader_role_id)
member_role = PROVIDERS.role_api.get_role(
self.bootstrap.member_role_id)
self.assertNotIn('immutable', admin_role['options'])
self.assertNotIn('immutable', member_role['options'])
self.assertNotIn('immutable', reader_role['options'])
def test_bootstrap_with_ambiguous_role_names(self): def test_bootstrap_with_ambiguous_role_names(self):
# bootstrap system to create the default admin role # bootstrap system to create the default admin role
self._do_test_bootstrap(self.bootstrap) self._do_test_bootstrap(self.bootstrap)
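Review bot: The release note in this change says that re-running bootstrap on an existing deployment makes previously mutable roles immutable, but none of the added tests exercise that path — each new test bootstraps once from an empty database. A test that first runs `CONF(args=['bootstrap', '--bootstrap-password', password, '--no-immutable-roles'], project='keystone')`, then re-runs with the default arguments and asserts `admin_role['options']['immutable']` is true would pin the upgrade behavior the note promises (assuming the `Conflict` branch in `Bootstrapper` actually updates existing roles, which is not visible in this change). The three immutable-role tests also repeat the same three `get_role` lookups and could share a small helper that returns the admin, member and reader roles.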


@ -0,0 +1,10 @@
---
upgrade:
- |
[`bug 1823258 <https://bugs.launchpad.net/keystone/+bug/1823258>`_]
The ``keystone-manage bootstrap`` command now defaults to making the
default roles (`admin`, `member`, and `reader`) immutable. This has the
consequence that if the bootstrap command is re-run on an existing
deployment, those roles will become immutable if they were not before. To
opt out of this behavior, add the ``--no-immutable-roles`` flag to the
bootstrap command.