Merge "Default to bootstrapping roles as immutable"
commit
b3cbf60c3c
@ -122,13 +122,10 @@ class Bootstrapper(object):
|
|||||||
LOG.info('Created role %s', role_name)
|
LOG.info('Created role %s', role_name)
|
||||||
if not self.immutable_roles:
|
if not self.immutable_roles:
|
||||||
LOG.warning("Role %(role)s was created as a mutable role. It "
|
LOG.warning("Role %(role)s was created as a mutable role. It "
|
||||||
"is recommended to make this role immutable, "
|
"is recommended to make this role immutable by "
|
||||||
"which will become the default behavior of the "
|
"adding the 'immutable' resource option to this "
|
||||||
"bootstrap command in the future.You can opt into "
|
"role, or re-running this command without "
|
||||||
"this behavior by using the --immutable-role "
|
"--no-immutable-role.", {'role': role_name})
|
||||||
"flag, or update role %(role)s with the "
|
|
||||||
"'immutable' resource option.",
|
|
||||||
{'role': role_name})
|
|
||||||
return role
|
return role
|
||||||
except exception.Conflict:
|
except exception.Conflict:
|
||||||
LOG.info('Role %s exists, skipping creation.', role_name)
|
LOG.info('Role %s exists, skipping creation.', role_name)
|
||||||
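Review bot: The rewritten warning points operators at `--no-immutable-role`, but the flag this same commit registers on the CLI is `--no-immutable-roles` (plural), so the advice cannot be followed as written; the last fragment should read `"--no-immutable-roles.", {'role': role_name})`. The message it replaces had the same singular/plural slip with `--immutable-role`, and this rewrite carries it over. This warning is the only place an operator is told that a freshly created default role is still mutable, so the flag name in it is worth getting right before release. The surrounding try/except that creates the role starts and ends outside the hunk, so whether a role that already exists as mutable is also upgraded on re-run is not visible here.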
|
@ -113,13 +113,19 @@ class BootStrap(BaseApp):
|
|||||||
'placed in during the keystone bootstrap '
|
'placed in during the keystone bootstrap '
|
||||||
'process.'))
|
'process.'))
|
||||||
parser.add_argument('--immutable-roles',
|
parser.add_argument('--immutable-roles',
|
||||||
|
default=True,
|
||||||
|
action='store_true',
|
||||||
|
help=('Whether default roles (admin, member, and '
|
||||||
|
'reader) should be immutable. This is the '
|
||||||
|
'default.'))
|
||||||
|
parser.add_argument('--no-immutable-roles',
|
||||||
default=False,
|
default=False,
|
||||||
action='store_true',
|
action='store_true',
|
||||||
help=('Whether default roles (admin, member, and '
|
help=('Whether default roles (admin, member, and '
|
||||||
'reader) should be immutable. Immutable '
|
'reader) should be immutable. Immutable '
|
||||||
'default roles is currently an opt-in '
|
'default roles is the default, use this '
|
||||||
'behavior, but will become the default in '
|
'flag to opt out of immutable default '
|
||||||
'future releases.'))
|
'roles.'))
|
||||||
return parser
|
return parser
|
||||||
|
|
||||||
def do_bootstrap(self):
|
def do_bootstrap(self):
|
||||||
@ -175,7 +181,10 @@ class BootStrap(BaseApp):
|
|||||||
self.bootstrapper.public_url = self.public_url
|
self.bootstrapper.public_url = self.public_url
|
||||||
self.bootstrapper.internal_url = self.internal_url
|
self.bootstrapper.internal_url = self.internal_url
|
||||||
self.bootstrapper.region_id = self.region_id
|
self.bootstrapper.region_id = self.region_id
|
||||||
self.bootstrapper.immutable_roles = CONF.command.immutable_roles
|
if CONF.command.no_immutable_roles:
|
||||||
|
self.bootstrapper.immutable_roles = False
|
||||||
|
else:
|
||||||
|
self.bootstrapper.immutable_roles = True
|
||||||
|
|
||||||
self.bootstrapper.bootstrap()
|
self.bootstrapper.bootstrap()
|
||||||
self.reader_role_id = self.bootstrapper.reader_role_id
|
self.reader_role_id = self.bootstrapper.reader_role_id
|
||||||
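Review bot: `--immutable-roles` is now registered with `default=True` and `action='store_true'` but its value is never read in `do_bootstrap`, so passing both flags on one command line silently resolves to `--no-immutable-roles` winning instead of being rejected; since immutability of the default roles is a hardening control, a contradictory invocation should be an error. If `parser` here is a plain argparse subparser, registering both options on `group = parser.add_mutually_exclusive_group()` would do that without changing either flag's dest. The `if`/`else` at the end of the second hunk can also collapse to `self.bootstrapper.immutable_roles = not CONF.command.no_immutable_roles`. `do_bootstrap` continues past the hunk on both sides.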
|
@ -223,9 +223,9 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
|
|||||||
self.bootstrap.reader_role_id)
|
self.bootstrap.reader_role_id)
|
||||||
member_role = PROVIDERS.role_api.get_role(
|
member_role = PROVIDERS.role_api.get_role(
|
||||||
self.bootstrap.member_role_id)
|
self.bootstrap.member_role_id)
|
||||||
self.assertEqual(admin_role['options'], {})
|
self.assertEqual(admin_role['options'], {'immutable': True})
|
||||||
self.assertEqual(member_role['options'], {})
|
self.assertEqual(member_role['options'], {'immutable': True})
|
||||||
self.assertEqual(reader_role['options'], {})
|
self.assertEqual(reader_role['options'], {'immutable': True})
|
||||||
|
|
||||||
def test_bootstrap_is_not_idempotent_when_password_does_change(self):
|
def test_bootstrap_is_not_idempotent_when_password_does_change(self):
|
||||||
# NOTE(lbragstad): Ensure bootstrap isn't idempotent when run with
|
# NOTE(lbragstad): Ensure bootstrap isn't idempotent when run with
|
||||||
@ -299,7 +299,7 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
|
|||||||
user_id,
|
user_id,
|
||||||
self.bootstrap.password)
|
self.bootstrap.password)
|
||||||
|
|
||||||
def test_bootstrap_with_immutable_roles(self):
|
def test_bootstrap_with_explicit_immutable_roles(self):
|
||||||
CONF(args=['bootstrap',
|
CONF(args=['bootstrap',
|
||||||
'--bootstrap-password', uuid.uuid4().hex,
|
'--bootstrap-password', uuid.uuid4().hex,
|
||||||
'--immutable-roles'],
|
'--immutable-roles'],
|
||||||
@ -314,6 +314,35 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
|
|||||||
self.assertTrue(member_role['options']['immutable'])
|
self.assertTrue(member_role['options']['immutable'])
|
||||||
self.assertTrue(reader_role['options']['immutable'])
|
self.assertTrue(reader_role['options']['immutable'])
|
||||||
|
|
||||||
|
def test_bootstrap_with_default_immutable_roles(self):
|
||||||
|
CONF(args=['bootstrap',
|
||||||
|
'--bootstrap-password', uuid.uuid4().hex],
|
||||||
|
project='keystone')
|
||||||
|
self._do_test_bootstrap(self.bootstrap)
|
||||||
|
admin_role = PROVIDERS.role_api.get_role(self.bootstrap.role_id)
|
||||||
|
reader_role = PROVIDERS.role_api.get_role(
|
||||||
|
self.bootstrap.reader_role_id)
|
||||||
|
member_role = PROVIDERS.role_api.get_role(
|
||||||
|
self.bootstrap.member_role_id)
|
||||||
|
self.assertTrue(admin_role['options']['immutable'])
|
||||||
|
self.assertTrue(member_role['options']['immutable'])
|
||||||
|
self.assertTrue(reader_role['options']['immutable'])
|
||||||
|
|
||||||
|
def test_bootstrap_with_no_immutable_roles(self):
|
||||||
|
CONF(args=['bootstrap',
|
||||||
|
'--bootstrap-password', uuid.uuid4().hex,
|
||||||
|
'--no-immutable-roles'],
|
||||||
|
project='keystone')
|
||||||
|
self._do_test_bootstrap(self.bootstrap)
|
||||||
|
admin_role = PROVIDERS.role_api.get_role(self.bootstrap.role_id)
|
||||||
|
reader_role = PROVIDERS.role_api.get_role(
|
||||||
|
self.bootstrap.reader_role_id)
|
||||||
|
member_role = PROVIDERS.role_api.get_role(
|
||||||
|
self.bootstrap.member_role_id)
|
||||||
|
self.assertNotIn('immutable', admin_role['options'])
|
||||||
|
self.assertNotIn('immutable', member_role['options'])
|
||||||
|
self.assertNotIn('immutable', reader_role['options'])
|
||||||
|
|
||||||
def test_bootstrap_with_ambiguous_role_names(self):
|
def test_bootstrap_with_ambiguous_role_names(self):
|
||||||
# bootstrap system to create the default admin role
|
# bootstrap system to create the default admin role
|
||||||
self._do_test_bootstrap(self.bootstrap)
|
self._do_test_bootstrap(self.bootstrap)
|
||||||
|
10
releasenotes/notes/bug-1823258-9649b56a440b5ae1.yaml
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
---
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
[`bug 1823258 <https://bugs.launchpad.net/keystone/+bug/1823258>`_]
|
||||||
|
The ``keystone-manage bootstrap`` command now defaults to making the
|
||||||
|
default roles (`admin`, `member`, and `reader`) immutable. This has the
|
||||||
|
consequence that if the bootstrap command is re-run on an existing
|
||||||
|
deployment, those roles will become immutable if they were not before. To
|
||||||
|
opt out of this behavior, add the ``--no-immutable-roles`` flag to the
|
||||||
|
bootstrap command.
|