Merge "Default to bootstrapping roles as immutable"

This commit is contained in:
Zuul 2020-02-12 05:47:01 +00:00 committed by Gerrit Code Review
commit b3cbf60c3c
4 changed files with 60 additions and 15 deletions

View File

@ -122,13 +122,10 @@ class Bootstrapper(object):
LOG.info('Created role %s', role_name)
if not self.immutable_roles:
LOG.warning("Role %(role)s was created as a mutable role. It "
"is recommended to make this role immutable, "
"which will become the default behavior of the "
"bootstrap command in the future.You can opt into "
"this behavior by using the --immutable-role "
"flag, or update role %(role)s with the "
"'immutable' resource option.",
{'role': role_name})
"is recommended to make this role immutable by "
"adding the 'immutable' resource option to this "
"role, or re-running this command without "
"--no-immutable-role.", {'role': role_name})
return role
except exception.Conflict:
LOG.info('Role %s exists, skipping creation.', role_name)

View File

@ -113,13 +113,19 @@ class BootStrap(BaseApp):
'placed in during the keystone bootstrap '
'process.'))
parser.add_argument('--immutable-roles',
default=True,
action='store_true',
help=('Whether default roles (admin, member, and '
'reader) should be immutable. This is the '
'default.'))
parser.add_argument('--no-immutable-roles',
default=False,
action='store_true',
help=('Whether default roles (admin, member, and '
'reader) should be immutable. Immutable '
'default roles is currently an opt-in '
'behavior, but will become the default in '
'future releases.'))
'default roles is the default, use this '
'flag to opt out of immutable default '
'roles.'))
return parser
def do_bootstrap(self):
@ -175,7 +181,10 @@ class BootStrap(BaseApp):
self.bootstrapper.public_url = self.public_url
self.bootstrapper.internal_url = self.internal_url
self.bootstrapper.region_id = self.region_id
self.bootstrapper.immutable_roles = CONF.command.immutable_roles
if CONF.command.no_immutable_roles:
self.bootstrapper.immutable_roles = False
else:
self.bootstrapper.immutable_roles = True
self.bootstrapper.bootstrap()
self.reader_role_id = self.bootstrapper.reader_role_id

View File

@ -223,9 +223,9 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
self.bootstrap.reader_role_id)
member_role = PROVIDERS.role_api.get_role(
self.bootstrap.member_role_id)
self.assertEqual(admin_role['options'], {})
self.assertEqual(member_role['options'], {})
self.assertEqual(reader_role['options'], {})
self.assertEqual(admin_role['options'], {'immutable': True})
self.assertEqual(member_role['options'], {'immutable': True})
self.assertEqual(reader_role['options'], {'immutable': True})
def test_bootstrap_is_not_idempotent_when_password_does_change(self):
# NOTE(lbragstad): Ensure bootstrap isn't idempotent when run with
@ -299,7 +299,7 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
user_id,
self.bootstrap.password)
def test_bootstrap_with_immutable_roles(self):
def test_bootstrap_with_explicit_immutable_roles(self):
CONF(args=['bootstrap',
'--bootstrap-password', uuid.uuid4().hex,
'--immutable-roles'],
@ -314,6 +314,35 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
self.assertTrue(member_role['options']['immutable'])
self.assertTrue(reader_role['options']['immutable'])
def test_bootstrap_with_default_immutable_roles(self):
CONF(args=['bootstrap',
'--bootstrap-password', uuid.uuid4().hex],
project='keystone')
self._do_test_bootstrap(self.bootstrap)
admin_role = PROVIDERS.role_api.get_role(self.bootstrap.role_id)
reader_role = PROVIDERS.role_api.get_role(
self.bootstrap.reader_role_id)
member_role = PROVIDERS.role_api.get_role(
self.bootstrap.member_role_id)
self.assertTrue(admin_role['options']['immutable'])
self.assertTrue(member_role['options']['immutable'])
self.assertTrue(reader_role['options']['immutable'])
def test_bootstrap_with_no_immutable_roles(self):
CONF(args=['bootstrap',
'--bootstrap-password', uuid.uuid4().hex,
'--no-immutable-roles'],
project='keystone')
self._do_test_bootstrap(self.bootstrap)
admin_role = PROVIDERS.role_api.get_role(self.bootstrap.role_id)
reader_role = PROVIDERS.role_api.get_role(
self.bootstrap.reader_role_id)
member_role = PROVIDERS.role_api.get_role(
self.bootstrap.member_role_id)
self.assertNotIn('immutable', admin_role['options'])
self.assertNotIn('immutable', member_role['options'])
self.assertNotIn('immutable', reader_role['options'])
def test_bootstrap_with_ambiguous_role_names(self):
# bootstrap system to create the default admin role
self._do_test_bootstrap(self.bootstrap)

View File

@ -0,0 +1,10 @@
---
upgrade:
- |
[`bug 1823258 <https://bugs.launchpad.net/keystone/+bug/1823258>`_]
The ``keystone-manage bootstrap`` command now defaults to making the
default roles (`admin`, `member`, and `reader`) immutable. This has the
consequence that if the bootstrap command is re-run on an existing
deployment, those roles will become immutable if they were not before. To
opt out of this behavior, add the ``--no-immutable-roles`` flag to the
bootstrap command.