Bug 1326392 - [RFE] Implement Secure RBAC Project Scoped Personas within glance
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-glance
Version: 7.0 (Kilo)
Hardware: All
OS: Linux
high
medium
Target Milestone: ga
Target Release: 17.1
Assignee: Abhishek Kekane
QA Contact: msava
Jenny-Anne Lynch
URL:
Whiteboard:
Duplicates: 1901689
Depends On: 1228474 1801416 2192190 2192191 2192193
Blocks: 1381612 1936302
 
Reported: 2016-04-12 15:01 UTC by Jaison Raju
Modified: 2023-12-15 04:25 UTC

Fixed In Version: openstack-glance-22.1.0-0.20210917121835.8499efd.el8ost
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-16 01:09:22 UTC
Target Upstream Version:
Embargoed:
akekane: needinfo-



Links
System | ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit | 763208 | 0 | None | MERGED | Update the task policies | 2021-03-15 13:50:16 UTC
OpenStack gerrit | 764241 | 0 | None | MERGED | Add basic/common personas to base policies | 2021-03-15 13:50:22 UTC
OpenStack gerrit | 764754 | 0 | None | MERGED | Implement project personas for image actions | 2021-03-15 13:50:26 UTC
OpenStack gerrit | 767425 | 0 | None | MERGED | Pass oslo.context RequestContext objects directly to policy enforcement | 2021-03-02 17:34:37 UTC
OpenStack gerrit | 773566 | 0 | None | MERGED | Add devstack plugin script | 2021-03-02 17:34:37 UTC
OpenStack gerrit | 773568 | 0 | None | MERGED | Implement API protection testing for images | 2021-03-15 13:50:32 UTC
OpenStack gerrit | 774309 | 0 | None | MERGED | Properly handle InvalidScope exceptions | 2021-03-02 17:34:37 UTC
OpenStack gerrit | 775742 | 0 | None | MERGED | Add tests for image membership, deactivation, and reactivation | 2021-03-15 13:50:40 UTC
OpenStack gerrit | 776588 | 0 | None | MERGED | Fail to start if authorization and policy is misconfigured | 2021-03-15 13:50:43 UTC
OpenStack gerrit | 778079 | 0 | None | MERGED | Add glance functional protection tests to check and gate | 2021-03-15 13:50:51 UTC
Red Hat Issue Tracker | OSP-347 | 0 | None | None | None | 2021-11-22 18:28:08 UTC

Description Jaison Raju 2016-04-12 15:01:20 UTC
1. Proposed title of this feature request
Need glance policy to be configured to include a read-only role.

3. What is the nature and description of the request?
Customer has requirement of read-only admin role for all core services.

4. Why does the customer need this? (List the business requirements here)
A read-only admin user is necessary for customer environment.

Additional info:
The following bug is raised for keystone to add role.
This role can be configured in policy file.
Bug 1228474 - [RFE] Read only role for tenant access
https://blueprints.launchpad.net/keystone/+spec/admin-readonly-role

Comment 3 Cyril Roelandt 2016-04-15 15:01:24 UTC
Hi,

I must say I agree with Jamie Lennox's comment on this other bug: https://bugzilla.redhat.com/show_bug.cgi?id=1228474 . Defining roles really seems to be up to the user, or to the installer. I don't think such a change would be welcome upstream, nor could we easily maintain it downstream. Maybe this should be re-targeted to the installer? What do you think?

Comment 9 Cyril Roelandt 2020-09-03 18:23:37 UTC
@rmascena This used to be a Glance bug, then it became a director bug, and you've just moved it to Glance again. What has changed since we last discussed this bug?

Comment 15 Gregory Charot 2021-04-14 10:20:37 UTC
*** Bug 1901689 has been marked as a duplicate of this bug. ***

Comment 18 Abhishek Kekane 2021-06-30 14:02:09 UTC
NOTE:

We have completed implementation of the project member and project reader roles for all APIs except metadef in the Wallaby cycle.
Admin will continue to work as it was working earlier and will be modified once system scope is introduced.

Comment 23 Cyril Roelandt 2021-11-24 21:42:59 UTC
The Glance part of this feature can probably be tested already using the latest RPM.


@Lance: should we have a separate bug for the THT work?

Comment 36 Lukas Svaty 2023-06-16 08:13:29 UTC
Bulk moving target milestone to GA after the release of Beta on 14th June '23.

Comment 45 errata-xmlrpc 2023-08-16 01:09:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.1 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:4577

Comment 46 Red Hat Bugzilla 2023-12-15 04:25:02 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days.

