User roles are replaced by group roles in v3 tokens

Bug #1197874 reported by Henry Nash
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Critical | Henry Nash |
Grizzly | Fix Released | Critical | Henry Nash |

Bug Description

For v3 tokens, if there are any group roles for the required scope (e.g. domain or project), then ONLY these roles will be returned, at the expense of any non-group (i.e. directly assigned) roles.

This is caused by incorrect coding in the driver calls of "get_roles_for_user_and_project()" and "get_roles_for_user_and_domain()" where a dict update method is used to try and add group roles into the user ones. Incredibly, despite lots of unit testing around this area, there isn't one that checks that both user and group roles are returned.

The v2 tokens are unaffected, since they don't call these functions, but rather add the group roles in manually.

The problem was discovered when implementing https://blueprints.launchpad.net/keystone/+spec/authenticate-role-rationalization which looked to handle all such role combinations in one place. Since I suspect we will want to back-port this particular fix to stable/grizzly, I have broken this out as a separate patch.

Henry Nash (henry-nash)
description: updated
Henry Nash (henry-nash) wrote :

A further issue is that if you have multiple group roles on an entity, only the roles for one of the groups will be included (the same incorrect code will overwrite the roles for previous groups in the list being built for the token).
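
The overwrite described in the bug description and in the follow-up comment above, shown as an added example that is not keystone's own code. It assumes role assignments are held as metadata dicts with a 'roles' list; every name and sample value below is constructed for illustration.

```python
# Constructed model of role assignments. The {'roles': [...]} metadata shape,
# the function names and the sample values are assumptions, not keystone code.
USER_METADATA = {'roles': ['admin']}      # role assigned directly to the user
GROUP_METADATA = [                        # one entry per group the user is in
    {'roles': ['member']},
    {'roles': ['auditor']},
]


def roles_with_dict_update(user_md, group_mds):
    """Flawed merge: dict.update() replaces the 'roles' key wholesale."""
    merged = dict(user_md)
    for group_md in group_mds:
        merged.update(group_md)   # overwrites 'roles' instead of extending it
    return sorted(set(merged.get('roles', [])))


def roles_with_union(user_md, group_mds):
    """Corrected merge: accumulate roles from every source into one set."""
    roles = set(user_md.get('roles', []))
    for group_md in group_mds:
        roles.update(group_md.get('roles', []))   # set.update() is a union
    return sorted(roles)


def missing_roles(user_md, group_mds):
    """Regression check: roles the flawed merge leaves out of the result."""
    expected = set(roles_with_union(user_md, group_mds))
    actual = set(roles_with_dict_update(user_md, group_mds))
    return sorted(expected - actual)


if __name__ == '__main__':
    print('dict.update merge:',
          roles_with_dict_update(USER_METADATA, GROUP_METADATA))
    print('set union merge:  ',
          roles_with_union(USER_METADATA, GROUP_METADATA))
    print('dropped roles:    ',
          missing_roles(USER_METADATA, GROUP_METADATA))
```

With no group memberships the flawed merge returns the right answer, which is why a test suite needs a case that combines a direct role with roles from more than one group.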

Changed in keystone:
importance: High → Critical
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/35739

Changed in keystone:
status: New → In Progress
Henry Nash (henry-nash)
description: updated
Dolph Mathews (dolph)
tags: added: grizzly-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/35739
Committed: http://github.com/openstack/keystone/commit/22e3fb773176dd9a8bbf41b5268564bc0e4ed6f1
Submitter: Jenkins
Branch: master

commit 22e3fb773176dd9a8bbf41b5268564bc0e4ed6f1
Author: Henry Nash <email address hidden>
Date: Fri Jul 5 06:04:25 2013 +0100

    Fix issue with v3 tokens and group membership roles

    The driver calls used by v3 token controllers to obtain roles
    for a user on both project and domain were incorrectly implemented,
    leading to roles being missed out of the token. v2 tokens are not
    affected, since they don't use the same driver calls.

    This fixes these functions and adds additional tests to cover the
    cases (all of which would fail without this patch). As part of this
    fix, the implementation of "get_roles_for_user_and_project()" is
    pulled up into the driver class (like the domain equivalent is already),
    since, for all implementations, it is independent of backend technology.

    Fixes bug 1197874

    Change-Id: I59b6882d93bdc8372be03fed0b390b002a6d0320

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/grizzly)

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/38484

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/grizzly)

Reviewed: https://review.openstack.org/38484
Committed: http://github.com/openstack/keystone/commit/27a5b42dbbdcb1f10138542cfa2fc5584470bace
Submitter: Jenkins
Branch: stable/grizzly

commit 27a5b42dbbdcb1f10138542cfa2fc5584470bace
Author: Henry Nash <email address hidden>
Date: Fri Jul 5 06:04:25 2013 +0100

    Fix issue with v3 tokens and group membership roles

    The driver calls used by v3 token controllers to obtain roles
    for a user on both project and domain were incorrectly implemented,
    leading to roles being missed out of the token. v2 tokens are not
    affected, since they don't use the same driver calls.

    This fixes these functions and adds additional tests to cover the
    cases (all of which would fail without this patch). As part of this
    fix, the implementation of "get_roles_for_user_and_project()" is
    pulled up into the driver class (like the domain equivalent is already),
    since, for all implementations, it is independent of backend technology.

    Fixes bug 1197874

    Change-Id: I48aaf79241c87377c6940ab6193fc3acd4006c94

Alan Pevec (apevec)
tags: removed: grizzly-backport-potential
Thierry Carrez (ttx)
Changed in keystone:
milestone: havana-2 → 2013.2