User roles are replaced by group roles in v3 tokens
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Critical | Henry Nash |
Grizzly | Fix Released | Critical | Henry Nash |
Bug Description
For v3 tokens, if there are any group roles for the required scope (e.g. domain or project), then ONLY these roles will be returned, at the expense of any non-group (i.e. directly assigned) roles.
This is caused by incorrect coding in the driver calls of "get_roles_
The v2 tokens are unaffected, since they don't call these functions, but rather add the group roles in manually.
The problem was discovered when implementing https:/
description: updated
tags: added: grizzly-backport-potential
Changed in keystone:
status: Fix Committed → Fix Released
tags: removed: grizzly-backport-potential
Changed in keystone:
milestone: havana-2 → 2013.2
A further issue is that if you have multiple group roles on an entity, only the roles for one of the groups will be included (the same incorrect code will overwrite the roles for previous groups in the list being built for the token).
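A minimal model of the two failure modes described in this report, added here as an illustration and not taken from keystone's code. The data layout and all function names are hypothetical, and the sample assignments are constructed.

```python
# Illustrative model only: data layout and function names are hypothetical,
# not keystone's driver API.

# Constructed sample assignments for one user on one project.
DIRECT_ROLES = {("alice", "proj1"): ["member"]}
GROUP_MEMBERSHIP = {"alice": ["ops", "auditors"]}
GROUP_ROLES = {
    ("ops", "proj1"): ["admin"],
    ("auditors", "proj1"): ["reader"],
}


def roles_overwriting(user, project):
    """Models the reported behaviour: each group's roles are assigned over
    the list being built instead of being merged into it."""
    roles = list(DIRECT_ROLES.get((user, project), []))
    for group in GROUP_MEMBERSHIP.get(user, []):
        group_roles = GROUP_ROLES.get((group, project), [])
        if group_roles:
            # Overwrite: drops direct roles and earlier groups' roles.
            roles = list(group_roles)
    return roles


def roles_merged(user, project):
    """Expected behaviour: union of direct roles and every group's roles."""
    roles = set(DIRECT_ROLES.get((user, project), []))
    for group in GROUP_MEMBERSHIP.get(user, []):
        roles.update(GROUP_ROLES.get((group, project), []))
    return sorted(roles)


def missing_roles(user, project, compute):
    """Regression check: roles a token built by `compute` would lack
    compared with the full set of assignments for this user and scope."""
    expected = set(roles_merged(user, project))
    return sorted(expected - set(compute(user, project)))


if __name__ == "__main__":
    print("overwriting:", roles_overwriting("alice", "proj1"))
    print("merged:     ", roles_merged("alice", "proj1"))
    print("missing:    ", missing_roles("alice", "proj1", roles_overwriting))
```

A check shaped like `missing_roles` can be run against real token contents for a user who has both a direct role and roles through more than one group on the same scope, which is the combination that exposes both problems at once.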