Unimplemented get roles by group for project list

Bug #1284639 reported by Marcos Lobo
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Wishlist
Assigned to: Marcos Lobo

Bug Description

The list_projects_for_user() function in the LDAP assignment backend only searches for projects with associations across user_id, not across group_ids. This function accepts the group_ids parameter, but it is never used in the body of the function.

I think it is necessary to change this function so that it can search for projects with associations across user_id and group_id.

USE CASE:
---------------
Check if user named 'u1' (inside group 'G2') has grants on project named 'p1'. We have this hierarchy:

P1 <- G1 <- G2 <- U1

In this use case, user 'U1' should have grants on project 'P1' because user 'U1' belongs to group 'G2', 'G2' belongs to 'G1', and 'G1' has grants on 'P1'.

What happens with the current code:
----------------------------------------------------
User 'U1' has no grants on project 'P1'. That is because list_projects_for_user() only searches associations between user and project directly and not between groups and projects.

Tags: ldap
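
The use case from the description, as an added example that is not keystone's code and not part of the original report: a small in-memory model comparing a lookup that ignores `group_ids` with one that uses it. All function names, data structures and the extra projects P2 and P3 are constructed for illustration, and it assumes the caller passes in the user's groups, computed here by walking nested membership.

```python
# Constructed in-memory model of the hierarchy P1 <- G1 <- G2 <- U1.
# Names and structures are illustrative assumptions, not keystone's.
MEMBER_OF = {"U1": {"G2"}, "G2": {"G1"}}  # member -> direct parent groups
# project -> actors (users or groups) holding a role on it
GRANTS = {"P1": {"G1"}, "P2": {"U1"}, "P3": {"G9"}}


def effective_group_ids(user_id, member_of=MEMBER_OF):
    """Return every group the user belongs to, directly or through nesting."""
    seen, stack = set(), [user_id]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:  # guards against membership cycles
                seen.add(group)
                stack.append(group)
    return seen


def list_projects_user_only(user_id, group_ids, grants=GRANTS):
    """Behaviour described in the report: group_ids is accepted but ignored."""
    return sorted(p for p, actors in grants.items() if user_id in actors)


def list_projects_with_groups(user_id, group_ids, grants=GRANTS):
    """Match grants held by the user or by any of the supplied groups."""
    wanted = {user_id} | set(group_ids)
    return sorted(p for p, actors in grants.items() if actors & wanted)


if __name__ == "__main__":
    groups = effective_group_ids("U1")
    print("groups:", sorted(groups))
    print("user only:", list_projects_user_only("U1", groups))
    print("with groups:", list_projects_with_groups("U1", groups))
```

Passing only the direct group G2 still misses P1, so the nested use case depends on the full group set being supplied.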
Changed in keystone:
assignee: nobody → Marcos Lobo (marcos-fermin-lobo)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/76470

Changed in keystone:
status: New → In Progress
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Wishlist
Dolph Mathews (dolph)
tags: added: ldap
Changed in keystone:
milestone: none → juno-1
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/76470
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=33a3822ecd3095f36983d88439644dc90446e896
Submitter: Jenkins
Branch: master

commit 33a3822ecd3095f36983d88439644dc90446e896
Author: Marcos Lobo <email address hidden>
Date: Wed Feb 26 10:10:00 2014 +0100

    Unimplemented get roles by group for project list

    The list_projects_for_user() function in the LDAP assignment backend only
    listed projects with associations across user_id, not across group_ids.
    This function accepts the group_ids parameter, but it is never used in
    the body of the function.

    Change-Id: I0ff6791e11aa18ffb3a4407e8e5958ac03f2086b
    Closes-Bug: #1284639

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-1 → 2014.2