CRUD grant don't check user_id and group_id

Bug #1343932 reported by Marcos Lobo
Affects: OpenStack Identity (keystone)
Status: Expired
Importance: Low
Assigned to: Unassigned
Milestone:

Bug Description

In Icehouse release, CRUD grant functions[1] don't check if user_id and group_id exist.

role_id, domain_id and project_id are checked and I don't see any reason not to check if the user_id and group_id are valid. I think we should change these functions to check if the user and/or group exists before creating/updating the grant.

[1] https://github.com/openstack/keystone/blob/stable/icehouse/keystone/assignment/backends/ldap.py#L347

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/107973

Changed in keystone:
assignee: nobody → Marcos Lobo (marcos-fermin-lobo)
status: New → In Progress
Lance Bragstad (lbragstad) wrote :

Is this causing a misbehavior in a specific use case?

Changed in keystone:
importance: Undecided → Low
Lance Bragstad (lbragstad) wrote :

In the description it says this affects stable/icehouse, but the code review changes current master code. One should be updated to reflect the other.

Dolph Mathews (dolph) wrote :

Lance: if the issue exists in master, we need to fix it there first, and then backport the change to icehouse.

tags: added: icehouse-backport-potential
Morgan Fainberg (mdrnstm) wrote :

I just want to comment on this bug and I agree with Henry Nash's assessment of the fix proposed:

<Henry's comment>
Patch Set 4: Code-Review-2
So this issue has been discussed many times. In fact our code USED to do this. We removed these checks, since we do not want the assignment backend calling the identity backend. In some cases, the user/group IDs might not even permanently exist in identity (e.g. Federation).
<end comment>

This is, based upon the many conversations we've had on this topic, working as intended. We should not be checking the user exists / group exists (we've talked this to death at the summits as well).

While the current federation does make use of groups in identity, I don't think there is general consensus that we should be checking validity of user/group when assigning grants.

description: updated
Changed in keystone:
status: In Progress → Incomplete
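As an added illustration of the design Henry and Morgan describe above (example code, not Keystone's own driver): a toy assignment store that validates role, project and domain but treats user_id/group_id as opaque, plus an audit helper that lists grants whose actor is missing from identity while skipping actors the caller marks as ephemeral. The Grant/AssignmentStore/dangling_grants names and the "fed:" prefix convention are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

class NotFound(Exception):
    """Raised for a role/project/domain unknown to the assignment backend."""

@dataclass(frozen=True)
class Grant:
    role_id: str
    user_id: Optional[str] = None
    group_id: Optional[str] = None
    project_id: Optional[str] = None
    domain_id: Optional[str] = None

class AssignmentStore:
    # Hypothetical in-memory assignment backend; not Keystone's ldap.py/sql.py.
    def __init__(self, roles, projects, domains):
        self.roles, self.projects, self.domains = set(roles), set(projects), set(domains)
        self.grants = []

    def create_grant(self, role_id, user_id=None, group_id=None,
                     project_id=None, domain_id=None):
        # Exactly one actor and exactly one target, as in the Keystone grant API.
        if (user_id is None) == (group_id is None):
            raise ValueError("exactly one of user_id/group_id is required")
        if (project_id is None) == (domain_id is None):
            raise ValueError("exactly one of project_id/domain_id is required")
        # role/project/domain live in this backend, so they are validated.
        if role_id not in self.roles:
            raise NotFound("role %s" % role_id)
        if project_id is not None and project_id not in self.projects:
            raise NotFound("project %s" % project_id)
        if domain_id is not None and domain_id not in self.domains:
            raise NotFound("domain %s" % domain_id)
        # user_id/group_id are deliberately NOT checked: assignment does not call
        # identity, and federated actors may never be stored there at all.
        grant = Grant(role_id, user_id, group_id, project_id, domain_id)
        self.grants.append(grant)
        return grant

def dangling_grants(store, users, groups, is_ephemeral=lambda a: a.startswith("fed:")):
    """Audit helper: grants whose actor is absent from identity. Actors flagged
    ephemeral (constructed 'fed:' prefix here) are expected to be absent and skipped."""
    out = []
    for g in store.grants:
        actor, known = (g.user_id, users) if g.user_id else (g.group_id, groups)
        if actor not in known and not is_ephemeral(actor):
            out.append(g)
    return out
```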
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Marcos Fermín Lobo (<email address hidden>) on branch: master
Review: https://review.openstack.org/107973
Reason: Thanks to Henry Nash for the information.

Changed in keystone:
assignee: Marcos Lobo (marcos-fermin-lobo) → nobody
Launchpad Janitor (janitor) wrote :

[Expired for Keystone because there has been no activity for 60 days.]

Changed in keystone:
status: Incomplete → Expired