OpenStack Identity (keystone)

LDAP group role assignment becomes user assignment

Bug #1365787 reported by Brant Knudson on 2014-09-05

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Medium	Brant Knudson	OpenStack Identity (keystone) 2014.2 "juno"

Bug Description

When I configure Keystone with the LDAP backend, creating a group role assignment winds up being a user role assignment.

Here's steps to recreate:

Start with devstack configured to use LDAP

$ openstack group create blktest1
+-----------+--------------------------------------------------------------------------------------+
| Field | Value |
+-----------+--------------------------------------------------------------------------------------+
| domain_id | default |
| id | 33888a7d75274497bb1e7a05fc17a748 |
| links | {u'self': u'http://192.168.122.176:5000/v3/groups/33888a7d75274497bb1e7a05fc17a748'} |
| name | blktest1 |
+-----------+--------------------------------------------------------------------------------------+

$ GROUP_ID=33888a7d75274497bb1e7a05fc17a748

$ openstack role list
| 1fbe54e498ad483cb900735715926032 | anotherrole |

$ ROLE_ID=1fbe54e498ad483cb900735715926032

$ openstack project list
| 111681b688eb4460b464745f461ad0ce | demo |

PROJECT_ID=111681b688eb4460b464745f461ad0ce

# Get a token since I can't find an openstack command to add role assignment...

$ curl ...

$ TOKEN=PKIZ...

# Create the GROUP role assignment

$ curl -i -X PUT -H "X-Auth-Token: $TOKEN" \
http://localhost:35357/v3/projects/$PROJECT_ID/groups/$GROUP_ID/roles/$ROLE_ID
HTTP/1.1 204 No Content

# Check the results. Now it's a user role assignment.

# Also check the REST response since maybe it's in openstack command:

$ curl -H "X-Auth-Token: $TOKEN" http://localhost:5000/v3/role_assignments | python -mjson.tool

...
{
"links": {
    "assignment": "http://192.168.122.176:5000/v3/projects/111681b688eb4460b464745f461ad0ce/users/33888a7d75274497bb1e7a05fc17a748/roles/1fbe54e498ad483cb900735715926032"
},
"role": {
    "id": "1fbe54e498ad483cb900735715926032"
},
"scope": {
    "project": {
        "id": "111681b688eb4460b464745f461ad0ce"
    }
},
"user": {
    "id": "33888a7d75274497bb1e7a05fc17a748"
}
},
...

It's got user where it should be group.

Revision history for this message

Brant Knudson (blk-u) wrote on 2014-09-05:

The role entry looks correct:

dn: cn=1fbe54e498ad483cb900735715926032,cn=111681b688eb4460b464745f461ad0ce,ou
=Projects,dc=openstack,dc=org
objectClass: organizationalRole
roleOccupant: cn=8fa4aa9d5584421eb8fa22ad01ff806a,ou=Users,dc=openstack,dc=org
roleOccupant: cn=dumb,dc=nonexistent
roleOccupant: cn=33888a7d75274497bb1e7a05fc17a748,ou=UserGroups,dc=openstack,d
c=org
cn: 1fbe54e498ad483cb900735715926032

So it must be the code that's getting role assignments.

Revision history for this message

Brant Knudson (blk-u) wrote on 2014-09-05:

The problem is here in keystone.assignment.backends.ldap:RoleApi.list_role_assignments. http://git.openstack.org/cgit/openstack/keystone/tree/keystone/assignment/backends/ldap.py#n671

It assumes that all role assignments are user-project role assignments, but there are group-project, user-domain, and group-domain assignments.

Changed in keystone:
assignee:	nobody → Brant Knudson (blk-u)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-05: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/119478

Changed in keystone:
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-05:

Fix proposed to branch: master
Review: https://review.openstack.org/119479

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-05:

Fix proposed to branch: master
Review: https://review.openstack.org/119480

Brant Knudson (blk-u) on 2014-09-05

Changed in keystone:
milestone:	none → juno-rc1

Revision history for this message

Dolph Mathews (dolph) wrote on 2014-09-06:

Just to clarify, the user reference is invalid (since it's a group) so this isn't enabling any unintended authorization, correct?

Changed in keystone:
importance:	Undecided → Medium

Revision history for this message

Brant Knudson (blk-u) wrote on 2014-09-07:

I don't think it's enabling unintended authorization in Keystone because this only affects the response for list role assignments as far as I can tell. Keystone isn't using this result internally to tell if a group has a role.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-08: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/119478
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c0b51d79a334b297a92d29a83a12504290a35fe5
Submitter: Jenkins
Branch: master

commit c0b51d79a334b297a92d29a83a12504290a35fe5
Author: Brant Knudson <email address hidden>
Date: Fri Sep 5 14:54:44 2014 -0500

Fix dn_startswith

The dn_startswith function was using the wrong expression to extract
the last part of the DN.

Change-Id: I98eefe499523c3f769c449bf7efa7cb8bb05926d
Partial-Bug: #1365787

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-08:

Reviewed: https://review.openstack.org/119479
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3aa937667d3ab0b26266d10911f4760a54a6e4f4
Submitter: Jenkins
Branch: master

commit 3aa937667d3ab0b26266d10911f4760a54a6e4f4
Author: Brant Knudson <email address hidden>
Date: Fri Sep 5 15:41:20 2014 -0500

Add characterization test for group role assignment listing

    There was no test that shows what happens when a group assignment is
    created and the role assignments are listed (for all backends). The
    LDAP assignment backend works incorrectly in that it returns user
    assignments for group assignments.

Change-Id: I69bc3501cc5eae3039d805ed006821d6927f0440
Partial-Bug: #1365787

OpenStack Infra (hudson-openstack) on 2014-09-08

Changed in keystone:
assignee:	Brant Knudson (blk-u) → Henry Nash (henry-nash)

OpenStack Infra (hudson-openstack) on 2014-09-09

Changed in keystone:
assignee:	Henry Nash (henry-nash) → Brant Knudson (blk-u)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-13:

#10

Reviewed: https://review.openstack.org/119480
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4356b1e24795ff194304686ae572592a5bfa15ad
Submitter: Jenkins
Branch: master

commit 4356b1e24795ff194304686ae572592a5bfa15ad
Author: Brant Knudson <email address hidden>
Date: Fri Sep 5 13:57:31 2014 -0500

Fix LDAP group role assignment listing

    The Keystone server would return group assignments as user
    assignments when listing roles assignments and configured to use
    the LDAP assignment backend.

Change-Id: Icd4f2b7f7f68e8f8b586fd756f7570fd6439e8de
Closes-Bug: #1365787

Changed in keystone:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2014-09-30

Changed in keystone:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2014-10-16

Changed in keystone:
milestone:	juno-rc1 → 2014.2

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.