Domain tokens issued from a saml2 auth incorrectly includes group roles marked as inherited
Bug #1385533 reported by Henry Nash
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | High | Henry Nash | |
| Juno | Fix Released | High | Brant Knudson | |
Bug Description
When building the roles in a Keystone token from a saml2 token, we call assignment_
The implication is that domain scoped tokens would incorrectly get roles that were meant to be inherited (only) to projects within that domain.
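As an added illustration (not Keystone's code), the following model shows the distinction the description relies on: a group assignment on a domain marked inherited is meant for projects within that domain, so a domain-scoped token must not pick it up, while a project-scoped token should. The assignment records and ids are constructed sample data.

```python
"""Added example, not Keystone's implementation.

Assumed model: an assignment is a dict with an actor (group_id), a target
(domain_id or project_id), a role name, and an `inherited` flag meaning
"applies to projects within this domain", never to the domain itself.
"""

# Constructed sample assignments; ids are placeholders, not real Keystone ids.
ASSIGNMENTS = [
    {"group_id": "g-admins", "domain_id": "d1", "role": "admin", "inherited": False},
    {"group_id": "g-devs", "domain_id": "d1", "role": "member", "inherited": True},
    {"group_id": "g-devs", "domain_id": "d2", "role": "member", "inherited": False},
    {"group_id": "g-devs", "project_id": "p1", "role": "reader", "inherited": False},
]


def domain_roles_buggy(group_ids, domain_id, assignments=ASSIGNMENTS):
    """Behaviour the bug describes: every group assignment whose target is
    the domain is counted, including ones marked inherited (projects-only)."""
    return sorted({a["role"] for a in assignments
                   if a["group_id"] in group_ids
                   and a.get("domain_id") == domain_id})


def domain_roles_fixed(group_ids, domain_id, assignments=ASSIGNMENTS):
    """Corrected behaviour: a domain-scoped token only gets assignments on
    the domain that are NOT marked inherited."""
    return sorted({a["role"] for a in assignments
                   if a["group_id"] in group_ids
                   and a.get("domain_id") == domain_id
                   and not a["inherited"]})


def project_roles(group_ids, project_id, project_domain_id, assignments=ASSIGNMENTS):
    """For contrast: a project-scoped token gets direct project assignments
    plus inherited assignments from the project's owning domain."""
    roles = set()
    for a in assignments:
        if a["group_id"] not in group_ids:
            continue
        if a.get("project_id") == project_id:
            roles.add(a["role"])
        elif a.get("domain_id") == project_domain_id and a["inherited"]:
            roles.add(a["role"])
    return sorted(roles)
```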
Changed in keystone:
- importance: Undecided → High
- description: updated
- summary: "Tokens issued from a saml2 auth ignore inheritance of group roles" → "Tokens issued from a saml2 auth ignores inheritance of group roles"
- description: updated
- description: updated
- description: updated

Changed in keystone:
- assignee: nobody → Henry Nash (henry-nash)
- summary: "Tokens issued from a saml2 auth ignores inheritance of group roles" → "Domain tokens issued from a saml2 auth ignores inheritance of group roles"
- description: updated
- summary: "Domain tokens issued from a saml2 auth ignores inheritance of group roles" → "Domain tokens issued from a saml2 auth incorrectly includes group roles marked as inherited"
- tags: added: juno-backport-potential

Changed in keystone:
- milestone: none → kilo-1

Changed in keystone:
- status: Fix Committed → Fix Released

Changed in keystone:
- milestone: kilo-1 → 2015.1.0
I found this doing a WIP code experiment for making assignments pluggable (see: https://review.openstack.org/#/c/129397/). It is clear that we have far too many ways of trying to work out what roles are effective on a given project or domain. Once we have improved the backend `list_role_assignments()` method (see: https://review.openstack.org/#/c/116682/), we should consider re-writing many of these calls to be based on the common method.