Domain tokens issued from a saml2 auth incorrectly includes group roles marked as inherited

Bug #1385533 reported by Henry Nash
Affects                        Status        Importance  Assigned to    Milestone
OpenStack Identity (keystone)  Fix Released  High        Henry Nash
Juno                           Fix Released  High        Brant Knudson

Bug Description

When building the roles in a Keystone token from a saml2 token, we call assignment_api.get_roles_for_groups() to add in any group roles. This appears to ignore the inheritance flag on the assignment - and puts in all group roles whether inherited or not. This means the wrong roles can end up in the resulting Keystone token.

The implication is that domain scoped tokens would incorrectly get roles that were meant to be inherited (only) to projects within that domain.
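The following is an added illustration of the behaviour the report describes, not Keystone's own code: the assignment records, the `inherited` flag name, the project-to-domain map and all ids are constructed. It contrasts a group-role lookup that ignores the inheritance flag with one that honours it, for both domain and project scope.

```python
"""Model of the OS-INHERIT bug in the report (added example, not Keystone code).

An inherited domain assignment is meant to apply only to projects inside the
domain, never to the domain itself. The buggy lookup ignores that flag, so a
domain-scoped token picks up roles intended for projects only."""

# Constructed group role assignments. Field names are assumptions.
ASSIGNMENTS = [
    {"group": "g1", "role": "admin", "domain": "d1", "inherited": True},
    {"group": "g1", "role": "member", "domain": "d1", "inherited": False},
    {"group": "g2", "role": "reader", "project": "p1", "inherited": False},
]

# Constructed project -> owning domain map.
PROJECT_DOMAIN = {"p1": "d1"}


def _applies_to_project(a, project_id):
    """Direct project assignment, or an inherited one on the owning domain."""
    if a.get("project") == project_id:
        return True
    return a.get("domain") == PROJECT_DOMAIN[project_id] and a["inherited"]


def roles_for_groups_buggy(groups, domain_id=None, project_id=None):
    """Behaviour the report describes: every domain assignment is returned
    for a domain scope, whether inherited or not."""
    roles = set()
    for a in ASSIGNMENTS:
        if a["group"] not in groups:
            continue
        if domain_id is not None and a.get("domain") == domain_id:
            roles.add(a["role"])  # inherited flag never consulted
        if project_id is not None and _applies_to_project(a, project_id):
            roles.add(a["role"])
    return roles


def roles_for_groups_fixed(groups, domain_id=None, project_id=None):
    """Domain scope takes only non-inherited domain assignments; project
    scope takes direct assignments plus inherited ones from its domain."""
    roles = set()
    for a in ASSIGNMENTS:
        if a["group"] not in groups:
            continue
        if (domain_id is not None and a.get("domain") == domain_id
                and not a["inherited"]):
            roles.add(a["role"])
        if project_id is not None and _applies_to_project(a, project_id):
            roles.add(a["role"])
    return roles
```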

Henry Nash (henry-nash)
Changed in keystone:
importance: Undecided → High
description: updated
Revision history for this message
Henry Nash (henry-nash) wrote :

I found this doing a WIP code experiment for making assignments pluggable (see: https://review.openstack.org/#/c/129397/). It is clear that we have far too many ways of trying to work out what roles are effective on a given project or domain. Once we have improved the backend list_role_assignments() method (see: https://review.openstack.org/#/c/116682/), we should consider re-writing many of these calls to be based on the common method.

Henry Nash (henry-nash)
summary: - Tokens issued from a saml2 auth ignore inheritance of group roles
+ Tokens issued from a saml2 auth ignores inheritance of group roles
description: updated
description: updated
description: updated
Changed in keystone:
assignee: nobody → Henry Nash (henry-nash)
Revision history for this message
Morgan Fainberg (mdrnstm) wrote : Re: Tokens issued from a saml2 auth ignores inheritance of group roles

OS-INHERIT should be made a core-API and moved out of the extension.

Changed in keystone:
status: New → Triaged
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/132872

Changed in keystone:
status: Triaged → In Progress
Henry Nash (henry-nash)
summary: - Tokens issued from a saml2 auth ignores inheritance of group roles
+ Domain tokens issued from a saml2 auth ignores inheritance of group
+ roles
Henry Nash (henry-nash)
description: updated
summary: - Domain tokens issued from a saml2 auth ignores inheritance of group
- roles
+ Domain tokens issued from a saml2 auth incorrectly includes group roles
+ marked as inherited
Henry Nash (henry-nash)
tags: added: juno-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/132872
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1f54bebe65897b57845e09bd4e8d12ccc9323139
Submitter: Jenkins
Branch: master

commit 1f54bebe65897b57845e09bd4e8d12ccc9323139
Author: Henry Nash <email address hidden>
Date: Wed Nov 5 15:09:54 2014 +0000

    Fix domain federation tokens for inherited roles.

    Currently domain-scoped federation-generated tokens incorrectly
    include group roles that are inherited to projects within that domain.
    This error is also exposed via the /auth/domains and
    /OS-FEDERATION/domains API calls. This patch fixes this.

    Change-Id: I2b5c1e3d695dd7b27bf3b15361fccb5c13bdd554
    Closes-bug: 1385533
    Closes-bug: 1385643

Changed in keystone:
status: In Progress → Fix Committed
Changed in keystone:
milestone: none → kilo-1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (feature/hierarchical-multitenancy)

Fix proposed to branch: feature/hierarchical-multitenancy
Review: https://review.openstack.org/138182

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (feature/hierarchical-multitenancy)

Change abandoned by Morgan Fainberg (<email address hidden>) on branch: feature/hierarchical-multitenancy
Review: https://review.openstack.org/138182

Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/142546

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/juno)

Reviewed: https://review.openstack.org/142546
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5ec73571b7a1698f21c6c7d7ab95d42708d3d9e6
Submitter: Jenkins
Branch: stable/juno

commit 5ec73571b7a1698f21c6c7d7ab95d42708d3d9e6
Author: Henry Nash <email address hidden>
Date: Wed Nov 5 15:09:54 2014 +0000

    Fix domain federation tokens for inherited roles.

    Currently domain-scoped federation-generated tokens incorrectly
    include group roles that are inherited to projects within that domain.
    This error is also exposed via the /auth/domains and
    /OS-FEDERATION/domains API calls. This patch fixes this.

    (cherry picked from commit 1f54bebe65897b57845e09bd4e8d12ccc9323139)

    Backport note: New tests were added to test_backend_kvs.KVSIdentity
    because the KVS backend didn't support the function in Juno.

    Change-Id: I2b5c1e3d695dd7b27bf3b15361fccb5c13bdd554
    Closes-bug: 1385533
    Closes-bug: 1385643

Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-1 → 2015.1.0