/auth/domains incorrectly includes domains with only group inherited roles

Bug #1385643 reported by Henry Nash
Affects                        | Status       | Importance | Assigned to   | Milestone
OpenStack Identity (keystone)  | Fix Released | Medium     | Henry Nash    |
Juno                           | Fix Released | Medium     | Brant Knudson |

Bug Description

The /auth/domains API call is meant to return a list of domains for which the user could ask for a domain-scoped token, i.e. any domain on which they have a role. However, the code does not differentiate between inherited and non-inherited group roles, and hence might include domains for which the user has no effective role (a domain inherited role ONLY applies to the projects within that domain, not to the domain itself).
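The distinction the description draws is between a role that is effective on the domain itself and a role that is merely inherited by the projects inside it. The following is an added example, not keystone's code: it models role assignments with a hypothetical `Assignment` record and an `inherited_to_projects` flag, and contrasts a listing routine that reproduces the reported behaviour (any group role on a domain counts) with one that only counts roles effective on the domain. The user, group and domain names are constructed sample data.

```python
"""Which domains can a user obtain a domain-scoped token for?

Added illustration of bug 1385643; not keystone's own implementation.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class Assignment:
    """A role assignment whose target is a domain (hypothetical model)."""
    role_id: str
    domain_id: str
    user_id: Optional[str] = None    # set for a direct user assignment
    group_id: Optional[str] = None   # set for a group assignment
    # True means the role applies only to projects within the domain,
    # not to the domain itself (an "inherited" assignment).
    inherited_to_projects: bool = False


# Constructed sample data: alice is a member of the "devs" group only.
SAMPLE_USER = "alice"
SAMPLE_GROUPS = {"devs"}
SAMPLE_ASSIGNMENTS = [
    # Direct, non-inherited role: alice really can scope a token to "corp".
    Assignment("member", "corp", user_id="alice"),
    # Group role inherited to projects: effective on lab's projects only.
    Assignment("member", "lab", group_id="devs", inherited_to_projects=True),
    # Group role that is effective on the domain itself.
    Assignment("admin", "ops", group_id="devs"),
    # Group alice does not belong to; must never count.
    Assignment("member", "other", group_id="qa"),
]


def domains_for_user_buggy(user_id: str, groups: Set[str],
                           assignments: Iterable[Assignment]) -> Set[str]:
    """Mirrors the reported defect: the inherited flag is honoured for
    direct user roles but ignored for group roles, so a domain with only a
    group role inherited to its projects is wrongly listed."""
    domains: Set[str] = set()
    for a in assignments:
        if a.user_id == user_id and not a.inherited_to_projects:
            domains.add(a.domain_id)
        elif a.group_id is not None and a.group_id in groups:
            domains.add(a.domain_id)  # BUG: inherited group roles slip through
    return domains


def domains_for_user_fixed(user_id: str, groups: Set[str],
                           assignments: Iterable[Assignment]) -> Set[str]:
    """Only roles effective on the domain itself qualify it for a
    domain-scoped token, whether they come from the user or a group."""
    domains: Set[str] = set()
    for a in assignments:
        if a.inherited_to_projects:
            continue  # applies to projects in the domain, not the domain
        is_user = a.user_id == user_id
        is_group = a.group_id is not None and a.group_id in groups
        if is_user or is_group:
            domains.add(a.domain_id)
    return domains


def spurious_domains(user_id: str, groups: Set[str],
                     assignments: Iterable[Assignment]) -> Set[str]:
    """Domains the buggy listing reports but the user cannot actually
    scope a token to; useful as a regression check."""
    return (domains_for_user_buggy(user_id, groups, assignments)
            - domains_for_user_fixed(user_id, groups, assignments))


if __name__ == "__main__":
    print("buggy:   ", sorted(domains_for_user_buggy(SAMPLE_USER, SAMPLE_GROUPS, SAMPLE_ASSIGNMENTS)))
    print("fixed:   ", sorted(domains_for_user_fixed(SAMPLE_USER, SAMPLE_GROUPS, SAMPLE_ASSIGNMENTS)))
    print("spurious:", sorted(spurious_domains(SAMPLE_USER, SAMPLE_GROUPS, SAMPLE_ASSIGNMENTS)))
```

With the sample data the defective listing returns `corp`, `lab` and `ops`, while the corrected one drops `lab`, the only domain on which alice holds nothing but a group role inherited to projects. The same filter is what a domain-scoped token issuer needs to apply before copying group roles into the token.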

Revision history for this message
Henry Nash (henry-nash) wrote : Re: /auth/domains incorrectly includes domains with only inherited roles

I found this doing a WIP code experiment for making assignments pluggable (see: https://review.openstack.org/#/c/129397/). It is clear that we have far too many ways of trying to work out what roles are effective on a given project or domain. Once we have improved the backend list_role_assignments() method (see: https://review.openstack.org/#/c/116682/), we should consider re-writing many of these calls to be based on the common method.

summary: - /auth/domains incorrectly includes domain with only inherited roles
+ /auth/domains incorrectly includes domains with only inherited roles
Changed in keystone:
importance: Undecided → Medium
assignee: nobody → Henry Nash (henry-nash)
Changed in keystone:
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/132872

Changed in keystone:
status: Triaged → In Progress
Henry Nash (henry-nash)
summary: - /auth/domains incorrectly includes domains with only inherited roles
+ /auth/domains incorrectly includes domains with only group inherited
+ roles
description: updated
Henry Nash (henry-nash)
tags: added: juno-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/132872
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1f54bebe65897b57845e09bd4e8d12ccc9323139
Submitter: Jenkins
Branch: master

commit 1f54bebe65897b57845e09bd4e8d12ccc9323139
Author: Henry Nash <email address hidden>
Date: Wed Nov 5 15:09:54 2014 +0000

    Fix domain federation tokens for inherited roles.

    Currently domain-scoped federation-generated tokens incorrectly
    include group roles that are inherited to projects within that domain.
    This error is also exposed via the /auth/domains and
    /OS-FEDERATION/domains API calls. This patch fixes this.

    Change-Id: I2b5c1e3d695dd7b27bf3b15361fccb5c13bdd554
    Closes-bug: 1385533
    Closes-bug: 1385643

Changed in keystone:
status: In Progress → Fix Committed
Changed in keystone:
milestone: none → kilo-1
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (feature/hierarchical-multitenancy)

Fix proposed to branch: feature/hierarchical-multitenancy
Review: https://review.openstack.org/138182

OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (feature/hierarchical-multitenancy)

Change abandoned by Morgan Fainberg (<email address hidden>) on branch: feature/hierarchical-multitenancy
Review: https://review.openstack.org/138182

Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/142546

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/juno)

Reviewed: https://review.openstack.org/142546
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5ec73571b7a1698f21c6c7d7ab95d42708d3d9e6
Submitter: Jenkins
Branch: stable/juno

commit 5ec73571b7a1698f21c6c7d7ab95d42708d3d9e6
Author: Henry Nash <email address hidden>
Date: Wed Nov 5 15:09:54 2014 +0000

    Fix domain federation tokens for inherited roles.

    Currently domain-scoped federation-generated tokens incorrectly
    include group roles that are inherited to projects within that domain.
    This error is also exposed via the /auth/domains and
    /OS-FEDERATION/domains API calls. This patch fixes this.

    (cherry picked from commit 1f54bebe65897b57845e09bd4e8d12ccc9323139)

    Backport note: New tests were added to test_backend_kvs.KVSIdentity
    because the KVS backend didn't support the function in Juno.

    Change-Id: I2b5c1e3d695dd7b27bf3b15361fccb5c13bdd554
    Closes-bug: 1385533
    Closes-bug: 1385643

Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-1 → 2015.1.0