/auth/projects fails to include any projects that have inherited group roles

Bug #1385694 reported by Henry Nash
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Medium | Henry Nash |
Juno | Fix Released | High | Brant Knudson |

Bug Description

The /auth/projects API call is meant to return a list of projects for which the user could ask for a project-scoped token - i.e. any project on which they have a role. However, the code does not look at any roles that a group may have on a domain that are marked as inherited to projects - hence failing to include these projects in the list.

Henry Nash (henry-nash) wrote :

As an aside, it DOES check for user inherited roles, just not group ones.
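The gap described in this report can be shown with a small model of role assignments. This is an added example, not code from keystone or from the bug report: the `Assignment` tuple, the sample users, groups, domains and projects, and the `include_group_inherited` switch are all constructed for illustration, and the model covers only domain-to-project inheritance as the report describes it.

```python
from collections import namedtuple

# Simplified assignment record (hypothetical; not keystone's schema).
Assignment = namedtuple(
    "Assignment", "actor_type actor_id target_type target_id role inherited")

# Constructed sample data.
PROJECT_DOMAIN = {"proj-a": "dom-1", "proj-b": "dom-1", "proj-c": "dom-2"}
GROUPS_OF_USER = {"alice": {"ops"}, "bob": set()}
ASSIGNMENTS = [
    # Direct user role on a project.
    Assignment("user", "alice", "project", "proj-c", "member", False),
    # Group role on a domain, inherited to every project in that domain.
    Assignment("group", "ops", "domain", "dom-1", "admin", True),
    # Group role on a domain, NOT inherited: grants nothing on its projects.
    Assignment("group", "ops", "domain", "dom-2", "admin", False),
    # User role on a domain, inherited to its projects.
    Assignment("user", "bob", "domain", "dom-2", "member", True),
]


def projects_for_user(user_id, include_group_inherited=True):
    """Return the ids of projects on which the user holds an effective role.

    include_group_inherited=False models the reported behaviour, where
    inherited domain roles held through a group are not considered.
    """
    groups = GROUPS_OF_USER.get(user_id, set())
    projects = set()
    for a in ASSIGNMENTS:
        is_user = a.actor_type == "user" and a.actor_id == user_id
        is_group = a.actor_type == "group" and a.actor_id in groups
        if not (is_user or is_group):
            continue
        if a.target_type == "project" and not a.inherited:
            projects.add(a.target_id)
        elif a.target_type == "domain" and a.inherited:
            if is_group and not include_group_inherited:
                continue  # the branch missing in the reported behaviour
            projects.update(
                p for p, d in PROJECT_DOMAIN.items() if d == a.target_id)
    return projects


def missed_projects(user_id):
    """Projects left out of the list when group-inherited roles are ignored."""
    return projects_for_user(user_id) - projects_for_user(user_id, False)
```

A regression test for this class of bug can assert that `missed_projects()` is empty for every user once the listing code and the token-scoping code share one effective-role calculation.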

Henry Nash (henry-nash) wrote :

I found this doing a WIP code experiment for making assignments pluggable (see: https://review.openstack.org/#/c/129397/). It is clear that we have far too many ways of trying to work out what roles are effective on a given project or domain. Once we have improved the backend list_role_assignments() method (see: https://review.openstack.org/#/c/116682/), we should consider re-writing many of these calls to be based on the common method.

Changed in keystone:
importance: Undecided → Medium
assignee: nobody → Henry Nash (henry-nash)
Changed in keystone:
status: New → Confirmed
status: Confirmed → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/133299

Changed in keystone:
status: Triaged → In Progress
Henry Nash (henry-nash)
description: updated
Henry Nash (henry-nash)
tags: added: juno-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/133299
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bfbe1ee96c871163e4af0eca7568e13be72b8fde
Submitter: Jenkins
Branch: master

commit bfbe1ee96c871163e4af0eca7568e13be72b8fde
Author: Henry Nash <email address hidden>
Date: Fri Nov 7 17:27:46 2014 +0000

    Fix project federation tokens for inherited roles.

    Currently project-scoped federation-generated tokens fail to include
    group roles that are inherited to the project from the owning domain.
    This error is also exposed via the /auth/projects and
    /OS-FEDERATION/projects API calls. This patch fixes this.

    Change-Id: I1ce5007984938365208630ad901c7c508c57fcd4
    Closes-bug: 1389752
    Closes-bug: 1385694

Changed in keystone:
status: In Progress → Fix Committed
Changed in keystone:
milestone: none → kilo-1
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (feature/hierarchical-multitenancy)

Fix proposed to branch: feature/hierarchical-multitenancy
Review: https://review.openstack.org/138182

OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (feature/hierarchical-multitenancy)

Change abandoned by Morgan Fainberg (<email address hidden>) on branch: feature/hierarchical-multitenancy
Review: https://review.openstack.org/138182

Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/142548

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/juno)

Reviewed: https://review.openstack.org/142548
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e5b660e170170fe193e8e650a0c0f6c8e2f7a7db
Submitter: Jenkins
Branch: stable/juno

commit e5b660e170170fe193e8e650a0c0f6c8e2f7a7db
Author: Henry Nash <email address hidden>
Date: Fri Nov 7 17:27:46 2014 +0000

    Fix project federation tokens for inherited roles.

    Currently project-scoped federation-generated tokens fail to include
    group roles that are inherited to the project from the owning domain.
    This error is also exposed via the /auth/projects and
    /OS-FEDERATION/projects API calls. This patch fixes this.

    (cherry picked from commit bfbe1ee96c871163e4af0eca7568e13be72b8fde)

    Backport note: New tests added to test_backend_kvs.KVSIdentity
    because the KVS backend didn't support the function in Juno.

    Change-Id: I1ce5007984938365208630ad901c7c508c57fcd4
    Closes-bug: 1389752
    Closes-bug: 1385694

Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-1 → 2015.1.0