Project tokens issued from a saml2 auth are missing inherited group roles

Bug #1389752 reported by Henry Nash
Affects: OpenStack Identity (keystone)
  Status: Fix Released
  Importance: High
  Assigned to: Henry Nash

Affects: Juno
  Status: Fix Released
  Importance: High
  Assigned to: Brant Knudson

Bug Description

When building the roles in a Keystone token from a saml2 token, we call assignment_api.get_roles_for_groups() to add in any group roles. This appears to ignore the inheritance flag on the assignment - and puts in all group roles whether inherited or not. This means the wrong roles can end up in the resulting Keystone token.

The implication is that project scoped tokens would not get any group roles that should be inherited from the domain.
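
As an added illustration of the role resolution the report describes (example code written for this page, not keystone's own implementation): a minimal model of group role assignments carrying the OS-INHERIT inherited-to-projects flag, resolved two ways. `roles_for_groups_ignoring_inheritance` matches assignments on the scope target only and ignores the flag, which is the behaviour attributed above to `assignment_api.get_roles_for_groups()`; a project-scoped lookup then misses roles inherited from the owning domain, and a domain-scoped lookup picks up assignments that were meant for the domain's projects. `roles_for_groups` honours the flag, and `projects_for_groups` shows why the same defect surfaces in a project listing of the /auth/projects kind. The group, project, domain and role identifiers, the data model and the function names are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class GroupAssignment:
    """One group role assignment, a simplified stand-in for keystone's model (hypothetical)."""
    group_id: str
    role_id: str
    project_id: Optional[str] = None  # set for an assignment on a project
    domain_id: Optional[str] = None   # set for an assignment on a domain
    inherited: bool = False           # inherited-to-projects flag: applies to projects in the domain


# Constructed sample data for this example; project -> owning domain.
PROJECT_DOMAIN = {"proj-a": "dom-x", "proj-b": "dom-y"}

ASSIGNMENTS = [
    # direct assignment on the project itself
    GroupAssignment("grp-devs", "role-member", project_id="proj-a"),
    # domain assignment inherited to every project in dom-x (not to dom-x itself)
    GroupAssignment("grp-devs", "role-admin", domain_id="dom-x", inherited=True),
    # plain domain assignment: applies to domain-scoped tokens only
    GroupAssignment("grp-devs", "role-domain-admin", domain_id="dom-x"),
    GroupAssignment("grp-ops", "role-reader", domain_id="dom-y", inherited=True),
]


def _check_scope(project_id, domain_id):
    # A token is scoped to exactly one of a project or a domain.
    if (project_id is None) == (domain_id is None):
        raise ValueError("scope to exactly one of project_id or domain_id")


def roles_for_groups_ignoring_inheritance(group_ids, project_id=None, domain_id=None,
                                          assignments=ASSIGNMENTS):
    """Behaviour the report describes: match on the scope target only and ignore
    the inherited flag. Project scope therefore never sees domain-inherited roles,
    and domain scope wrongly picks up assignments meant for its projects."""
    _check_scope(project_id, domain_id)
    groups = set(group_ids)
    roles = set()
    for a in assignments:
        if a.group_id not in groups:
            continue
        if project_id is not None and a.project_id == project_id:
            roles.add(a.role_id)
        if domain_id is not None and a.domain_id == domain_id:
            roles.add(a.role_id)
    return roles


def roles_for_groups(group_ids, project_id=None, domain_id=None,
                     assignments=ASSIGNMENTS, project_domain=PROJECT_DOMAIN):
    """Inheritance-aware resolution: a project gets its direct assignments plus the
    inherited assignments on its owning domain; a domain gets only its
    non-inherited assignments."""
    _check_scope(project_id, domain_id)
    groups = set(group_ids)
    owning_domain = project_domain.get(project_id) if project_id is not None else None
    roles = set()
    for a in assignments:
        if a.group_id not in groups:
            continue
        if project_id is not None:
            if a.project_id == project_id:
                roles.add(a.role_id)
            elif a.inherited and a.domain_id is not None and a.domain_id == owning_domain:
                roles.add(a.role_id)
        elif a.domain_id == domain_id and not a.inherited:
            roles.add(a.role_id)
    return roles


def projects_for_groups(group_ids, assignments=ASSIGNMENTS, project_domain=PROJECT_DOMAIN):
    """Projects the groups can scope a token to (what a project listing should
    return): those whose effective, inheritance-aware role set is non-empty."""
    return sorted(
        p for p in project_domain
        if roles_for_groups(group_ids, project_id=p,
                            assignments=assignments, project_domain=project_domain)
    )
```

With the sample data, a project-scoped lookup for grp-devs on proj-a yields only role-member under the flag-ignoring resolver but role-member plus the domain-inherited role-admin under the correct one, and the domain-scoped lookup on dom-x shows the mirror-image over-inclusion. Listing proj-b for grp-ops depends entirely on the inherited assignment, which is why a resolver that drops inherited roles also empties the project listing.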

Revision history for this message
Henry Nash (henry-nash) wrote :

This is the "project" equivalent of https://bugs.launchpad.net/keystone/+bug/1385533, separated out so we can fix them separately.

Changed in keystone:
importance: Undecided → High
assignee: nobody → Henry Nash (henry-nash)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/133299

Changed in keystone:
status: New → In Progress
Henry Nash (henry-nash)
tags: added: juno-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/133299
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bfbe1ee96c871163e4af0eca7568e13be72b8fde
Submitter: Jenkins
Branch: master

commit bfbe1ee96c871163e4af0eca7568e13be72b8fde
Author: Henry Nash <email address hidden>
Date: Fri Nov 7 17:27:46 2014 +0000

    Fix project federation tokens for inherited roles.

    Currently project-scoped federation-generated tokens fail to include
    group roles that are inherited to the project from the owning domain.
    This error is also exposed via the /auth/projects and
    /OS-FEDERATION/projects API calls. This patch fixes this.

    Change-Id: I1ce5007984938365208630ad901c7c508c57fcd4
    Closes-bug: 1389752
    Closes-bug: 1385694

Changed in keystone:
status: In Progress → Fix Committed
Changed in keystone:
milestone: none → kilo-1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (feature/hierarchical-multitenancy)

Fix proposed to branch: feature/hierarchical-multitenancy
Review: https://review.openstack.org/138182

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (feature/hierarchical-multitenancy)

Change abandoned by Morgan Fainberg (<email address hidden>) on branch: feature/hierarchical-multitenancy
Review: https://review.openstack.org/138182

Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/142548

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/juno)

Reviewed: https://review.openstack.org/142548
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e5b660e170170fe193e8e650a0c0f6c8e2f7a7db
Submitter: Jenkins
Branch: stable/juno

commit e5b660e170170fe193e8e650a0c0f6c8e2f7a7db
Author: Henry Nash <email address hidden>
Date: Fri Nov 7 17:27:46 2014 +0000

    Fix project federation tokens for inherited roles.

    Currently project-scoped federation-generated tokens fail to include
    group roles that are inherited to the project from the owning domain.
    This error is also exposed via the /auth/projects and
    /OS-FEDERATION/projects API calls. This patch fixes this.

    (cherry picked from commit bfbe1ee96c871163e4af0eca7568e13be72b8fde)

    Backport note: New tests added to test_backend_kvs.KVSIdentity
    because the KVS backend didn't support the function in Juno.

    Change-Id: I1ce5007984938365208630ad901c7c508c57fcd4
    Closes-bug: 1389752
    Closes-bug: 1385694

Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-1 → 2015.1.0