Can't create both inherited and direct role assignment on same entities

Bug #1403539 reported by Samuel de Medeiros Queiroz
This bug affects 4 people
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Samuel de Medeiros Queiroz

Bug Description

This bug applies to the SQL backend, since it is the only one that supports inherited role assignments.

Given a role assignment (actor_id, target_id, role_id, inherited), it should be possible to grant it as both direct and inherited:
- (actor_id, target_id, role_id, inherited=False)
- (actor_id, target_id, role_id, inherited=True)

Currently, it isn't possible, since the RoleAssignment table constraint does not include the inherited column in the primary key [1].

This bug affects inherited functionality on both domains and projects.

[1] https://github.com/openstack/keystone/blob/master/keystone/assignment/backends/sql.py#L776-L777
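
The following is an added example (not keystone's own code or schema) that reproduces the constraint problem with a constructed, simplified copy of the role_assignment table in an in-memory SQLite database: the column names are assumed to mirror keystone's table, and only the primary key differs between the two definitions. With the original key, the second grant for the same (actor, target, role) triple collides and is rejected; once `inherited` is part of the key, both the direct and the inherited assignment are stored.

```python
import sqlite3

# Constructed, simplified role_assignment table (assumption: column names
# follow keystone's table; the real table has more constraints).
# Before the fix: the primary key ignores the inherited flag.
DDL_BEFORE = """
CREATE TABLE role_assignment (
    type      TEXT    NOT NULL,
    actor_id  TEXT    NOT NULL,
    target_id TEXT    NOT NULL,
    role_id   TEXT    NOT NULL,
    inherited INTEGER NOT NULL,
    PRIMARY KEY (type, actor_id, target_id, role_id)
)
"""

# After the fix: inherited is part of the primary key, so a direct and an
# inherited assignment for the same triple are distinct rows.
DDL_AFTER = DDL_BEFORE.replace(
    "PRIMARY KEY (type, actor_id, target_id, role_id)",
    "PRIMARY KEY (type, actor_id, target_id, role_id, inherited)",
)


def grant_both(ddl):
    """Grant the same (actor, target, role) as direct and as inherited.

    Returns (stored, rejected): the inherited flags that ended up in the
    table and the ones the primary key constraint refused.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(ddl)
    rejected = []
    # Constructed sample: user 'u1' gets role 'admin' on project 'p1',
    # once for the project itself (0) and once for its subtree (1).
    for inherited in (0, 1):
        try:
            conn.execute(
                "INSERT INTO role_assignment VALUES (?, ?, ?, ?, ?)",
                ("UserProject", "u1", "p1", "admin", inherited),
            )
        except sqlite3.IntegrityError:
            rejected.append(inherited)
    stored = [r[0] for r in conn.execute(
        "SELECT inherited FROM role_assignment ORDER BY inherited")]
    conn.close()
    return stored, rejected
```

The same check, run against a real keystone database, would show whether a deployment's schema still carries the four-column key.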

Changed in keystone:
assignee: nobody → Samuel de Medeiros Queiroz (samuel-z)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/142472

Changed in keystone:
status: New → In Progress
Henry Nash (henry-nash) wrote :

It's a fair cop, guv, I did it! Yep, this needs to be possible, as the bug describes.

Changed in keystone:
milestone: none → kilo-rc1
Changed in keystone:
importance: Undecided → Medium
Changed in keystone:
assignee: Samuel de Medeiros Queiroz (samueldmq) → Morgan Fainberg (mdrnstm)
Changed in keystone:
assignee: Morgan Fainberg (mdrnstm) → Samuel de Medeiros Queiroz (samueldmq)
Changed in keystone:
milestone: kilo-rc1 → liberty-1
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/171596

tags: added: kilo-backport-potential
tags: added: kilo-rc-potential
removed: kilo-backport-potential
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/171596
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=193bcfeaeb1a7827f6298a6267c4c6a4d88c6bcf
Submitter: Jenkins
Branch: master

commit 193bcfeaeb1a7827f6298a6267c4c6a4d88c6bcf
Author: Samuel de Medeiros Queiroz <email address hidden>
Date: Wed Apr 8 08:38:06 2015 -0300

    Exposes bug on role assignments creation

    It should be possible to add both inherited and
    non-inherited role assignments for the same actor
    and target with the same role.

    However, this is not currently possible. This
    patch exposes this bug.

    Related-Bug: #1403539

    Change-Id: I9ee82b490ca36e9b2d135ef9ead54a2a4c312657

Thierry Carrez (ttx)
tags: removed: kilo-rc-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/142472
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5a0811f355671c94e985aa888be5472a7920afa4
Submitter: Jenkins
Branch: master

commit 5a0811f355671c94e985aa888be5472a7920afa4
Author: Samuel de Medeiros Queiroz <email address hidden>
Date: Wed Dec 17 12:52:40 2014 -0300

    Adds inherited column to RoleAssignment PK

    It should be possible to add both inherited and
    non-inherited role assignments for the same actor
    and target with the same role.

    However, this was not currently possible since
    the inherited column was not part of the PK of
    the assignment table.

    This patch alters the table definition and adds a
    migration script and tests for it.

    Closes-Bug: #1403539

    Change-Id: I1ba4935934b0dc6b6077d18761023ad50462c8b8

Changed in keystone:
status: In Progress → Fix Committed
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: liberty-1 → 8.0.0