Empty mappring engine white/black lists should be treated differently than lack of them.
Bug #1434653 reported by
Marek Denis
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Fix Released
|
Low
|
Marek Denis | ||
Bug Description
Keystone mapping engine should correctly distinguish between empty black/whitelists and lack of them in the mapping rules.
Today, a mapping rule with
{
"local": [....],
"remote: [
{
}
]
}
will pass all the values conveyed under the parameter "x", whereas it should block (whitelist 0 elements) all the elements.
Since mapping engine rules engine about groups/roles assigned to the user it's extremely important to make the rules logic as strict as possible.
| Changed in keystone: | |
| assignee: | nobody → Marek Denis (marek-denis) |
| Changed in keystone: | |
| status: | New → In Progress |
| Changed in keystone: | |
| importance: | Undecided → Low |
| Changed in keystone: | |
| milestone: | none → kilo-rc1 |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to keystone (master) | #1 |
| Changed in keystone: | |
| status: | In Progress → Fix Committed |
| Changed in keystone: | |
| status: | Fix Committed → Fix Released |
| Changed in keystone: | |
| milestone: | kilo-rc1 → 2015.1.0 |
To post a comment you must log in.
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit 19190d651893469
Author: Adam Young <email address hidden>
Date: Mon Mar 16 13:34:59 2015 -0400
Distinguish between unset and empty black and white lists
With this patch the matching logic is as follows:
*) No whitelist specified - accept all values
*) Empty whitelist specified - discard all values
*) No blacklist specified - accept all values
*) Empty blacklist specified -accept all values
Closes-Bug: #1434653
Change-Id: I572d5044b74918