Token for trust does not expand implied roles

Bug #1543318 reported by Adam Young
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Adam Young

Bug Description

def test_trusts_from_implied_role(self):
    self._create_three_roles()
    self._create_implied_role(self.role_list[0], self.role_list[1])
    self._create_implied_role(self.role_list[1], self.role_list[2])
    self._assign_top_role_to_user_on_project(self.user, self.project)

    # Create a trustee and assign the prior role to her
    trustee = unit.create_user(self.identity_api, domain_id=self.domain_id)
    ref = unit.new_trust_ref(
        trustor_user_id=self.user['id'],
        trustee_user_id=trustee['id'],
        project_id=self.project['id'],
        role_ids=[self.role_list[0]['id']])
    r = self.post('/OS-TRUST/trusts', body={'trust': ref})
    trust = r.result['trust']

    # Only the role that was specified is in the trust, NOT implied roles
    self.assertEqual(self.role_list[0]['id'], trust['roles'][0]['id'])
    self.assertThat(trust['roles'], matchers.HasLength(1))

    # Authenticate as the trustee
    auth_data = self.build_authentication_request(
        user_id=trustee['id'],
        password=trustee['password'],
        trust_id=trust['id'])
    r = self.v3_create_token(auth_data)
    token = r.result['token']

    # This fails
    self.assertThat(token['roles'], matchers.HasLength(3))

Adam Young (ayoung) wrote :

Issue is due to the trust API maintaining its own list of roles, which is then called from the auth/controller.
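
A simplified model of what the test in the bug description checks, added here as an illustration and not taken from Keystone or from this report: a trust that names only the top role yields one role when the token is built from the trust's stored list, and three once that list goes through implied-role expansion. The names IMPLIED, TRUST, expand_implied and the two token functions are hypothetical, and the sample data is constructed.

```python
# Simplified model, not Keystone's implementation. All names are hypothetical.
from collections import deque

# Constructed sample data mirroring the test: role_0 implies role_1,
# and role_1 implies role_2.
IMPLIED = {"role_0": {"role_1"}, "role_1": {"role_2"}}
# The trust stores only the role named when it was created.
TRUST = {"id": "trust-1", "role_ids": ["role_0"]}


def expand_implied(role_ids, implied=IMPLIED):
    """Return role_ids plus every role reachable through inference rules.

    Breadth-first walk with a visited set, so a cycle in the rules
    (a -> b -> a) terminates instead of looping.
    """
    seen = set(role_ids)
    queue = deque(role_ids)
    while queue:
        for nxt in implied.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen)


def trust_token_roles_unexpanded(trust):
    """Reported behaviour: the token carries the trust's own role list."""
    return sorted(trust["role_ids"])


def trust_token_roles_expanded(trust, implied=IMPLIED):
    """Expected behaviour: the trust's roles go through expansion first."""
    return expand_implied(trust["role_ids"], implied)


if __name__ == "__main__":
    print("unexpanded:", trust_token_roles_unexpanded(TRUST))
    print("expanded:  ", trust_token_roles_expanded(TRUST))
```
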

Changed in keystone:
assignee: nobody → Adam Young (ayoung)
Changed in keystone:
milestone: none → mitaka-3
importance: Undecided → Medium
Adam Young (ayoung)
Changed in keystone:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/279835

OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/277319
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=98934a3e548f8abd8722b01493356fcc8586b1ba
Submitter: Jenkins
Branch: master

commit 98934a3e548f8abd8722b01493356fcc8586b1ba
Author: Steve Martinelli <email address hidden>
Date: Mon Feb 8 03:48:25 2016 -0500

    add a test that uses trusts and implies roles

    looks like implied roles are not expanded for tokens that were
    created from trusts

    Change-Id: I76b94faf094721c254caa6f9d7289d084c957d80
    Closes-Bug: 1539240
    Related-Bug: 1543318

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/279835
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=790b8c22bea9336abe2ce301fda5962021974ded
Submitter: Jenkins
Branch: master

commit 790b8c22bea9336abe2ce301fda5962021974ded
Author: Adam Young <email address hidden>
Date: Fri Feb 12 18:16:05 2016 -0500

    Expand implied roles in trust tokens

    Closes-Bug: 1543318

    Change-Id: Iadcedaec184c7ca14ecd6ad5035265a310e2d5d2

Changed in keystone:
status: In Progress → Fix Released
Thierry Carrez (ttx) wrote : Fix included in openstack/keystone 9.0.0.0b3

This issue was fixed in the openstack/keystone 9.0.0.0b3 development milestone.
