OpenStack Identity (keystone)

/v3/groups?name=<name> bypasses group_filter for LDAP

Bug #1588927 reported by Matthew Edmonds
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Medium
Matthew Edmonds
OpenStack Identity (keystone) newton-2 "n2"
Mitaka
Fix Released
Medium
Matthew Edmonds

Bug Description

The same problem reported and fixed for users as https://bugs.launchpad.net/keystone/+bug/1577804 also exists for groups.

Matthew Edmonds (edmondsw)
tags: added: mitaka-backport-potential
Matthew Edmonds (edmondsw)
Changed in keystone:
assignee: nobody → Matthew Edmonds (edmondsw)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/325939

Changed in keystone:
status: New → In Progress
Samuel de Medeiros Queiroz (samueldmq)
Changed in keystone:
importance: Undecided → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/325939
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1c0e59dc9c0cd8bb4fd54f26d01986a53bcd148c
Submitter: Jenkins
Branch: master

commit 1c0e59dc9c0cd8bb4fd54f26d01986a53bcd148c
Author: Matthew Edmonds <email address hidden>
Date: Fri Jun 3 14:54:54 2016 -0400

    Honor ldap_filter on filtered group list

    Fix GET /v3/groups?name=<name> to honor conf.ldap.group_filter.

    The case where groups are listed for a specific user was already
    honoring the filter, but the case where all groups are listed was not.
    Moved the check into the get_all_filtered method that is shared by both
    cases so that it is not duplicated.

    Change-Id: I4a11394de2e6414ba936e01bcf2fcc523bab8ba5
    Closes-Bug: #1588927

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/327703

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/mitaka)

Reviewed: https://review.openstack.org/327703
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0a5740a96d237feabc835c7e6c097df19aea0919
Submitter: Jenkins
Branch: stable/mitaka

commit 0a5740a96d237feabc835c7e6c097df19aea0919
Author: Matthew Edmonds <email address hidden>
Date: Fri Jun 3 14:54:54 2016 -0400

    Honor ldap_filter on filtered group list

    Fix GET /v3/groups?name=<name> to honor conf.ldap.group_filter.

    The case where groups are listed for a specific user was already
    honoring the filter, but the case where all groups are listed was not.
    Moved the check into the get_all_filtered method that is shared by both
    cases so that it is not duplicated.

    Change-Id: I4a11394de2e6414ba936e01bcf2fcc523bab8ba5
    Closes-Bug: #1588927
    (cherry picked from commit 1c0e59dc9c0cd8bb4fd54f26d01986a53bcd148c)

Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/keystone 9.1.0

This issue was fixed in the openstack/keystone 9.1.0 release.

Steve Martinelli (stevemar)
Changed in keystone:
milestone: none → newton-2
Revision history for this message
Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/keystone 10.0.0.0b2

This issue was fixed in the openstack/keystone 10.0.0.0b2 development milestone.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.