assigning a domain-specific role in domain A for a user to a project in domain B should be prohibited

Bug #1590587 reported by Guang Yee
This bug affects 2 people

Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Sean Perry
Milestone: (none listed)

Bug Description

Domain-specific roles are visible in their owning domains only. Therefore, assigning a domain-specific role in a domain to users for a project in another domain should be prohibited.

To reproduce:

1. create a domain-specific "foo_domain_role" in the "foo" domain.
2. create a project "bar_project" in "bar" domain.
3. create a user "bar_user" in "bar" domain.
4. now assign the role "foo_domain_role" to user "bar_user" for "bar_project"; this should yield 403 instead of 201.
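To make the reported behaviour and the rule the later fix applies concrete, here is an added Python model of the grant check. It is not the reporter's code and not keystone's own implementation: the Role/Project/User classes, the AssignmentManager, the exception name and its 403 mapping, and the extra fixtures "foo_project" and "member" are assumed for illustration; only the "foo" and "bar" domains, "foo_domain_role", "bar_project" and "bar_user" come from the report. The enforce_role_domain switch shows the pre-fix result (201) beside the fixed result (403), and the extra cases show what the fix still permits (a user from another domain, a global role).

```python
"""Illustrative model of the domain-specific-role grant check (not keystone code)."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Role:
    id: str
    name: str
    domain_id: Optional[str] = None  # None = global role; set = domain-specific role


@dataclass(frozen=True)
class Project:
    id: str
    name: str
    domain_id: str


@dataclass(frozen=True)
class User:
    id: str
    name: str
    domain_id: str


class DomainSpecificRoleMismatch(Exception):
    """Raised when a domain-specific role is granted on a project in another domain.

    Assumed to be mapped to HTTP 403 by the API layer, as the report expects.
    """
    http_status = 403


class AssignmentManager:
    """Stand-in for an assignment manager (assumed, not keystone's).

    enforce_role_domain=False reproduces the behaviour the bug describes (the
    cross-domain grant is accepted); True applies the rule "project domain must
    match role domain" for domain-specific roles.
    """

    def __init__(self, enforce_role_domain: bool = True) -> None:
        self.enforce_role_domain = enforce_role_domain
        self.grants: Set[Tuple[str, str, str]] = set()

    def create_grant(self, role: Role, user: User, project: Project) -> int:
        """Grant `role` to `user` on `project`; return the HTTP status the API would give."""
        if (self.enforce_role_domain
                and role.domain_id is not None
                and role.domain_id != project.domain_id):
            # Only the project's domain is compared with the role's domain; the
            # user's domain is deliberately not checked and may differ.
            raise DomainSpecificRoleMismatch(
                f"role {role.name} belongs to domain {role.domain_id}, "
                f"project {project.name} belongs to domain {project.domain_id}")
        self.grants.add((role.id, user.id, project.id))
        return 201


def grant_status(manager: AssignmentManager, role: Role, user: User, project: Project) -> int:
    """Run create_grant and collapse the outcome to an HTTP status code."""
    try:
        return manager.create_grant(role, user, project)
    except DomainSpecificRoleMismatch as exc:
        return exc.http_status


# Constructed fixtures mirroring the reproduction steps; ids are made up.
FOO_DOMAIN_ROLE = Role(id="r1", name="foo_domain_role", domain_id="foo")
BAR_PROJECT = Project(id="p1", name="bar_project", domain_id="bar")
BAR_USER = User(id="u1", name="bar_user", domain_id="bar")
FOO_PROJECT = Project(id="p2", name="foo_project", domain_id="foo")  # assumed, allowed case
GLOBAL_ROLE = Role(id="r2", name="member")                             # assumed global role


def reproduce() -> dict:
    """Return the status codes for the report's scenario before and after the check."""
    before = AssignmentManager(enforce_role_domain=False)
    after = AssignmentManager(enforce_role_domain=True)
    return {
        # Step 4 of the report: "foo" role on a "bar" project.
        "cross_domain_before_fix": grant_status(before, FOO_DOMAIN_ROLE, BAR_USER, BAR_PROJECT),
        "cross_domain_after_fix": grant_status(after, FOO_DOMAIN_ROLE, BAR_USER, BAR_PROJECT),
        # Still allowed: a "bar" user gets a "foo" role on a "foo" project.
        "user_other_domain_project_matches": grant_status(after, FOO_DOMAIN_ROLE, BAR_USER, FOO_PROJECT),
        # Global roles carry no domain and are never subject to the check.
        "global_role_cross_domain": grant_status(after, GLOBAL_ROLE, BAR_USER, FOO_PROJECT),
    }


if __name__ == "__main__":
    for case, status in reproduce().items():
        print(f"{case}: {status}")
```

Run it directly to see the four outcomes; the only case that changes between the two managers is the cross-domain project grant from step 4.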

Revision history for this message
Henry Nash (henry-nash) wrote :

Is this using policy.json or policy.v3cloudsample.json? And is the assignment done with http, or osc?

Revision history for this message
Guang Yee (guang-yee) wrote :

This is using vanilla devstack and policy.json. Assignment was done via "openstack role add".

Revision history for this message
Dolph Mathews (dolph) wrote :

I agree with the assertion in the bug. I would think that this would return a 4xx error (not sure I agree with a 403, but...) for both of the following reasons:

1. A domain-specific role should not be assignable to users owned by another domain.

2. A domain-specific role should not be assignable to projects owned by another domain.

It appears that neither one of these is being checked? Is there a use case to not check against one of these?

Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
Summer (chengkun)
Changed in keystone:
assignee: nobody → yechengkun (chengkun)
Summer (chengkun)
Changed in keystone:
assignee: yechengkun (chengkun) → nobody
Changed in keystone:
assignee: nobody → Sean Perry (sean-perry-a)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/365177

Changed in keystone:
status: Triaged → In Progress
Changed in keystone:
milestone: none → newton-rc1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/365177
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=73bdbe1f87ac3571bb5a348158ad1e4ece73fbcc
Submitter: Jenkins
Branch: master

commit 73bdbe1f87ac3571bb5a348158ad1e4ece73fbcc
Author: Sean Perry <email address hidden>
Date: Fri Sep 2 16:48:54 2016 -0700

    Project domain must match role domain for assignment

    When assigning a Domain specific role to a user it is OK if the user
    is from a different domain, but the project's domain must match the
    role's domain.

    Closes-Bug: 1590587
    Change-Id: I1d63415de0130794939998c3e142ebdce9ddf39d

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 10.0.0.0rc1

This issue was fixed in the openstack/keystone 10.0.0.0rc1 release candidate.
