Self-service policies for credential APIs are broken in stable/rocky

Bug #1815539 reported by Guang Yee
Affects                        Status        Importance  Assigned to  Milestone
OpenStack Identity (keystone)  Fix Released  High        Guang Yee
  Rocky                        Fix Released  High        Guang Yee

Bug Description

Self-service policies for credential APIs are broken in stable/rocky. More specifically, Get/Update/Delete no longer work with the following policies.

"identity:get_credential": "rule:admin_required or user_id:%(target.credential.user_id)s"
"identity:update_credential": "rule:admin_required or user_id:%(target.credential.user_id)s"
"identity:delete_credential": "rule:admin_required or user_id:%(target.credential.user_id)s"

This used to work in Pike and Queens because we passed the entity to policy enforcement via get_member_from_driver.

https://github.com/openstack/keystone/blob/stable/queens/keystone/credential/controllers.py#L36

However, in stable/rocky we no longer pass the entity as part of the target.

https://github.com/openstack/keystone/blob/stable/rocky/keystone/api/credentials.py#L86

Therefore, any policy rule which has target.credential.* no longer works.

Stein seems to be working again as the problem was fixed as part of https://bugs.launchpad.net/keystone/+bug/1788415.

We'll need to fix stable/rocky by conveying the credential entity to the target again.
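The three rules above only grant self-service access when the enforcement target carries the credential entity, because `%(target.credential.user_id)s` is resolved against the target at check time. The following is an added example (not keystone's or oslo.policy's code) that models just enough of oslo.policy's rule evaluation to reproduce the regression offline: a `target` built without the entity, as stable/rocky did, makes the `user_id:` clause unresolvable, so only the `admin_required` branch can ever pass. The `admin_required` definition (`role:admin`), the mini-evaluator (only `rule:`, `role:` and `<attr>:%(target.path)s` terms joined by `or`), and the users and credential are assumptions constructed for the example.

```python
"""Minimal model of oslo.policy-style rule evaluation for keystone's
credential self-service rules.  Added example, not keystone or
oslo.policy code: it implements only the check kinds used by the three
rules quoted in the bug ("rule:<name>", "role:<name>" and
"<cred attr>:%(target.path)s") joined by "or"."""
import re

# The three rules quoted in the bug report, keyed by API action.
# "admin_required" is assumed to be defined as role:admin here.
POLICY = {
    "admin_required": "role:admin",
    "identity:get_credential":
        "rule:admin_required or user_id:%(target.credential.user_id)s",
    "identity:update_credential":
        "rule:admin_required or user_id:%(target.credential.user_id)s",
    "identity:delete_credential":
        "rule:admin_required or user_id:%(target.credential.user_id)s",
}

_TARGET_REF = re.compile(r"^%\((.+)\)s$")


def _lookup(target, dotted):
    """Resolve e.g. 'target.credential.user_id' against the target dict.
    Returns None when any path element is missing, which is exactly
    what happens when the target is built without the entity."""
    cur = {"target": target}
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def _check(term, creds, target):
    """Evaluate one 'kind:value' term of a rule."""
    kind, _, value = term.partition(":")
    if kind == "rule":
        return enforce(value, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    m = _TARGET_REF.match(value)
    if m:  # generic "<cred attr>:%(target.path)s" comparison
        expected = _lookup(target, m.group(1))
        return expected is not None and creds.get(kind) == expected
    return creds.get(kind) == value


def enforce(action, creds, target):
    """True if creds may perform action against target ('or' only)."""
    rule = POLICY[action]
    return any(_check(t.strip(), creds, target) for t in rule.split(" or "))


# Constructed sample data: a non-admin owner, an admin, and the owner's credential.
ALICE = {"user_id": "u-alice", "roles": ["member"]}
ADMIN = {"user_id": "u-admin", "roles": ["admin"]}
ALICE_CRED = {"id": "c-1", "user_id": "u-alice", "type": "ec2"}


def rocky_target(credential):
    """stable/rocky: target built without the entity (the regression)."""
    return {}


def fixed_target(credential):
    """Queens, Stein and the fixed Rocky: entity conveyed as
    target['credential'] so %(target.credential.user_id)s resolves."""
    return {"credential": credential}


def allowed(action, creds, credential, build_target):
    return enforce(action, creds, build_target(credential))


if __name__ == "__main__":
    for name, build in (("rocky", rocky_target), ("fixed", fixed_target)):
        print(name,
              "owner:", allowed("identity:get_credential", ALICE, ALICE_CRED, build),
              "admin:", allowed("identity:get_credential", ADMIN, ALICE_CRED, build))
```

With the empty Rocky target the owner is denied while the admin still passes, which is the "only admin can perform credential operations" symptom; with the entity conveyed, the owner passes and an unrelated non-admin user is still refused. A regression test for the real API should assert both halves, since a test that only checks the admin path cannot catch this class of bug.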

Colleen Murphy (krinkle)
Changed in keystone:
status: New → Triaged
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/637341

summary: - Self-service policies for credential APIs are boken in stable/rocky
+ Self-service policies for credential APIs are broken in stable/rocky
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/rocky)

Reviewed: https://review.openstack.org/637341
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4420b78c0151783b5e1acb0cfc060eb35713d0ae
Submitter: Zuul
Branch: stable/rocky

commit 4420b78c0151783b5e1acb0cfc060eb35713d0ae
Author: Guang Yee <email address hidden>
Date: Fri Feb 15 17:14:18 2019 -0800

    fix self-service credential APIs

    Self-service credential APIs are broken in stable/rocky because
    it no longer builds the target attributes with the entity
    data. Therefore, only "admin" can perform credential operations.
    The lack of self-service capability limits the usefulness of
    these APIs. Arguably this breaks backward compatibility as
    self-service used to work in stable/queens and older releases.
    Though we've never built the proper tests to guard this
    functionality.

    This patch re-enables self-service capability by conveying the
    entity data via the target attributes. It also builds the proper
    tests for it.

    Change-Id: Ic7dddc4d2fe7b6c6ae3bf6aed6c4c048743b3eed
    Closes-Bug: 1815539

tags: added: in-stable-rocky
Colleen Murphy (krinkle)
Changed in keystone:
status: Triaged → Fix Committed
assignee: nobody → Guang Yee (guang-yee)
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 14.1.0

This issue was fixed in the openstack/keystone 14.1.0 release.

David Wilde (dave-wilde)
Changed in keystone:
status: Fix Committed → Fix Released