OpenStack Identity (keystone)

Keystone App Creds Access Rules don´t work

Bug #1999068 reported by simon stephan
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
In Progress
Undecided
Pete Zaitcev

Bug Description

Hi,

we just tested Application Credentials with Access Rules. We tried to delegate a subset of the admin permissions to the application credentials for managing users, projects and domains. Unfortunately it seems that the Access Rules that we defined for "identity" were not working.

Example:
openstack application credential create test-appcred --role admin --access-rules '[{
        "method": "GET",
        "path": "/v3/domains",
        "service": "identity"
    }]'

With that access rule it was still allowed to create domains, users, projects, groups. For the other OpenStack Services no requests were possible, as expected.

Pete Zaitcev (zaitcev)
Changed in keystone:
assignee: nobody → Pete Zaitcev (zaitcev)
Revision history for this message
Pete Zaitcev (zaitcev) wrote :

I was able to reproduce the problem on the trunk (trunks for Keystone and Glance).

According to my tests, it is not important if the application credentials were created by an admin user or a regular user (with no admin role).

The result is, the access rules are ignored if they are applied to service "identity". But they work for other services as intended. The app creds work as intended otherwise, and setting _only_ OS_AUTH_TYPE=v3applicationcredential, OS_APPLICATION_CREDENTIAL_SECRET=yyyyy, OS_APPLICATION_CREDENTIAL_ID=zzzzzzzzzz is sufficient to authenticate with user's normal roles. Seems exactly as Simon reported.

BTW, Devstack does not configure service_type=xxxx in [keystone_authtoken] for any of its services, so it needs adding as documentation explains.

Isn't it the case that Keystone API does not have keystonemiddleware in its pipeline?

Revision history for this message
Pete Zaitcev (zaitcev) wrote :

I looked a little at the cause and I found the difference.

All other services just run keystonemiddleware normally, but Keystone uses a middleware known as "auth_context". It has a class AuthContextMiddleware that inherits from BaseAuthProtocol, provided by the auth_token module in keystonemiddleware. That class has its own process_request, which literally stubs all the exceptions and invokes the parent's process_request. But unfortunately, the process_request in keystonemiddleware expects to report errors by raising!

Look at

keystone/server/flask/request_processing/middleware/auth_context.py:
class AuthContextMiddleware(...., auth_token.BaseAuthProtocol):
@middleware_exceptions
def process_request(self, request):

and

keystonemiddleware/auth_token/__init__.py:
class BaseAuthProtocol(object):
def process_request(self, request):
def validate_allowed_request(self, request, token):

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/keystone/+/874346

Changed in keystone:
status: New → In Progress
Revision history for this message
Pete Zaitcev (zaitcev) wrote :

I'm going to change my mind about the root cause. It appears that we simply forgot to check if the authorization has set the flag request.user_token_valid, which keystonemiddleware checks in AuthProtocol.process_request(). I copied the missing chunk to AuthContextMiddleware.process_request() and it cleared the problem.

See WIP patch https://review.opendev.org/c/openstack/keystone/+/874346

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 24.0.0.0rc1

This issue was fixed in the openstack/keystone 24.0.0.0rc1 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/keystone/+/901926

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/keystone/+/901927

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/keystone/+/902029

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/keystone/+/902030

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/keystone/+/902031

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/keystone/+/902032

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/keystone/+/902033

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/keystone/+/902034

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (stable/train)

Change abandoned by "Elod Illes <email address hidden>" on branch: stable/train
Review: https://review.opendev.org/c/openstack/keystone/+/902034
Reason: Train is about to transition to End of Life. Open patches needs to be abandoned before branch deletion.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/901926
Committed: https://opendev.org/openstack/keystone/commit/ea8c8aa982235240cf58bd561132aefe33439506
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit ea8c8aa982235240cf58bd561132aefe33439506
Author: Pete Zaitcev <email address hidden>
Date: Sat Feb 18 02:09:39 2023 -0600

    Don't forget to check if authorization fails

    The fix is to copy the missing check from class AuthProtocol
    of keystonemiddleware.

    Closes-bug: 1999068
    Change-Id: I4fd7bf6b194c38815c2a9cdbab92a07315397eab
    (cherry picked from commit 1544c7fc0aca9638c7cd31742e778d9327d2a62c)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (stable/yoga)

Change abandoned by "Elod Illes <email address hidden>" on branch: stable/yoga
Review: https://review.opendev.org/c/openstack/keystone/+/902029
Reason: stable/yoga branch of openstack/keystone is about to be deleted. To be able to do that, all open patches need to be abandoned. Please cherry pick the patch to unmaintained/yoga if you want to further work on this patch.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (stable/ussuri)

Change abandoned by "Elod Illes <email address hidden>" on branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/keystone/+/902033
Reason: stable/ussuri branch of openstack/keystone transitioned to End of Life and is about to be deleted. To be able to do that, all open patches need to be abandoned.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (stable/victoria)

Change abandoned by "Elod Illes <email address hidden>" on branch: stable/victoria
Review: https://review.opendev.org/c/openstack/keystone/+/902032
Reason: stable/victoria branch of openstack/keystone is about to be deleted. To be able to do that, all open patches need to be abandoned. Please cherry pick the patch to unmaintained/victoria if you want to further work on this patch.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (stable/wallaby)

Change abandoned by "Elod Illes <email address hidden>" on branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/keystone/+/902031
Reason: stable/wallaby branch of openstack/keystone is about to be deleted. To be able to do that, all open patches need to be abandoned. Please cherry pick the patch to unmaintained/wallaby if you want to further work on this patch.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (stable/xena)

Change abandoned by "Elod Illes <email address hidden>" on branch: stable/xena
Review: https://review.opendev.org/c/openstack/keystone/+/902030
Reason: stable/xena branch of openstack/keystone is about to be deleted. To be able to do that, all open patches need to be abandoned. Please cherry pick the patch to unmaintained/xena if you want to further work on this patch.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (stable/zed)

Change abandoned by "Elod Illes <email address hidden>" on branch: stable/zed
Review: https://review.opendev.org/c/openstack/keystone/+/901927
Reason: stable/zed branch of openstack/keystone is about to be deleted. To be able to do that, all open patches need to be abandoned. Please cherry pick the patch to unmaintained/zed if you want to further work on this patch.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.