Application credentials with a deleted role are unusable

Bug #2053137 reported by Boris Bobrov
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Undecided | Unassigned |

Bug Description

Steps to reproduce:

1. Create role R
2. Create an application credential with role R in it
3. Delete role R
4. Try to list the application credentials

Observed: list fails with 404: Role Not Found
Expected: not sure

I see the following potential behaviors:
1. The role can be removed from the application credential when the role is deleted, leaving the application credential intact; however, the application credential might remain without roles, and I am not sure what it means;
2. The application credential could be immediately deleted when a role is deleted, because it references an invalid role;
3. The non-existing role can stay with the application credential in the database and can simply be ignored when processing the application credential internally.

Boris Bobrov (bbobrov) wrote :

We actually have a test for that: https://opendev.org/openstack/keystone/src/commit/7dc175a41f92e3f01cf26912431d0f2c98a03b32/keystone/tests/unit/test_v3_auth.py#L5807
But I think the test is wrong and should return 401 instead of 404.

Boris Bobrov (bbobrov) wrote :
Changed in keystone:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/908998
Committed: https://opendev.org/openstack/keystone/commit/63556be0e3b995a2a232a0b180c932a97736350e
Submitter: "Zuul (22348)"
Branch: master

commit 63556be0e3b995a2a232a0b180c932a97736350e
Author: Boris Bobrov <email address hidden>
Date: Wed Feb 14 16:11:41 2024 +0100

    Fix operation order in role deletion

    Deletion of a role leads to deletion of role assignments and entries in
    the application credentials. However, deletion of the entries in
    application credentials depends on the existence of the assignment, so
    the order of deletion is important.

    Delete the entries from application credentials first and then clean up
    role assignment.

    Closes-Bug: 2053137
    Change-Id: Ibba9063c729961cd4155f8b55dbabd4789d7a438

Changed in keystone:
status: In Progress → Fix Released
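
The ordering problem from the commit message above, as an added example that is not keystone code and not part of the original report: a constructed in-memory model that runs the reproduction steps with both deletion orders. The class and function names are hypothetical, and the model assumes that cleanup finds affected application credentials through the role's assignments and removes the whole credential.

```python
class RoleNotFound(Exception):
    """Stands in for the 404 'Role Not Found' seen in the report."""

class Identity:
    """Constructed in-memory model, not keystone's data layer."""
    def __init__(self, roles, assignments, app_creds):
        self.roles = set(roles)
        self.assignments = set(assignments)  # (user, project, role)
        self.app_creds = dict(app_creds)     # name -> (user, project, roles)

    def _purge_app_creds(self, role):
        # Assumption: credentials to purge are located through the
        # assignments that still carry the role.
        holders = {(u, p) for (u, p, r) in self.assignments if r == role}
        self.app_creds = {n: c for n, c in self.app_creds.items()
                          if not ((c[0], c[1]) in holders and role in c[2])}

    def _purge_assignments(self, role):
        self.assignments = {a for a in self.assignments if a[2] != role}

    def delete_role(self, role, fixed_order):
        if fixed_order:
            self._purge_app_creds(role)    # assignments still present
            self._purge_assignments(role)
        else:
            self._purge_assignments(role)
            self._purge_app_creds(role)    # finds no holders, purges nothing
        self.roles.discard(role)

    def list_app_creds(self, user):
        names = []
        for name, (owner, _proj, roles) in sorted(self.app_creds.items()):
            if owner == user:
                missing = roles - self.roles
                if missing:                # dangling role reference
                    raise RoleNotFound(sorted(missing)[0])
                names.append(name)
        return names

def reproduce(fixed_order):
    """Steps 1-4 of the report, plus a second credential on another role."""
    idp = Identity(
        roles={"R", "reader"},
        assignments={("alice", "proj", "R"), ("alice", "proj", "reader")},
        app_creds={"ci": ("alice", "proj", {"R"}),
                   "ro": ("alice", "proj", {"reader"})},
    )
    idp.delete_role("R", fixed_order)
    return idp.list_app_creds("alice")
```

In this model the old order leaves credential `ci` pointing at a role that no longer exists, so listing raises for the whole user, including the unrelated credential `ro`.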
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 25.0.0.0rc1

This issue was fixed in the openstack/keystone 25.0.0.0rc1 release candidate.
