Role names should be globally unique and required

Bug #932258 reported by Anthony Young
This bug affects 4 people
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
High
Dolph Mathews

Bug Description

Steps to reproduce:

$ keystone --debug --username admin --password secrete --tenant_name admin --auth-url http://127.0.0.1:5000/v2.0/ role-create --name=this
$ keystone --debug --username admin --password secrete --tenant_name admin --auth-url http://127.0.0.1:5000/v2.0/ role-create --name=this

Expected:

Second command should fail

Actual:

Both succeed.

A related issue is that the following yields a role with no name:

$ keystone --debug --username admin --password secrete --tenant_name admin --auth-url http://127.0.0.1:5000/v2.0/ role-create

Tags: redux
Joseph Heck (heckj)
Changed in keystone:
importance: Undecided → Medium
Dean Troyer (dtroyer) wrote :

The required --name is fixed in https://review.openstack.org/4375

Joseph Heck (heckj)
Changed in keystone:
status: New → Fix Committed
Chris Fattarsi (chris-fattarsi) wrote :

It looks like this patch only enforces role name constraints on the keystone client. Is there any enforcement on the server-side as well, where it is probably most important?

Seems like it could be a serious vulnerability if people were using role names to key off of.

Dolph Mathews (dolph) wrote :

I'm still able to reproduce the original issue on master (although the syntax for --auth-url has since changed to --auth_url).

Changed in keystone:
status: Fix Committed → Confirmed
justinsb (justin-fathomdb) wrote :

I believe this bug is still present, and I think it might well be a release-blocker. Even if we are using keystone now in such a way that we side-step any issues, I think having garbage data in the database will cause serious problems later as the code evolves.

root@privatecloud1:/home/justinsb/openstack-simple-config# keystone role-list
+----------------------------------+----------------------+
| id                               | name                 |
+----------------------------------+----------------------+
| 13caa3845c254fc9ade0bdc9b1d6f29a | admin                |
| 6cda98de42d34aada583ac71b29eae65 | KeystoneAdmin        |
| afe1cd7b0fac469488af1f29b9a3b9ea | KeystoneServiceAdmin |
| bf05b6fe85a041af8d45eac27432b6db | KeystoneServiceAdmin |
| f573295fedc4486b8aa4dda64cb35526 | KeystoneAdmin        |
+----------------------------------+----------------------+

Dolph Mathews (dolph) wrote :

Promoting priority, as I agree with Justin.

Changed in keystone:
importance: Medium → High
milestone: none → essex-rc1
Changed in keystone:
assignee: nobody → yong sheng gong (gongysh)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/5485

Changed in keystone:
status: Confirmed → In Progress
Changed in keystone:
assignee: yong sheng gong (gongysh) → Dolph Mathews (dolph)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/5485
Committed: http://github.com/openstack/keystone/commit/d61aedaf868d984f1c317a73b362a2e7a366ef89
Submitter: Jenkins
Branch: master

commit d61aedaf868d984f1c317a73b362a2e7a366ef89
Author: Yong Sheng Gong <email address hidden>
Date: Sun Mar 18 23:56:35 2012 +0800

    unique role name constraint

    For SQL identity backend, add unique constraint with column definition;
    for kvs and ldap backend, use python code to apply this constraint.
    Test cases test_create_duplicate_role_name_fails and test_rename_duplicate_role_name_fails are added to guard it.
    python run_tests.py test_backend_ldap test_backend_kvs test_backend_sql pass.

    bug 932258.

    Change-Id: I990f17a270e84d35c078f215c587a81d6784c192

Changed in keystone:
status: In Progress → Fix Committed
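The approach the commit above describes (a unique constraint in the column definition for the SQL backend, Python-side checks for the kvs and ldap backends), together with the server-side enforcement Chris Fattarsi asked about, as a small added example. This is not Keystone's code: the class and exception names (KvsRoleStore, SqlRoleStore, Conflict, ValidationError) are assumptions, sqlite3 stands in for the real SQL backend, and the demo() run mirrors the reproduction steps from the bug description (duplicate create, missing name, rename onto an existing name).

```python
"""Server-side role-name uniqueness and required-name enforcement.

Added example modelled on the fix described in the bug; not Keystone's code.
  * KvsRoleStore: in-memory dict, rules enforced in Python (the approach
    the commit takes for the kvs and ldap backends).
  * SqlRoleStore: sqlite3 table with NOT NULL UNIQUE on name (the approach
    the commit takes for the SQL backend); the Python check runs too so the
    caller sees a clear error rather than a bare IntegrityError.
"""
import sqlite3
import uuid


class Conflict(Exception):
    """Role name already taken (assumed name for a 409-style error)."""


class ValidationError(Exception):
    """Role name missing or blank (assumed name for a 400-style error)."""


def _validate_name(name):
    # A request that omits --name must not produce a nameless role, so reject
    # None, empty and whitespace-only names before touching the backend.
    if name is None or not str(name).strip():
        raise ValidationError("role name is required")
    return str(name).strip()


class KvsRoleStore:
    def __init__(self):
        self._roles = {}  # role_id -> {'id': ..., 'name': ...}

    def _name_in_use(self, name, exclude_id=None):
        return any(r['name'] == name and rid != exclude_id
                   for rid, r in self._roles.items())

    def create_role(self, name):
        name = _validate_name(name)
        if self._name_in_use(name):
            raise Conflict("role name %r already exists" % name)
        role_id = uuid.uuid4().hex
        self._roles[role_id] = {'id': role_id, 'name': name}
        return self._roles[role_id]

    def rename_role(self, role_id, new_name):
        # Rename is the second path the commit's tests guard: the check must
        # exclude the role being renamed but reject every other holder.
        new_name = _validate_name(new_name)
        if role_id not in self._roles:
            raise KeyError(role_id)
        if self._name_in_use(new_name, exclude_id=role_id):
            raise Conflict("role name %r already exists" % new_name)
        self._roles[role_id]['name'] = new_name
        return self._roles[role_id]

    def list_roles(self):
        return sorted(self._roles.values(), key=lambda r: r['name'])


class SqlRoleStore:
    def __init__(self):
        self._db = sqlite3.connect(":memory:")
        # The database itself refuses nameless and duplicate roles, whatever
        # client sent the request, so the rule cannot be bypassed by a client
        # that skips its own --name check.
        self._db.execute(
            "CREATE TABLE role (id TEXT PRIMARY KEY, name TEXT NOT NULL UNIQUE)")

    def create_role(self, name):
        name = _validate_name(name)
        role_id = uuid.uuid4().hex
        try:
            with self._db:  # commits on success, rolls back on exception
                self._db.execute("INSERT INTO role (id, name) VALUES (?, ?)",
                                 (role_id, name))
        except sqlite3.IntegrityError:
            raise Conflict("role name %r already exists" % name)
        return {'id': role_id, 'name': name}

    def rename_role(self, role_id, new_name):
        new_name = _validate_name(new_name)
        try:
            with self._db:
                cur = self._db.execute("UPDATE role SET name = ? WHERE id = ?",
                                       (new_name, role_id))
        except sqlite3.IntegrityError:
            raise Conflict("role name %r already exists" % new_name)
        if cur.rowcount == 0:
            raise KeyError(role_id)
        return {'id': role_id, 'name': new_name}

    def list_roles(self):
        rows = self._db.execute("SELECT id, name FROM role ORDER BY name")
        return [{'id': i, 'name': n} for i, n in rows]


def demo(store):
    """Replay the bug's reproduction steps against a store; returns what each
    attempt produced plus the names that survived."""
    store.create_role("this")
    admin = store.create_role("admin")
    attempts = {
        "duplicate create": lambda: store.create_role("this"),
        "missing name": lambda: store.create_role(None),
        "blank name": lambda: store.create_role("   "),
        "rename onto existing": lambda: store.rename_role(admin['id'], "this"),
    }
    outcome = {}
    for label, attempt in attempts.items():
        try:
            attempt()
            outcome[label] = "accepted"
        except (Conflict, ValidationError) as exc:
            outcome[label] = type(exc).__name__
    outcome["names"] = [r['name'] for r in store.list_roles()]
    return outcome


if __name__ == "__main__":
    for backend in (KvsRoleStore, SqlRoleStore):
        print(backend.__name__, demo(backend()))
```

Both stores give the same answers, which is the property the commit's new test cases check across backends: a second `role-create --name=this` is refused, a create without a name is refused, and a rename that would collide is refused, so the role table can never again look like the listing Justin posted.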
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: essex-rc1 → 2012.1