Application credentials can't be used with group-only role assignments

Bug #1773967 reported by Colleen Murphy on 2018-05-29
74
This bug affects 12 people
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
High
Jose Castro Leon
Ubuntu Cloud Archive
Undecided
Unassigned
keystone (Ubuntu)
Undecided
Unassigned

Bug Description

If a user only has a role assignment on a project via a group membership, the user can create an application credential for the project but it cannot be used. If someone tries to use it, the debug logs will report:

 User <uuid> has no access to project <uuid>

We need to ensure that any application credential that is created can be used so long as it is not expired and the user exists and has access to the project they created the application credential for. If we decide that application credentials should not be valid for users who have no explicit role assignments on projects, then we should prevent it from being created and provide a useful message to the user.

This is probably related to https://bugs.launchpad.net/keystone/+bug/1589993

Changed in keystone:
status: New → Confirmed
importance: Undecided → High
Rajat Sharma (tajar29) on 2018-06-07
Changed in keystone:
assignee: nobody → Rajat Sharma (tajar29)
Adam Young (ayoung) wrote :

Look at the trust code, as it solves this problem. Trusts and App Creds should use common code.

Changed in keystone:
assignee: Rajat Sharma (tajar29) → Vishakha Agarwal (vishakha.agarwal)
Edward Konetzko (konetzed) wrote :

Any update on this? I just ran into this issue and spent some time in IRC debugging with lbragstad I am willing to take a hacky patch I can apply to keystone 14 release. I am using Centos 7 with Openstack Rocky installed.

Thanks

Hi Edward,

I haven't started working over it. Pl feel free to assign this to yourself and push patch for it.

Thanks.

Colleen Murphy (krinkle) wrote :

Relatedly, application credentials don't work with implied roles. Since we now have the "member" role by default imply the "reader" role, the "reader" role appears in the token body and the user is allowed to create an application credential with it, but since it is not part of the role assignments table, the application credential can't then be used with just the "reader" role.

Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Jose Castro Leon (jose-castro-leon)
status: Confirmed → In Progress
Dmitrii Shcherbakov (dmitriis) wrote :

Encountered the same with a federation use-case. A user doesn't have direct role assignments for a project and the user is also not present in a group (in the keystone db) that has a role assignment on the project. However, the federated domain-scoped token and a project-scoped token created based on the federated one both have group membership information present => the user has the Member role on the project.

Trying to create an application credential (from Horizon) results in the following logged at the Keystone side:

(keystone.policy.backends.rules): 2019-05-14 09:01:42,703 DEBUG enforce identity:create_application_credential: {'trust_id': None, 'trustor_id': None, 'trustee_id': None, 'domain_id': None, 'domain_name': None, 'group_ids': ['a82a32cc8c8540afb47d0f568d035e91'], 'token': <TokenModel (audit_id=EhAR7yT8Q4-W1TURPGeXrg, audit_chain_id=['EhAR7yT8Q4-W1TURPGeXrg']) at 0x7f5b466ce550>, 'user_id': '7c2cd54542714c82a0854d4b159deaf2', 'user_domain_id': 'Federated', 'system_scope': None, 'project_id': '07d0c2ef8af340a9b2e07d2f82d5a65a', 'project_domain_id': '4787f8cd807f4d67bf5bf70b84fd3dc2', 'roles': ['Member'], 'is_admin_project': False, 'service_user_id': None, 'service_user_domain_id': None, 'service_project_id': None, 'service_project_domain_id': None, 'service_roles': []}

(keystone.common.wsgi): 2019-05-14 09:01:33,026 WARNING Invalid application credential: Could not find role assignment with role: f82ad8932d8f4f69ab4199aee3b4b736, user or group: 7c2cd54542714c82a0854d4b159deaf2, project, domain, or system: 07d0c2ef8af340a9b2e07d2f82d5a65a.

f82ad8932d8f4f69ab4199aee3b4b736 - Member role (global, domain == None)
7c2cd54542714c82a0854d4b159deaf2 - a shadow-mapped (federated) user
07d0c2ef8af340a9b2e07d2f82d5a65a - the target project.

Dmitrii Shcherbakov (dmitriis) wrote :

I filed a separate issue for what was described in #5 because the original bug description says that an application credential can be created, whereas in #5 it cannot be created and the failure happens before the application credential is persisted into the Keystone db.

https://bugs.launchpad.net/keystone/+bug/1832092

Fix proposed to branch: master
Review: https://review.opendev.org/669886

Changed in keystone:
assignee: Jose Castro Leon (jose-castro-leon) → Gauvain Pocentek (gpocentek)

Change abandoned by Gauvain Pocentek (<email address hidden>) on branch: master
Review: https://review.opendev.org/669886

Changed in keystone:
assignee: Gauvain Pocentek (gpocentek) → nobody
Changed in keystone:
assignee: nobody → Colleen Murphy (krinkle)

Reviewed: https://review.opendev.org/655166
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=14b25bc5d18842210cfffe1afdca475e848b84aa
Submitter: Zuul
Branch: master

commit 14b25bc5d18842210cfffe1afdca475e848b84aa
Author: Jose Castro Leon <email address hidden>
Date: Tue Apr 23 15:38:16 2019 +0200

    Allows to use application credentials through group membership

    When using role assignment through groups, the user cannot use
    the application credentials created. This allows to look up
    the membership by checking inherited and group assignments.

    Change-Id: If1bf5bd785a494923303265797311d42018ba7af
    Closes-Bug: #1773967

Changed in keystone:
status: In Progress → Fix Released
Colleen Murphy (krinkle) on 2019-08-09
Changed in keystone:
assignee: Colleen Murphy (krinkle) → Jose Castro Leon (jose-castro-leon)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in keystone (Ubuntu):
status: New → Confirmed

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.

Reviewed: https://review.opendev.org/676200
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=933ea511d150ed2cbbd4265fc7513a9b3435baa2
Submitter: Zuul
Branch: stable/stein

commit 933ea511d150ed2cbbd4265fc7513a9b3435baa2
Author: Jose Castro Leon <email address hidden>
Date: Tue Apr 23 15:38:16 2019 +0200

    Allows to use application credentials through group membership

    When using role assignment through groups, the user cannot use
    the application credentials created. This allows to look up
    the membership by checking inherited and group assignments.

    Change-Id: If1bf5bd785a494923303265797311d42018ba7af
    Closes-Bug: #1773967
    (cherry picked from commit 14b25bc5d18842210cfffe1afdca475e848b84aa)

tags: added: in-stable-stein

Reviewed: https://review.opendev.org/689575
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cf83fc10569e7b52eeb52c0e164dfe36daeec309
Submitter: Zuul
Branch: stable/rocky

commit cf83fc10569e7b52eeb52c0e164dfe36daeec309
Author: Jose Castro Leon <email address hidden>
Date: Tue Apr 23 15:38:16 2019 +0200

    Allows to use application credentials through group membership

    When using role assignment through groups, the user cannot use
    the application credentials created. This allows to look up
    the membership by checking inherited and group assignments.

    Change-Id: If1bf5bd785a494923303265797311d42018ba7af
    Closes-Bug: #1773967
    (cherry picked from commit 14b25bc5d18842210cfffe1afdca475e848b84aa)
    (cherry picked from commit 933ea511d150ed2cbbd4265fc7513a9b3435baa2)

tags: added: in-stable-rocky

Reviewed: https://review.opendev.org/694096
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=578be15629a84d1edcfda546a93b7ccbb6959720
Submitter: Zuul
Branch: stable/queens

commit 578be15629a84d1edcfda546a93b7ccbb6959720
Author: Jose Castro Leon <email address hidden>
Date: Tue Apr 23 15:38:16 2019 +0200

    Allows to use application credentials through group membership

    When using role assignment through groups, the user cannot use
    the application credentials created. This allows to look up
    the membership by checking inherited and group assignments.

    Conflicts:
        This change conflicts with newer branches because most of the
        logic in keystone/token/providers/common.py was refactored into
        keystone/models/token_model.py during the Rocky release. This
        refactor causes the stable/queens version to diverge from
        stable/rocky, stable/stein, and stable/train patches, although it
        is functionally equivalent to the approach used in later releases.

    Change-Id: If1bf5bd785a494923303265797311d42018ba7af
    Closes-Bug: #1773967
    (cherry picked from commit 14b25bc5d18842210cfffe1afdca475e848b84aa)
    (cherry picked from commit 933ea511d150ed2cbbd4265fc7513a9b3435baa2)
    (cherry picked from commit cf83fc10569e7b52eeb52c0e164dfe36daeec309)

tags: added: in-stable-queens
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers