Removing a user from a project results in all members of that project being removed

Bug #1170649 reported by Philip Mark M. Deazeta on 2013-04-19
This bug affects 11 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | | Critical | Dolph Mathews |
Grizzly | | Critical | Dolph Mathews |

Bug Description

Given a project with multiple users who have a role in that project, I choose one user from that project and then remove ALL roles of that user from the project. This action kicks out all the users from that project.

Based on the MySQL logs, removing the role of the user executes this command:
DELETE FROM user_project_metadata WHERE user_project_metadata.project_id = '430713609fad4216a3b72cf080eba006';

Patch for this bug:

--- a/keystone/identity/backends/sql.py
+++ b/keystone/identity/backends/sql.py
@@ -435,6 +435,7 @@ class Identity(sql.Base, identity.Driver):
                 session = self.get_session()
                 q = session.query(UserProjectGrant)
                 q = q.filter_by(project_id=tenant_id)
+               q = q.filter_by(user_id=user_id)
                 q.delete()
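Review bot: the added `q = q.filter_by(user_id=user_id)` is the entire fix, and it is necessary: before it, the only predicate on the query is `project_id=tenant_id`, so `q.delete()` removes the grant row of every user in the project, which is exactly the `DELETE ... WHERE project_id = '...'` statement captured in the MySQL log above. The hunk carries no test; it should be paired with a regression test that grants roles to two users on one project, removes all roles of one of them, and asserts that the other user's grant row still exists, since that is the case the original code silently gets wrong.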

description: updated
Adam Young (ayoung) on 2013-04-26
Changed in keystone:
assignee: nobody → Adam Young (ayoung)
Olman (olmangarcia) wrote :

This should be fixed with high priority. After removing a user from their only role, it revokes the grants of all other users, so they can no longer access the project. Additionally, the fix is pretty easy.

Aimon Bustardo (aimonb) wrote :

I agree with Olman. Also, I do not see a risk to adding this much needed fix.

Dolph Mathews (dolph) on 2013-05-23
Changed in keystone:
importance: Undecided → High
Changed in keystone:
assignee: Adam Young (ayoung) → Ashutosh Tomar (tomars-ashutosh)

The SQL query is modified: in addition to project_id, it will now also match user_id before removing the role of a user. I will be submitting the fix for review later today after some more testing. Cheers, Ashutosh

DELETE FROM user_project_metadata WHERE user_project_metadata.project_id = %s AND user_project_metadata.user_id = %s
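To make the failure concrete, the following is an added example (not code from keystone or from this bug's patch) that replays the query from the MySQL log in the report and the corrected query above against a simplified, in-memory copy of the user_project_metadata table. The table shape, the user ids and the guarded-delete wrapper are assumptions for illustration; only the project id is taken from the bug report.

```python
import sqlite3

# Project id quoted from the MySQL log in the bug report; user ids are constructed.
PROJECT_ID = "430713609fad4216a3b72cf080eba006"
SAMPLE_GRANTS = [
    ("user-admin", PROJECT_ID),
    ("user-alice", PROJECT_ID),
    ("user-bob", PROJECT_ID),
]

# The query the buggy driver emitted (project_id only) and the corrected one.
BUGGY_SQL = "DELETE FROM user_project_metadata WHERE project_id = ?"
FIXED_SQL = "DELETE FROM user_project_metadata WHERE project_id = ? AND user_id = ?"


def make_db():
    """Simplified stand-in for keystone's user_project_metadata table (assumed shape)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_project_metadata ("
        "user_id TEXT NOT NULL, project_id TEXT NOT NULL, "
        "PRIMARY KEY (user_id, project_id))"
    )
    conn.executemany("INSERT INTO user_project_metadata VALUES (?, ?)", SAMPLE_GRANTS)
    conn.commit()  # commit seed data so a later rollback only undoes the delete
    return conn


def remaining_users(conn, project_id):
    """Users that still hold a grant on the project, sorted for stable comparison."""
    rows = conn.execute(
        "SELECT user_id FROM user_project_metadata WHERE project_id = ? ORDER BY user_id",
        (project_id,),
    )
    return [r[0] for r in rows]


def guarded_delete(conn, sql, params):
    """Defensive wrapper: removing one user's grant must touch at most one row.
    If more rows are affected the statement is rolled back and False is returned,
    which is the check that would have stopped this bug from locking out a project."""
    cur = conn.execute(sql, params)
    if cur.rowcount > 1:
        conn.rollback()
        return False
    conn.commit()
    return True


def remove_bob(sql, params, guarded=False):
    """Remove user-bob's grant with the given statement; return (accepted, users left)."""
    conn = make_db()
    if guarded:
        ok = guarded_delete(conn, sql, params)
    else:
        conn.execute(sql, params)
        conn.commit()
        ok = True
    return ok, remaining_users(conn, PROJECT_ID)
```

Running the buggy statement unguarded empties the project, the fixed statement removes only user-bob, and the guard rejects the buggy statement and leaves all three grants in place.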

Changed in keystone:
status: New → Confirmed
Brian Waldon (bcwaldon) on 2013-06-01
Changed in keystone:
importance: High → Critical
Changed in keystone:
milestone: none → havana-2
Gabriel Hurley (gabriel-hurley) wrote :

This needs to be fixed ASAP and should be backported to stable/grizzly. You can completely lock yourself out of your cloud by removing a user from a project with your admins in it. That's a serious problem.

tags: added: grizzly-backport-potential

Fix proposed to branch: master
Review: https://review.openstack.org/31552

Changed in keystone:
assignee: Ashutosh Tomar (tomars-ashutosh) → Dolph Mathews (dolph)
status: Confirmed → In Progress
Dolph Mathews (dolph) wrote :

Ashutosh: I went ahead and proposed a patch for this. If you have additional tests to contribute, please do so!

Reviewed: https://review.openstack.org/31552
Committed: http://github.com/openstack/keystone/commit/3d5b6ddce97c53fdafba1f51159e8243723a026f
Submitter: Jenkins
Branch: master

commit 3d5b6ddce97c53fdafba1f51159e8243723a026f
Author: Dolph Mathews <email address hidden>
Date: Mon Jun 3 14:46:53 2013 -0500

    remove_role_from_user_and_project affecting all users (bug 1170649)

    Change-Id: I2333404991114e6985f3f2c4de4fb30dc3195b2d

Changed in keystone:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/31705
Committed: http://github.com/openstack/keystone/commit/81a4d386bc1b8f9e32026506bd1ae134d3df643b
Submitter: Jenkins
Branch: stable/grizzly

commit 81a4d386bc1b8f9e32026506bd1ae134d3df643b
Author: Dolph Mathews <email address hidden>
Date: Mon Jun 3 14:46:53 2013 -0500

    remove_role_from_user_and_project affecting all users (bug 1170649)

    Change-Id: I2333404991114e6985f3f2c4de4fb30dc3195b2d

tags: removed: grizzly-backport-potential
Thierry Carrez (ttx) on 2013-07-17
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-2 → 2013.2