User roles are replaced by group roles in v3 tokens

Bug #1197874 reported by Henry Nash on 2013-07-04
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Critical
Henry Nash
Grizzly
Critical
Henry Nash

Bug Description

For v3 tokens, if there are any group roles for the required scope (e.g. domain or project), then ONLY these roles will be returned, at the expense of any non-group (i.e directly assigned) roles.

This is caused by incorrect coding in the driver calls of "get_roles_for_user_and_project()" and "get_roles_for_user_and_domain()" where a dict update method is used to try and add group roles into the user ones. Incredibly, despite lots of unit testing around this area, there isn't one that checks that both user and group roles are returned.

The v2 tokens are unaffected, since they don't call these functions, but rather add the group roles in manually.

The problem was discovered when implementing https://blueprints.launchpad.net/keystone/+spec/authenticate-role-rationalization which looked to handle all such role combination in one place. Since I suspect we will want to back-port this particular fix to stable/grizzly, I have broken this out as a separate patch.

Henry Nash (henry-nash) on 2013-07-04
description: updated
Henry Nash (henry-nash) wrote :

A further issue is that if you have multiple group roles on an entity, only the roles for one of the groups will be included (the same incorrect code will overwrite the roles for previous groups in the list being built for the token)

Changed in keystone:
importance: High → Critical

Fix proposed to branch: master
Review: https://review.openstack.org/35739

Changed in keystone:
status: New → In Progress
Henry Nash (henry-nash) on 2013-07-05
description: updated
Dolph Mathews (dolph) on 2013-07-05
tags: added: grizzly-backport-potential

Reviewed: https://review.openstack.org/35739
Committed: http://github.com/openstack/keystone/commit/22e3fb773176dd9a8bbf41b5268564bc0e4ed6f1
Submitter: Jenkins
Branch: master

commit 22e3fb773176dd9a8bbf41b5268564bc0e4ed6f1
Author: Henry Nash <email address hidden>
Date: Fri Jul 5 06:04:25 2013 +0100

    Fix issue with v3 tokens and group membership roles

    The driver calls used by v3 token controllers to obtain roles
    for a user on both project and domain were incorrectly implemented,
    leading to roles being missed out of the token. v2 tokens are not
    affected, since they don't use the same driver calls.

    This fixes these functions and adds additonal tests to cover the
    cases (all of which would fail without this patch). As part of this
    fix, the implementation of "get_roles_for_user_and_project() is
    pulled up into the driver class (like the domain equivalent is already),
    since, for all implementations, it is independant of backend technology.

    Fixes bug 1197874

    Change-Id: I59b6882d93bdc8372be03fed0b390b002a6d0320

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-07-17
Changed in keystone:
status: Fix Committed → Fix Released

Reviewed: https://review.openstack.org/38484
Committed: http://github.com/openstack/keystone/commit/27a5b42dbbdcb1f10138542cfa2fc5584470bace
Submitter: Jenkins
Branch: stable/grizzly

commit 27a5b42dbbdcb1f10138542cfa2fc5584470bace
Author: Henry Nash <email address hidden>
Date: Fri Jul 5 06:04:25 2013 +0100

    Fix issue with v3 tokens and group membership roles

    The driver calls used by v3 token controllers to obtain roles
    for a user on both project and domain were incorrectly implemented,
    leading to roles being missed out of the token. v2 tokens are not
    affected, since they don't use the same driver calls.

    This fixes these functions and adds additonal tests to cover the
    cases (all of which would fail without this patch). As part of this
    fix, the implementation of "get_roles_for_user_and_project() is
    pulled up into the driver class (like the domain equivalent is already),
    since, for all implementations, it is independant of backend technology.

    Fixes bug 1197874

    Change-Id: I48aaf79241c87377c6940ab6193fc3acd4006c94

Alan Pevec (apevec) on 2013-08-05
tags: removed: grizzly-backport-potential
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-2 → 2013.2
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers