Trust creation allowed with empty roles list

Bug #1214064 reported by Steven Hardy on 2013-08-19
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: wanghong

Bug Description

The docs state "A project_id may not be specified without at least one role,
and vice versa.", however /OS-TRUST/trusts *does* allow you to create a trust
with an empty roles list and project_id specified.

This results in 401 responses whenever you try to consume the trust, which is
not exactly obvious until you realize what's happening.

It seems odd to allow creation of a trust which is seemingly useless and can
never be consumed, so I guess either the code or the docs need updating?

Adam Young (ayoung) on 2013-08-20
Changed in keystone:
assignee: nobody → Adam Young (ayoung)
Dolph Mathews (dolph) on 2013-08-26
Changed in keystone:
importance: Undecided → High
status: New → Triaged
milestone: none → havana-3
tags: added: grizzly-backport-potential
Changed in keystone:
importance: High → Medium
Dolph Mathews (dolph) on 2013-09-03
Changed in keystone:
milestone: havana-3 → none
wanghong (w-wanghong) wrote :

Hi Adam, are you working on this now? Can I assign this to me?

Dolph Mathews (dolph) on 2014-01-16
Changed in keystone:
assignee: Adam Young (ayoung) → nobody
assignee: nobody → wanghong (w-wanghong)

Fix proposed to branch: master
Review: https://review.openstack.org/69162

Changed in keystone:
status: Triaged → In Progress
Dolph Mathews (dolph) on 2014-03-18
tags: added: havana-backport-potential
removed: grizzly-backport-potential

Reviewed: https://review.openstack.org/69162
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0aff9ff3af4a6bc0b3d6128ae35231d1b18d543b
Submitter: Jenkins
Branch: master

commit 0aff9ff3af4a6bc0b3d6128ae35231d1b18d543b
Author: wanghong <email address hidden>
Date: Sun Jan 26 11:14:46 2014 +0800

    trust creation allowed with empty roles list

    The docs state "A project_id may not be specified without at least
    one role, and vice versa.", however /OS-TRUST/trusts does allow you
    to create a trust with an empty roles list and project_id specified.

    This results in 401 responses whenever you try to consume the trust,
    because there are no roles for the trustee on the authorized project.

    This patch will add a check in trust creation to ensure at least one
    role exists if project_id is supplied.

    Change-Id: Iebad0b6b7ed62a029d1e50afb003679bafb1655d
    Closes-Bug: #1214064

Changed in keystone:
status: In Progress → Fix Committed
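
The creation-time check described in the commit message, sketched as an added example (a simplified model written for this page, not keystone's code). It applies the documented rule in both directions, which goes beyond the single direction the commit message mentions; the function names, exception classes and sample IDs are hypothetical.

```python
class ValidationError(Exception):
    """Stands in for an HTTP 400 returned at trust creation."""


class Unauthorized(Exception):
    """Stands in for the HTTP 401 seen when the trust is consumed."""


def create_trust_unchecked(trust):
    """Behaviour described in the report: the request is stored as sent."""
    return dict(trust)


def create_trust_checked(trust):
    """Reject a project-scoped trust with no roles, and vice versa."""
    has_project = bool(trust.get("project_id"))
    has_roles = bool(trust.get("roles"))
    if has_project and not has_roles:
        raise ValidationError("at least one role is required with project_id")
    if has_roles and not has_project:
        raise ValidationError("project_id is required when roles are given")
    return dict(trust)


def consume_trust(trust, trustee_id):
    """Model of consuming a trust: the trustee needs a role on the project."""
    if trustee_id != trust["trustee_user_id"]:
        raise Unauthorized("caller is not the trustee")
    if trust.get("project_id") and not trust.get("roles"):
        # The failure from the report: nothing was delegated on the project.
        raise Unauthorized("no roles for the trustee on the project")
    return {
        "user_id": trustee_id,
        "project_id": trust.get("project_id"),
        "roles": [r["name"] for r in trust.get("roles", [])],
    }


# Constructed request bodies; the IDs and role name are made up.
BAD_TRUST = {
    "trustor_user_id": "u-trustor",
    "trustee_user_id": "u-trustee",
    "project_id": "p-demo",
    "impersonation": False,
    "roles": [],
}
GOOD_TRUST = dict(BAD_TRUST, roles=[{"name": "member"}])
```

Rejecting the request at creation moves the failure to the caller who made the mistake, instead of surfacing later as an unexplained 401 for the trustee.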
Thierry Carrez (ttx) on 2014-03-26
Changed in keystone:
milestone: none → icehouse-rc1
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2014-04-17
Changed in keystone:
milestone: icehouse-rc1 → 2014.1