oauth1 - consumer specifies roles instead of delegator

Bug #1216408 reported by Dolph Mathews
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Steve Martinelli
Milestone:

Bug Description

From the mailing list [1]:

> How does the delegate know which role to request? This is unintuitive. A delegator (rather than delegate) knows the role he wants to delegate. One would normally expect the delegator to request Keystone to delegate this role to the named delegate, rather than the delegate asking for a role to be delegated to it, since it requires an out-of-band communication between the delegator and delegate to take place before the delegation, in which the delegator tells the delegate its un/pw and the role it should ask for. This seems to be a rather contrived exchange of messages.

This design fault is present in both the spec and the current implementation.

[1]: http://lists.openstack.org/pipermail/openstack-dev/2013-June/010402.html

Steve Martinelli (stevemar) wrote :

But we keep the consumer requesting the project id?

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/43610

Changed in keystone:
status: Confirmed → In Progress
Dolph Mathews (dolph) wrote :

@Steve: yes

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/44504

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/43610
Committed: http://github.com/openstack/keystone/commit/3b43bca897e507f3db34c14047d48182761a4014
Submitter: Jenkins
Branch: master

commit 3b43bca897e507f3db34c14047d48182761a4014
Author: Steve Martinelli <email address hidden>
Date: Sat Aug 24 23:49:16 2013 -0500

    OAuth authorizing user should propose roles to delegate

    Currently in the oauth1 extension the consumer specifies roles
    instead of delegator. This is a design fault that should be fixed
    by having the authorizing user provide a set of roles (ids)
    during the authorize request token phase.

    fixes bug: #1216408

    Change-Id: I13e155cf04dd478d575c8d66216d0fde08875ba2
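
A minimal model of the flow this commit describes, added here as an illustration and not taken from Keystone: the consumer names only the project, and the authorizing user supplies the role ids at the authorize step. All function names and sample ids are hypothetical, and the check that the delegator holds each role on the project is an assumption the page does not state.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: role ids each user holds on each project.
ASSIGNMENTS = {("alice", "proj-1"): {"role-admin", "role-member"}}


@dataclass
class RequestToken:
    consumer_id: str
    project_id: str                    # still requested by the consumer
    role_ids: frozenset = frozenset()  # filled in by the delegator only
    authorizing_user_id: Optional[str] = None
    verifier: Optional[str] = None


def create_request_token(consumer_id, project_id):
    # Consumer step: there is no roles parameter here any more.
    return RequestToken(consumer_id, project_id)


def authorize_request_token(token, user_id, role_ids):
    # Delegator step: the authorizing user proposes the roles to delegate.
    requested = frozenset(role_ids)
    held = ASSIGNMENTS.get((user_id, token.project_id), set())
    if not requested:
        raise ValueError("delegator must name at least one role id")
    if not requested <= held:  # assumption: cannot delegate roles not held
        raise PermissionError("user lacks: %s" % sorted(requested - held))
    token.role_ids = requested
    token.authorizing_user_id = user_id
    token.verifier = secrets.token_hex(4)
    return token.verifier


def create_access_token(token, consumer_id, verifier):
    # Consumer step: exchange an authorized request token; roles are copied
    # from what the delegator approved, never taken from the consumer.
    if token.verifier is None:
        raise PermissionError("request token has not been authorized")
    if consumer_id != token.consumer_id or not secrets.compare_digest(
            verifier, token.verifier):
        raise PermissionError("wrong consumer or verifier")
    return {"consumer_id": token.consumer_id,
            "project_id": token.project_id,
            "authorizing_user_id": token.authorizing_user_id,
            "role_ids": sorted(token.role_ids)}
```
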

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: havana-3 → 2013.2