Activity log for bug #1242855

Date Who What changed Old value New value Message
2013-10-21 19:17:53 Brant Knudson bug added bug
2013-10-21 19:17:59 Brant Knudson keystone: assignee Brant Knudson (blk-u)
2013-10-21 20:35:13 OpenStack Infra keystone: status New In Progress
2013-10-21 20:38:21 Brant Knudson tags havana-backport-potential
2013-10-22 00:42:24 Brant Knudson description
  Old value (first paragraph only; the "To recreate" steps were unchanged):
    Using the LDAP assignment backend, if you remove a role from a user that the user doesn't have then the user gets the role.
  New value:
    Using the LDAP assignment backend, if you attempt to remove a role from a user on a tenant and the user doesn't have that role on the tenant then the user is actually granted the role on the tenant. Also, the role must not have been granted to anyone on the tenant before.

    To recreate

    0) Start with devstack, configured with LDAP (note especially to set KEYSTONE_ASSIGNMENT_BACKEND):
       In localrc,
         enable_service ldap
         KEYSTONE_IDENTITY_BACKEND=ldap
         KEYSTONE_ASSIGNMENT_BACKEND=ldap

    1) set up environment with OS_USERNAME=admin
         export OS_USERNAME=admin
         ...

    2) Create a new user, give admin role, list roles:
         $ keystone user-create --name blktest1 --pass blkpwd
         +----------+----------------------------------+
         | Property | Value                            |
         +----------+----------------------------------+
         | email    |                                  |
         | enabled  | True                             |
         | id       | 3b71182dc36e45c6be4733d508201694 |
         | name     | blktest1                         |
         +----------+----------------------------------+
         $ keystone user-role-add --user blktest1 --role admin --tenant service
         (no output)
         $ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
         +----------------------------------+-------+----------------------------------+----------------------------------+
         | id                               | name  | user_id                          | tenant_id                        |
         +----------------------------------+-------+----------------------------------+----------------------------------+
         | 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
         +----------------------------------+-------+----------------------------------+----------------------------------+

    3) Remove a role from that user that they don't have (using otherrole here since devstack sets it up):
         $ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
       - Expected to fail with 404, but it doesn't!

    4) List roles as that user:
         $ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
         +----------------------------------+-------------+----------------------------------+----------------------------------+
         | id                               | name        | user_id                          | tenant_id                        |
         +----------------------------------+-------------+----------------------------------+----------------------------------+
         | 1c39fab0fa9a4a68b307e7ce1535c62b | admin       | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
         | afe23e7955704ccfad803b4a104b28a7 | anotherrole | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
         +----------------------------------+-------------+----------------------------------+----------------------------------+
       - Expected to not include the role that was just removed!

    5) Remove the role again:
         $ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
       - No errors, which I guess is expected since list just said they had the role...

    6) List roles, and now it's gone:
         $ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
         +----------------------------------+-------+----------------------------------+----------------------------------+
         | id                               | name  | user_id                          | tenant_id                        |
         +----------------------------------+-------+----------------------------------+----------------------------------+
         | 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
         +----------------------------------+-------+----------------------------------+----------------------------------+

    7) Remove role again:
         $ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
         Could not find user, 3b71182dc36e45c6be4733d508201694. (HTTP 404)
       - Strangely says user not found rather than role not assigned.
2013-10-22 00:53:43 Dolph Mathews keystone: importance Undecided Critical
2013-10-22 12:23:21 Dolph Mathews information type Public Public Security
2013-10-22 12:28:15 OpenStack Infra keystone: assignee Brant Knudson (blk-u) Dolph Mathews (dolph)
2013-10-22 12:28:20 Thierry Carrez bug task added ossa
2013-10-22 12:28:25 Thierry Carrez ossa: status New Incomplete
2013-10-22 15:17:48 OpenStack Infra keystone: status In Progress Fix Committed
2013-10-22 15:53:23 Brant Knudson keystone: assignee Dolph Mathews (dolph) Brant Knudson (blk-u)
2013-10-22 15:54:16 Brant Knudson tags havana-backport-potential grizzly-backport-potential havana-backport-potential
2013-10-22 19:47:44 Dolph Mathews nominated for series keystone/havana
2013-10-22 19:47:44 Dolph Mathews bug task added keystone/havana
2013-10-22 19:48:00 Dolph Mathews tags grizzly-backport-potential havana-backport-potential
2013-10-23 00:47:09 Dolph Mathews nominated for series keystone/grizzly
2013-10-23 00:47:09 Dolph Mathews bug task added keystone/grizzly
2013-10-23 00:50:14 Dolph Mathews keystone/havana: status New In Progress
2013-10-23 00:50:16 Dolph Mathews keystone/grizzly: status New In Progress
2013-10-23 00:50:17 Dolph Mathews keystone/grizzly: importance Undecided Critical
2013-10-23 00:50:19 Dolph Mathews keystone/havana: importance Undecided Critical
2013-10-23 00:50:26 Dolph Mathews keystone/grizzly: assignee Brant Knudson (blk-u)
2013-10-23 00:50:31 Dolph Mathews keystone/havana: assignee Brant Knudson (blk-u)
2013-10-24 14:43:38 Thierry Carrez ossa: importance Undecided High
2013-10-24 14:43:38 Thierry Carrez ossa: status Incomplete Confirmed
2013-10-24 15:48:39 Thierry Carrez ossa: status Confirmed Triaged
2013-10-24 15:48:39 Thierry Carrez ossa: assignee Thierry Carrez (ttx)
2013-10-29 10:41:16 Thierry Carrez ossa: status Triaged In Progress
2013-10-29 11:12:36 OpenStack Infra keystone/grizzly: status In Progress Fix Committed
2013-10-29 11:13:05 OpenStack Infra keystone/havana: status In Progress Fix Committed
2013-10-29 16:29:59 Thierry Carrez cve linked 2013-4477
2013-10-30 16:36:40 Thierry Carrez ossa: status In Progress Fix Released
2013-10-30 16:37:08 Thierry Carrez summary Removing role adds role with LDAP backend [OSSA 2013-028] Removing role adds role with LDAP backend
2013-12-04 09:28:47 Thierry Carrez keystone: status Fix Committed Fix Released
2013-12-04 09:28:47 Thierry Carrez keystone: milestone icehouse-1
2013-12-08 11:50:38 Alan Pevec keystone/havana: milestone 2013.2.1
2013-12-16 22:45:28 Alan Pevec keystone/havana: status Fix Committed Fix Released
2014-03-20 20:03:43 Alan Pevec keystone/grizzly: milestone 2013.1.5
2014-03-20 22:12:14 Alan Pevec keystone/grizzly: status Fix Committed Fix Released
2014-04-17 07:56:34 Thierry Carrez keystone: milestone icehouse-1 2014.1
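The remove-grants-role behaviour from the description change of 2013-10-22 00:42:24, replayed against a small in-memory model. This is an added example, not Keystone's code or the fix referenced in this log; the store layout it assumes (one entry per tenant/role holding its members, with the defective remove path creating a missing entry) is a hypothesis consistent with the reporter's observations, not a root cause stated on this page, and all names (RoleStore, remove_user_buggy, reproduce) are invented here.

```python
"""Model of the defect in the bug report above (added example, not Keystone's
code).  Hypothetical assumption, consistent with the report's note that the
role must not have been granted to anyone on the tenant before: one entry per
(tenant, role) lists its members, and the defective remove path creates a
missing entry with the requesting user as its first member."""

class RoleNotFound(Exception): "No entry for this role on the tenant (404)."
class UserNotAssigned(Exception): "Entry exists, user is not a member (404)."

class RoleStore:
    def __init__(self):
        self.entries = {}  # {(tenant, role): set of user ids}
    def add_user(self, tenant, role, user):  # first grant creates the entry
        self.entries.setdefault((tenant, role), set()).add(user)
    def roles_for(self, tenant, user):
        return sorted(r for (t, r), m in self.entries.items() if t == tenant and user in m)

    def remove_user_buggy(self, tenant, role, user):
        # Defective path: a missing entry is created with the user as its
        # first member, so "removing" an unassigned role grants it.
        members = self.entries.get((tenant, role))
        if members is None:
            self.entries[(tenant, role)] = {user}
        elif user not in members:
            raise UserNotAssigned(user)  # step 7: "Could not find user"
        else:
            members.remove(user)

    def remove_user_fixed(self, tenant, role, user):
        # Hardened path: removal never creates state; absence is a 404.
        members = self.entries.get((tenant, role))
        if members is None:
            raise RoleNotFound(role)
        if user not in members:
            raise UserNotAssigned(user)
        members.remove(user)

def reproduce(remove):
    """Replay steps 3, 5 and 7 (three removals of 'anotherrole' from a user
    holding only 'admin'); per attempt return (error name or None, roles)."""
    store = RoleStore()
    store.add_user("service", "admin", "blktest1")
    trace = []
    for _ in range(3):
        try:
            remove(store, "service", "anotherrole", "blktest1")
            err = None
        except (RoleNotFound, UserNotAssigned) as exc:
            err = type(exc).__name__
        trace.append((err, store.roles_for("service", "blktest1")))
    return trace
```

`reproduce(RoleStore.remove_user_buggy)` yields the report's sequence (role appears after step 3, vanishes after step 5, user-not-found on step 7), while `reproduce(RoleStore.remove_user_fixed)` rejects all three attempts with RoleNotFound and never changes the assignment.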