2013-10-22 00:42:24 |
Brant Knudson |
description |
Using the LDAP assignment backend, if remove a role from a user that the user doesn't have then the user gets the role.
To recreate
0) Start with devstack, configured with LDAP (note especially to set KEYSTONE_ASSIGNMENT_BACKEND):
In localrc,
enable_service ldap
KEYSTONE_IDENTITY_BACKEND=ldap
KEYSTONE_ASSIGNMENT_BACKEND=ldap
1) set up environment with OS_USERNAME=admin
export OS_USERNAME=admin
...
2) Create a new user, give admin role, list roles:
$ keystone user-create --name blktest1 --pass blkpwd
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | |
| enabled | True |
| id | 3b71182dc36e45c6be4733d508201694 |
| name | blktest1 |
+----------+----------------------------------+
$ keystone user-role-add --user blktest1 --role admin --tenant service
(no output)
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+----------------------------------+-------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+-------+----------------------------------+----------------------------------+
| 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
+----------------------------------+-------+----------------------------------+----------------------------------+
3) Remove a role from that user that they don't have (using otherrole here since devstack sets it up):
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
- Expected to fail with 404, but it doesn't!
4) List roles as that user:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+----------------------------------+-------------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+-------------+----------------------------------+----------------------------------+
| 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
| afe23e7955704ccfad803b4a104b28a7 | anotherrole | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
+----------------------------------+-------------+----------------------------------+----------------------------------+
- Expected to not include the role that was just removed!
5) Remove the role again:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
- No errors, which I guess is expected since list just said they had the role...
6) List roles, and now it's gone:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+----------------------------------+-------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+-------+----------------------------------+----------------------------------+
| 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
+----------------------------------+-------+----------------------------------+----------------------------------+
7) Remove role again:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
Could not find user, 3b71182dc36e45c6be4733d508201694. (HTTP 404)
- Strangely says user not found rather than role not assigned. |
Using the LDAP assignment backend, if you attempt to remove a role from a user on a tenant and the user doesn't have that role on the tenant then the user is actually granted the role on the tenant. Also, the role must not have been granted to anyone on the tenant before.
To recreate
0) Start with devstack, configured with LDAP (note especially to set KEYSTONE_ASSIGNMENT_BACKEND):
In localrc,
enable_service ldap
KEYSTONE_IDENTITY_BACKEND=ldap
KEYSTONE_ASSIGNMENT_BACKEND=ldap
1) set up environment with OS_USERNAME=admin
export OS_USERNAME=admin
...
2) Create a new user, give admin role, list roles:
$ keystone user-create --name blktest1 --pass blkpwd
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | |
| enabled | True |
| id | 3b71182dc36e45c6be4733d508201694 |
| name | blktest1 |
+----------+----------------------------------+
$ keystone user-role-add --user blktest1 --role admin --tenant service
(no output)
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+----------------------------------+-------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+-------+----------------------------------+----------------------------------+
| 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
+----------------------------------+-------+----------------------------------+----------------------------------+
3) Remove a role from that user that they don't have (using otherrole here since devstack sets it up):
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
- Expected to fail with 404, but it doesn't!
4) List roles as that user:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+----------------------------------+-------------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+-------------+----------------------------------+----------------------------------+
| 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
| afe23e7955704ccfad803b4a104b28a7 | anotherrole | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
+----------------------------------+-------------+----------------------------------+----------------------------------+
- Expected to not include the role that was just removed!
5) Remove the role again:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
- No errors, which I guess is expected since list just said they had the role...
6) List roles, and now it's gone:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+----------------------------------+-------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+-------+----------------------------------+----------------------------------+
| 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
+----------------------------------+-------+----------------------------------+----------------------------------+
7) Remove role again:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
Could not find user, 3b71182dc36e45c6be4733d508201694. (HTTP 404)
- Strangely says user not found rather than role not assigned. |
|