Cleaning up user/group assignments makes incorrect assumption that user_id != group_id

Bug #1440135 reported by Henry Nash
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Low
Assigned to: Clenimar Filemon

Bug Description

The methods delete_user_assignments() and delete_group_assignments() in the assignment backends remove all assignments for a user/group - although the code fails to set the type of assignment, and just uses actor_id. This is nearly always going to be fine, although technically one should also specify the type of the assignment in the delete (e.g. USER_PROJECT/USER_DOMAIN and USER_PROJECT/GROUP_PROJECT).

Changed in keystone:
status: New → Triaged
status: Triaged → New
Lance Bragstad (lbragstad) wrote :

Henry, I'm not seeing these methods in the current code base. These are what I've found:

keystone/assignment/backends/ldap.py: def delete_project_assignments(self, project_id):
keystone/assignment/backends/ldap.py: def delete_role_assignments(self, role_id):
keystone/assignment/backends/sql.py: def delete_project_assignments(self, project_id):
keystone/assignment/backends/sql.py: def delete_role_assignments(self, role_id):
keystone/assignment/core.py: def delete_tokens_for_role_assignments(self, role_id):
keystone/assignment/core.py: def delete_project_assignments(self, project_id):
keystone/assignment/core.py: def delete_role_assignments(self, role_id):
keystone/assignment/core.py: self.assignment_api.delete_tokens_for_role_assignments(role_id)
keystone/assignment/core.py: self.assignment_api.delete_role_assignments(role_id)
keystone/resource/core.py: self.assignment_api.delete_project_assignments(tenant_id)

Henry Nash (henry-nash) wrote :

Ahh, sorry, yes - today in the code base they are (confusingly) called delete_user and delete_group (this is in the assignment backend). I have a separate bug logged to change these to delete_user_assignments and delete_group_assignments (see: https://bugs.launchpad.net/keystone/+bug/1438517)

Changed in keystone:
status: New → Triaged
Steve Martinelli (stevemar) wrote :

unassigning due to inactivity

Changed in keystone:
assignee: Henry Nash (henry-nash) → nobody
milestone: next → none
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/275706

Changed in keystone:
assignee: nobody → Clenimar Filemon (clenimar-filemon)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/282696

Changed in keystone:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/282696
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=809e5533ccdbffcc73ef9c6bda158e7f8386bb08
Submitter: Jenkins
Branch: master

commit 809e5533ccdbffcc73ef9c6bda158e7f8386bb08
Author: Clenimar Filemon <email address hidden>
Date: Sat Feb 20 12:47:24 2016 -0300

    Fix incorrect assumption when deleting assignments

    The methods delete_user_assignments() and delete_group_assignments()
    in the assignment backend remove all assignments for a user/group -
    although the code fails to set the type of assignment and just uses
    actor_id, making an assumption that user_id != group_id.

    This patch specifies the type of assignments in the delete (i.e
    USER_PROJECT/USER_DOMAIN or GROUP_PROJECT/GROUP_DOMAIN) to make sure
    no assignment will be mistakenly deleted.

    Change-Id: I246a61a291dd41490f49b7b26a04f93e69e61d7a
    Closes-Bug: #1440135

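As an added illustration, not code from keystone or from the reporter or committer, of the id collision the report and the commit message describe: a minimal sqlite3 model of the assignment table, with the actor_id-only delete beside the type-constrained one. The type strings and ids below are constructed for the example, not keystone's own enum values.

```python
import sqlite3

# Assignment types named in the bug report (string values constructed here,
# not keystone's own enum values).
USER_TYPES = ("USER_PROJECT", "USER_DOMAIN")
GROUP_TYPES = ("GROUP_PROJECT", "GROUP_DOMAIN")


def new_assignment_db():
    """In-memory stand-in for the assignment table: type, actor, target, role."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE assignment (type TEXT, actor_id TEXT, "
               "target_id TEXT, role_id TEXT)")
    return db


def delete_user_assignments_buggy(db, user_id):
    # Filters on actor_id only; silently assumes no group shares this id.
    db.execute("DELETE FROM assignment WHERE actor_id = ?", (user_id,))


def delete_user_assignments_fixed(db, user_id):
    # Also constrains the assignment type, as the merged fix does.
    db.execute("DELETE FROM assignment WHERE actor_id = ? AND type IN (?, ?)",
               (user_id, *USER_TYPES))


def remaining_group_assignments(db, group_id):
    rows = db.execute("SELECT COUNT(*) FROM assignment WHERE actor_id = ? "
                      "AND type IN (?, ?)", (group_id, *GROUP_TYPES))
    return rows.fetchone()[0]


def run_scenario(delete_fn):
    """Seed a user and a group that share one id, delete the user's
    assignments with delete_fn, and return how many group rows survive."""
    db = new_assignment_db()
    shared_id = "0123abcd"  # constructed id collision between user and group
    db.executemany("INSERT INTO assignment VALUES (?, ?, ?, ?)", [
        ("USER_PROJECT", shared_id, "proj-1", "member"),
        ("USER_DOMAIN", shared_id, "dom-1", "member"),
        ("GROUP_PROJECT", shared_id, "proj-2", "admin"),
        ("GROUP_DOMAIN", shared_id, "dom-1", "admin"),
    ])
    delete_fn(db, shared_id)
    return remaining_group_assignments(db, shared_id)
```

With the buggy delete the group's two assignments vanish along with the user's; the type-constrained delete leaves them intact.
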
Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → mitaka-3
Thierry Carrez (ttx) wrote : Fix included in openstack/keystone 9.0.0.0b3

This issue was fixed in the openstack/keystone 9.0.0.0b3 development milestone.
