global role should not be able to imply domain-specific role

Bug #1590578 reported by Guang Yee on 2016-06-08
This bug affects 3 people

Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: Mikhail Nikolaenko

Bug Description

Global roles should only be able to imply other global roles; they should not be able to imply domain-specific roles. Domain-specific role visibility should be limited to its owning domain only.

To reproduce:

1. create a domain-specific role "foo_domain_role" in domain "foo".
2. create a global role "foo_admin".
3. PUT /v3/roles/<foo_admin_role_id>/implies/<foo_domain_role_id>
4. list the implied roles for "foo_admin" and you'll see the implication relationship

vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/45038d5e628b44c1857f33e839b06c77/implies | python -mjson.tool
{
    "role_inference": {
        "implies": [
            {
                "id": "306b6d6f97084df983a6f2fa30cf1163",
                "links": {
                    "self": "http://10.0.2.15/identity/v3/roles/306b6d6f97084df983a6f2fa30cf1163"
                },
                "name": "foo_domain_role"
            },
            {
                "id": "c256b7047f514515b3138d9efb594b21",
                "links": {
                    "self": "http://10.0.2.15/identity/v3/roles/c256b7047f514515b3138d9efb594b21"
                },
                "name": "bar_admin"
            }
        ],
        "prior_role": {
            "id": "45038d5e628b44c1857f33e839b06c77",
            "links": {
                "self": "http://10.0.2.15/identity/v3/roles/45038d5e628b44c1857f33e839b06c77"
            },
            "name": "foo_admin"
        }
    }
}
vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/45038d5e628b44c1857f33e839b06c77 | python -mjson.tool
{
    "role": {
        "domain_id": null,
        "id": "45038d5e628b44c1857f33e839b06c77",
        "links": {
            "self": "http://10.0.2.15/identity/v3/roles/45038d5e628b44c1857f33e839b06c77"
        },
        "name": "foo_admin"
    }
}
vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/306b6d6f97084df983a6f2fa30cf1163 | python -mjson.tool
{
    "role": {
        "domain_id": "0ba1cc88be31429d98866d101d1ed0ba",
        "id": "306b6d6f97084df983a6f2fa30cf1163",
        "links": {
            "self": "http://10.0.2.15/identity/v3/roles/306b6d6f97084df983a6f2fa30cf1163"
        },
        "name": "foo_domain_role"
    }
}

Changed in keystone:
status: New → Confirmed
Changed in keystone:
milestone: none → newton-3
importance: Undecided → Medium
Changed in keystone:
milestone: newton-3 → none
Steve Martinelli (stevemar) wrote :

I thought the point of having DSR and implied roles was that this exact scenario should be allowed. Since the domain specific roles won't be in the token, this way they get roles when the implied roles are in the token? Or do I have this reversed?

Guang Yee (guang-yee) wrote :

Steve, I think you may have it reversed. DSR should be able to imply global roles, but not the other way around.

1. DSR should only be visible within its domain.
2. It's useless to have a global role imply a DSR, as a DSR does not appear in the token.
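As an added illustration of the rule stated in the report and in the comment above (a domain-specific role may imply a global role, but a global role must not imply a domain-specific role), the following Python is written here and is not keystone's own code. The three role ids and the domain id are taken from the curl output in the report; the `dsr-in-other-domain` record and its domain id are constructed, and `implication_allowed`, `create_implied_role` and `audit_role_inference` are hypothetical names. The cross-domain check is our reading of "DSR should only be visible within its domain"; the page does not show how keystone handles that case.

```python
# Added example, not keystone's code: the role-inference rule from this bug
# applied to role records and to an existing /v3/roles/<id>/implies response.

import json


class RoleInferenceError(ValueError):
    """Raised when a prior role is not permitted to imply the given role."""


# Role records keyed by id. The first three come from the curl output in the
# report; "dsr-in-other-domain" and "constructed-domain-2" are constructed
# here to exercise the cross-domain case.
ROLES = {
    "45038d5e628b44c1857f33e839b06c77": {"name": "foo_admin", "domain_id": None},
    "c256b7047f514515b3138d9efb594b21": {"name": "bar_admin", "domain_id": None},
    "306b6d6f97084df983a6f2fa30cf1163": {
        "name": "foo_domain_role",
        "domain_id": "0ba1cc88be31429d98866d101d1ed0ba",
    },
    "dsr-in-other-domain": {"name": "bar_domain_role", "domain_id": "constructed-domain-2"},
}


def implication_allowed(prior, implied):
    """Decide whether `prior` may imply `implied`.

    Returns (True, "") when allowed, otherwise (False, reason). A global role
    (domain_id None) may imply only global roles. A domain-specific role may
    imply global roles and roles of its own domain; the same-domain limit is
    our reading of the report's "visible only within its domain" point.
    """
    prior_domain = prior.get("domain_id")
    implied_domain = implied.get("domain_id")
    if prior_domain is None and implied_domain is not None:
        return False, "global role %s cannot imply domain-specific role %s" % (
            prior["name"], implied["name"])
    if prior_domain is not None and implied_domain is not None and prior_domain != implied_domain:
        return False, "role %s (domain %s) cannot imply role %s of domain %s" % (
            prior["name"], prior_domain, implied["name"], implied_domain)
    return True, ""


def create_implied_role(inferences, prior_id, implied_id, roles=ROLES):
    """Record prior_id -> implied_id after validating it, the job the
    PUT /v3/roles/<prior>/implies/<implied> handler has to do.
    `inferences` maps a prior role id to the set of role ids it implies."""
    ok, reason = implication_allowed(roles[prior_id], roles[implied_id])
    if not ok:
        raise RoleInferenceError(reason)
    inferences.setdefault(prior_id, set()).add(implied_id)
    return inferences


def audit_role_inference(response_json, roles=ROLES):
    """Given the JSON body of GET /v3/roles/<id>/implies, return the names of
    implied roles that violate the rule, in response order. Handy for finding
    inferences that were created before the check existed."""
    body = json.loads(response_json)["role_inference"]
    prior = roles[body["prior_role"]["id"]]
    violations = []
    for entry in body["implies"]:
        implied = roles[entry["id"]]
        ok, _ = implication_allowed(prior, implied)
        if not ok:
            violations.append(implied["name"])
    return violations


# The response from the report: foo_admin implies foo_domain_role and bar_admin.
SAMPLE_RESPONSE = json.dumps({
    "role_inference": {
        "implies": [
            {"id": "306b6d6f97084df983a6f2fa30cf1163", "name": "foo_domain_role"},
            {"id": "c256b7047f514515b3138d9efb594b21", "name": "bar_admin"},
        ],
        "prior_role": {"id": "45038d5e628b44c1857f33e839b06c77", "name": "foo_admin"},
    }
})


if __name__ == "__main__":
    print("violations in sample response:", audit_role_inference(SAMPLE_RESPONSE))
    store = {}
    # DSR -> global is allowed
    create_implied_role(store, "306b6d6f97084df983a6f2fa30cf1163", "45038d5e628b44c1857f33e839b06c77")
    try:
        # global -> DSR is the case this bug is about and must be rejected
        create_implied_role(store, "45038d5e628b44c1857f33e839b06c77", "306b6d6f97084df983a6f2fa30cf1163")
    except RoleInferenceError as exc:
        print("rejected:", exc)
```

Running `audit_role_inference` over the report's own `implies` response flags `foo_domain_role` and passes `bar_admin`, which is exactly the entry the fix below stops from being created.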

Fix proposed to branch: master
Review: https://review.openstack.org/364216

Changed in keystone:
assignee: nobody → Mikhail Nikolaenko (mnikolaenko)
status: Confirmed → In Progress
Changed in keystone:
milestone: none → newton-rc1

Reviewed: https://review.openstack.org/364216
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=305cb8a9e3d147fa06de4dce5edd535b7929291c
Submitter: Jenkins
Branch: master

commit 305cb8a9e3d147fa06de4dce5edd535b7929291c
Author: Mikhail Nikolaenko <email address hidden>
Date: Thu Sep 1 10:12:45 2016 +0000

    Block global roles implying domain specific roles

    Adds a check which prohibits a global role from implying a domain-specific role.

    Change-Id: Ibd478c45a3fe28b194226ad562ee198ba3eb1b7c
    Closes-Bug: #1590578

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone 10.0.0.0rc1 release candidate.
