domain-specific role in one domain should not be able to imply a domain-specific role from another domain

Bug #1590583 reported by Guang Yee
This bug affects 3 people
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Sean Perry

Bug Description

By design, domain-specific roles are visible within their owning domains only. In other words, a domain-specific role in domain "foo" should not be able to imply a domain-specific role from domain "bar".

To reproduce:

1. create a domain-specific role "foo_domain_role" in domain "foo".
2. create a domain-specific role "bar_domain_role" in domain "bar".
3. PUT /v3/roles/<foo_domain_role_id>/implies/<bar_domain_role_id>
4. list implies for "foo_domain_role" and you'll see "bar_domain_role" on the list

vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/306b6d6f97084df983a6f2fa30cf1163/implies | python -mjson.tool
{
    "role_inference": {
        "implies": [
            {
                "id": "3171089626224021afc0299a0c9b916e",
                "links": {
                    "self": "http://10.0.2.15/identity/v3/roles/3171089626224021afc0299a0c9b916e"
                },
                "name": "bar_domain_role"
            }
        ],
        "prior_role": {
            "id": "306b6d6f97084df983a6f2fa30cf1163",
            "links": {
                "self": "http://10.0.2.15/identity/v3/roles/306b6d6f97084df983a6f2fa30cf1163"
            },
            "name": "foo_domain_role"
        }
    }
}
vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/306b6d6f97084df983a6f2fa30cf1163 | python -mjson.tool
{
    "role": {
        "domain_id": "0ba1cc88be31429d98866d101d1ed0ba",
        "id": "306b6d6f97084df983a6f2fa30cf1163",
        "links": {
            "self": "http://10.0.2.15/identity/v3/roles/306b6d6f97084df983a6f2fa30cf1163"
        },
        "name": "foo_domain_role"
    }
}

Changed in keystone:
status: New → Confirmed
Changed in keystone:
milestone: none → newton-3
importance: Undecided → Medium
Changed in keystone:
milestone: newton-3 → none
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/351264

Changed in keystone:
assignee: nobody → Mikhail Nikolaenko (mnikolaenko)
status: Confirmed → In Progress
Changed in keystone:
milestone: none → newton-3
Changed in keystone:
assignee: Mikhail Nikolaenko (mnikolaenko) → Steve Martinelli (stevemar)
Changed in keystone:
assignee: Steve Martinelli (stevemar) → Mikhail Nikolaenko (mnikolaenko)
Adam Young (ayoung) wrote :

Is this really a problem? And...why not?

Changed in keystone:
milestone: newton-3 → none
Changed in keystone:
assignee: Mikhail Nikolaenko (mnikolaenko) → Sean Perry (sean-perry-a)
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/374463

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/374463
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e88097f4c0245439d15df490f4b097f2e9def9c9
Submitter: Jenkins
Branch: master

commit e88097f4c0245439d15df490f4b097f2e9def9c9
Author: Sean Perry <email address hidden>
Date: Wed Sep 21 16:59:47 2016 -0700

    Add domain check in domain-specific role implication

    Forbids implication between domain-specific roles from different domains

    Change-Id: I9d3b9747df04b425f8c708bb3436569f2baf47c8
    Co-Authored-By: Steve Martinelli <email address hidden>
    Co-Authored-By: Mikhail Nikolaenko <email address hidden>
    Closes-Bug: #1590583

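The reproduction steps in the bug description and the merged commit's one-line summary ("Forbids implication between domain-specific roles from different domains") together describe a single validation rule. The following is an added example, not keystone's own code and not the content of the merged change: it models the rule over an in-memory role table shaped like the v3 role records shown on the page (`id`, `name`, `domain_id`, with `domain_id` of `None` for a global role). The role ids, the `InvalidImpliedRole` class, the `create_implied_role` and `find_cross_domain_implications` helpers, and the decision to also reject a global role implying a domain-specific one (consistent with the "visible within their owning domains only" design statement, but an assumption here) are all constructed for this example. The audit helper reflects a deployment caveat that the page does not address: a validation added on write does not revisit implications that were stored while the bug was present.

```python
"""Domain check for role implication, modelled on the rule in bug #1590583.

Added example, not keystone's own code. A domain-specific role may imply a
global role or a role from its own domain, but never a domain-specific role
from another domain.
"""


class InvalidImpliedRole(Exception):
    """Raised when an implication would cross a domain boundary."""


# Constructed sample roles; ids and names are made up for this example.
ROLES = {
    "foo_role": {"id": "foo_role", "name": "foo_domain_role", "domain_id": "foo"},
    "foo_reader": {"id": "foo_reader", "name": "foo_reader", "domain_id": "foo"},
    "bar_role": {"id": "bar_role", "name": "bar_domain_role", "domain_id": "bar"},
    "member": {"id": "member", "name": "member", "domain_id": None},
}


def check_implication_domains(prior_role, implied_role):
    """Reject an implication whose implied role is domain-specific and owned
    by a domain other than the prior role's.

    Implying a global role (domain_id None) is always allowed. A global prior
    role implying a domain-specific role is rejected here as an assumption
    drawn from the "visible within the owning domain only" design statement.
    """
    prior_domain = prior_role.get("domain_id")
    implied_domain = implied_role.get("domain_id")
    if implied_domain is not None and prior_domain != implied_domain:
        raise InvalidImpliedRole(
            "%s (domain %s) cannot imply %s (domain %s)"
            % (prior_role["name"], prior_domain,
               implied_role["name"], implied_domain))


def create_implied_role(implications, roles, prior_role_id, implied_role_id):
    """Record prior -> implied once the domain check passes.

    `implications` is a dict {prior_role_id: set(implied_role_ids)} standing
    in for the implied-role table. Returns the sorted implied ids for the
    prior role so the caller can see the resulting "implies" list.
    """
    prior = roles[prior_role_id]
    implied = roles[implied_role_id]
    check_implication_domains(prior, implied)
    implications.setdefault(prior_role_id, set()).add(implied_role_id)
    return sorted(implications[prior_role_id])


def find_cross_domain_implications(implications, roles):
    """Audit already-stored implications and return the (prior, implied) pairs
    that the domain check would now reject.

    Rows written before the check existed are not re-validated by adding the
    check; this helper is the constructed follow-up for that situation.
    """
    bad = []
    for prior_id, implied_ids in implications.items():
        for implied_id in implied_ids:
            try:
                check_implication_domains(roles[prior_id], roles[implied_id])
            except InvalidImpliedRole:
                bad.append((prior_id, implied_id))
    return sorted(bad)


if __name__ == "__main__":
    table = {}
    print(create_implied_role(table, ROLES, "foo_role", "foo_reader"))
    print(create_implied_role(table, ROLES, "foo_role", "member"))
    try:
        # The reproduction case from the bug: foo_domain_role -> bar_domain_role
        create_implied_role(table, ROLES, "foo_role", "bar_role")
    except InvalidImpliedRole as exc:
        print("rejected:", exc)
    # Simulate a row stored while the bug was present, then audit the table.
    table["foo_role"].add("bar_role")
    print(find_cross_domain_implications(table, ROLES))
```

Run as a script it prints the accepted same-domain and global implications, the rejection for the cross-domain case from the bug, and the audit result flagging the pre-existing bad row. The check is written against the `domain_id` field because that is the only attribute on the page's role records that identifies the owning domain.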
Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → ocata-1
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Mikhail Nikolaenko (<email address hidden>) on branch: master
Review: https://review.openstack.org/351264

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 11.0.0.0b1

This issue was fixed in the openstack/keystone 11.0.0.0b1 development milestone.
