Revoking "admin" role from a group invalidates domain admin's token

Bug #1590805 reported by Niranjana Adiga on 2016-06-09
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Wishlist
Unassigned

Bug Description

Steps to reproduce

1. Login as domain admin
2. Create a new group and grant "admin" role to it.
3. Group will be empty with no users added to it.(Domain admin won't be part of this group)
4. Now revoke "admin" role from this group.
5. Token for domain admin will be invalidated and he/she has to login again.

description: updated

According to your steps, you grant a group role, as you said, domain admin won't be part of this group, so the behavior is correct. If you want to domain admin still with this role, you should grant the role for user and not just for group.

Changed in keystone:
status: New → Invalid
Niranjana Adiga (nvadiga) wrote :

When domain admin is NOT part of the group, why his token should get invalidated when he revokes a role from the group?

Niranjana Adiga (nvadiga) wrote :

I am reopening this issue so that someone can have a second look at the problem?

summary: - Revoking "admin" role from a group invalidates user token
+ Revoking "admin" role from a group invalidates domain admin's token
Changed in keystone:
status: Invalid → New
Dolph Mathews (dolph) wrote :

This is either a legitimate bug, or there's an unfortunate technical limitation requiring keystone to revoke more tokens than strictly necessary in the name of performance vs security.

tags: added: revoke
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
Lance Bragstad (lbragstad) wrote :

Here is what I've done to try and recreate this bug.

1.) Get a token scoped to the default domain with my admin user
2.) Create a new group under the default domain
3.) Create a new project under the default domain
4.) Assign the new group the admin role on the new project
5.) Confirm that the token from step 1 is still valid using the validate token API
6.) Remove the admin role from new group on the new project
7.) Confirm that the token from step 1 is still valid using the validate token API

I was able to successfully validate the token from step 1 in both steps 5 and 7.

Niranjana, is there anything different about how I've set things up or recreated the bug compared to what you have locally?

Lance Bragstad (lbragstad) wrote :

FWIW - I am using keystone as of 5f7377f5abaf46e491d9c580ec59547cd8478aa3.

Lance Bragstad (lbragstad) wrote :

Please feel free to reopen the bug if there is additional information for the report.

Changed in keystone:
status: Triaged → Incomplete
Niranjana Adiga (nvadiga) wrote :

Lance, it was not Project role assignment but Domain role assignment to a Group. Here the updated steps with REST commands.

1.) Get a token scoped to the default domain with my admin user
2.) Create a new group under the default domain (POST /v3/groups)
3.) Assign admin role to this group on domain ( PUT /v3/domains/default/groups/{group_id}/roles/{admin_role_id} )
4.) Revoke admin role from this group ( DELETE /v3/domains/default/groups/{group_id}/roles{admin_role_id}
5.) Now token generated in Step 1 will be invalid.

Changed in keystone:
status: Incomplete → New
Steve Martinelli (stevemar) wrote :

When a role is revoked on a group at the domain level we are aggressive and revoke all tokens that match the domain and role. In your case, the domain and role you are revoking (default + admin) are the same ones you are using to auth! Note that this only happens with groups, and if you decided to give the group a role that you are not using, then this wouldn't happen.

I believe the intention here was for (as Dolph said in comment #4) security vs performance.

See the code here: https://github.com/openstack/keystone/blob/94e83aff172feee3874604ab1a92d4038be4965f/keystone/assignment/core.py#L380-L402

This bug doesn't seem like something that can be routinely hit in practice. I'd rather not decrease security in this specific case, since the only workaround I can think of would be to revoke tokens that match all 3 criteria (domain + group + role)

Changed in keystone:
importance: Medium → Low
Morgan Fainberg (mdrnstm) wrote :

I am going to agree with stevemar here. We can match all three criteria. I'm marking this as wishlist.

Changed in keystone:
status: New → Triaged
importance: Low → Wishlist
Changed in keystone:
assignee: nobody → Vishakha Agarwal (vishakha.agarwal)

I think the changes are already done. I would request the bug reporter to close it.

https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L356

Thanks

Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → nobody
Colleen Murphy (krinkle) wrote :

Agreed, this looks like this was fixed in https://review.openstack.org/440281 , please reopen if you disagree

Changed in keystone:
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers