Application credentials can't be used with group-only role assignments

Bug #1773967 reported by Colleen Murphy on 2018-05-29
Affects: OpenStack Identity (keystone)
Importance: High
Assigned to: Vishakha Agarwal

Bug Description

If a user only has a role assignment on a project via a group membership, the user can create an application credential for the project but it cannot be used. If someone tries to use it, the debug logs will report:

 User <uuid> has no access to project <uuid>

We need to ensure that any application credential that is created can be used so long as it is not expired and the user exists and has access to the project they created the application credential for. If we decide that application credentials should not be valid for users who have no explicit role assignments on projects, then we should prevent it from being created and provide a useful message to the user.

This is probably related to https://bugs.launchpad.net/keystone/+bug/1589993

Changed in keystone:
status: New → Confirmed
importance: Undecided → High
Rajat Sharma (tajar29) on 2018-06-07
Changed in keystone:
assignee: nobody → Rajat Sharma (tajar29)
Adam Young (ayoung) wrote :

Look at the trust code, as it solves this problem. Trusts and App Creds should use common code.

Changed in keystone:
assignee: Rajat Sharma (tajar29) → Vishakha Agarwal (vishakha.agarwal)
Edward Konetzko (konetzed) wrote :

Any update on this? I just ran into this issue and spent some time in IRC debugging with lbragstad. I am willing to take a hacky patch I can apply to the keystone 14 release. I am using CentOS 7 with OpenStack Rocky installed.

Thanks

Hi Edward,

I haven't started working on it. Please feel free to assign this to yourself and push a patch for it.

Thanks.

Colleen Murphy (krinkle) wrote :

Relatedly, application credentials don't work with implied roles. Since we now have the "member" role by default imply the "reader" role, the "reader" role appears in the token body and the user is allowed to create an application credential with it, but since it is not part of the role assignments table, the application credential can't then be used with just the "reader" role.
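The two failure modes in this report (group-only assignments in the description, implied roles in the comment above) come from the same root cause: the usability check consults only the explicit user-to-project assignment table, while the token that authorized creating the credential was built from the expanded set. The model below is an added illustration, not keystone's code; its data (users, groups, projects, the implied-role map) is constructed, and the resolver names are hypothetical. It shows the narrow check beside one that expands group membership and implied roles the way token validation does, plus the alternative the report suggests: rejecting creation with a useful message.

```python
# Added example (not keystone's code). Models the access check that decides
# whether an application credential is usable. The narrow check consults only
# direct user->project assignments; the expanded one also walks group
# memberships and implied roles. All data below is constructed.
from typing import Dict, Iterable, Set, Tuple

# (actor, project) -> roles; the actor may be a user or a group
DIRECT_ASSIGNMENTS: Dict[Tuple[str, str], Set[str]] = {
    ("user-alice", "proj-a"): {"member"},
    ("group-ops", "proj-b"): {"member"},
}
GROUP_MEMBERS: Dict[str, Set[str]] = {"group-ops": {"user-bob"}}
# prior role -> roles it implies ("member" implies "reader" by default)
IMPLIED_ROLES: Dict[str, Set[str]] = {"member": {"reader"}}


def groups_of(user_id: str) -> Set[str]:
    return {g for g, members in GROUP_MEMBERS.items() if user_id in members}


def expand_implied(roles: Iterable[str]) -> Set[str]:
    # transitive closure over the implied-role graph
    result, stack = set(roles), list(roles)
    while stack:
        for implied in IMPLIED_ROLES.get(stack.pop(), ()):
            if implied not in result:
                result.add(implied)
                stack.append(implied)
    return result


def narrow_effective_roles(user_id: str, project_id: str) -> Set[str]:
    # the behaviour the report describes: explicit assignments only
    return set(DIRECT_ASSIGNMENTS.get((user_id, project_id), set()))


def expanded_effective_roles(user_id: str, project_id: str) -> Set[str]:
    roles = narrow_effective_roles(user_id, project_id)
    for group in groups_of(user_id):
        roles |= DIRECT_ASSIGNMENTS.get((group, project_id), set())
    return expand_implied(roles)


def app_cred_usable(user_id, project_id, cred_roles, resolver) -> bool:
    # usable only if the user still holds every role stored on the credential
    effective = resolver(user_id, project_id)
    return bool(effective) and set(cred_roles) <= effective


def check_creatable(user_id, project_id, cred_roles, resolver) -> bool:
    # the alternative the report proposes: refuse creation with a clear reason
    missing = set(cred_roles) - resolver(user_id, project_id)
    if missing:
        raise ValueError(f"user {user_id} lacks roles {sorted(missing)} "
                         f"on project {project_id}")
    return True
```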
