System scoped tokens don't expand role assignments

Bug #1788694 reported by Lance Bragstad on 2018-08-23
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Lance Bragstad
Milestone: stein-1

Bug Description

In Rocky, keystone added support for two additional roles, one called 'reader' and the other called 'member'. These are in addition to the 'admin' role that has been supported for some time.

Since there is now more than one officially supported role, it was decided to imply relationships between them. The 'admin' role implies 'member' which implies 'reader'. This means users with a 'member' role assignment on a target get the 'reader' role implied. Users with the 'admin' role assignment on a target get the 'member' and 'reader' roles implied. This helps simplify assignment structure.

This information should be relayed in token response bodies and appears to be the case for project-scoped tokens [0]. System scoped tokens however are lacking the expanded role assignments via implied roles in the response body [1].

To recreate:

 - authenticate for a project-scoped token as a user with at least the member role on a project
 - observe that the token response body contains both 'member' and 'reader'
 - authenticate for a system-scoped token as a user with 'member' or 'admin' role on the system
 - observe that the token response body only contains a single role instead of all implied roles

[0] http://paste.openstack.org/show/728709/
[1] http://paste.openstack.org/show/728708/
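The reproduction steps above compare the role list of a project-scoped token with that of a system-scoped token. The following is an added example, not keystone's own code and not the content of the two pastes: it models the admin -> member -> reader chain named in the report as a small implied-role graph, computes the transitive closure keystone should apply, builds the v3 auth request bodies for a project scope and for the system scope, and checks a token response body for the symptom (roles present that imply roles the body does not list). The user name, password, project id and role ids are placeholders, and the two token bodies are constructed to stand in for the pastes, which are not reproduced on this page.

```python
"""Added example (not keystone code): check a v3 token body for unexpanded
implied roles. The admin -> member -> reader chain is the Rocky default
named in the bug report; every id, name and token body below is a
placeholder or constructed sample."""
import json
from collections import deque

# Rocky default implied-role rules from the report: a key implies every
# role in its value set. Operators can add further rules via the API.
IMPLIED_ROLES = {"admin": {"member"}, "member": {"reader"}}


def expand_roles(assigned, implied=IMPLIED_ROLES):
    """Return the transitive closure of a set of assigned role names.

    Breadth-first walk over the implied-role graph. The 'seen' set makes
    the walk terminate even on a cyclic rule set, so a bad rule cannot
    hang the check.
    """
    seen = set(assigned)
    queue = deque(assigned)
    while queue:
        role = queue.popleft()
        for child in implied.get(role, ()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def build_auth_request(scope, user="alice", password="s3cret", domain_id="default"):
    """Build a POST /v3/auth/tokens body for the given scope.

    scope is ("project", "<project id>") or ("system", None). The password
    method and the two scope layouts are the documented v3 forms; the user
    and password are placeholders (assumption, not from the bug page).
    """
    identity = {
        "methods": ["password"],
        "password": {
            "user": {"name": user, "domain": {"id": domain_id}, "password": password}
        },
    }
    kind, target = scope
    if kind == "project":
        scope_body = {"project": {"id": target}}
    elif kind == "system":
        scope_body = {"system": {"all": True}}
    else:
        raise ValueError("unsupported scope %r" % kind)
    return {"auth": {"identity": identity, "scope": scope_body}}


def token_role_names(token_body):
    """Role names listed in a v3 token response body ({"token": {...}})."""
    return {r["name"] for r in token_body["token"].get("roles", [])}


def missing_implied_roles(token_body, implied=IMPLIED_ROLES):
    """Implied roles the token should carry but does not (empty set = ok).

    Expands the roles the body does list and reports whatever the
    expansion adds; this is exactly what the bug leaves out for
    system-scoped tokens.
    """
    present = token_role_names(token_body)
    return expand_roles(present, implied) - present


# Constructed token bodies standing in for the two pastes in the report:
# the project-scoped token is fully expanded, the system-scoped one shows
# the bug (only the directly assigned 'member' role is listed).
PROJECT_TOKEN = {"token": {
    "project": {"id": "0123456789abcdef0123456789abcdef", "name": "demo"},
    "roles": [{"id": "r-member", "name": "member"},
              {"id": "r-reader", "name": "reader"}],
}}
BUGGY_SYSTEM_TOKEN = {"token": {
    "system": {"all": True},
    "roles": [{"id": "r-member", "name": "member"}],
}}


def check_token(label, token_body):
    """Print and return the set of implied roles missing from a token body."""
    missing = missing_implied_roles(token_body)
    status = "ok" if not missing else "missing implied roles: %s" % sorted(missing)
    print("%s: roles=%s -> %s" % (label, sorted(token_role_names(token_body)), status))
    return missing


if __name__ == "__main__":
    print(json.dumps(build_auth_request(("system", None)), indent=2))
    check_token("project-scoped", PROJECT_TOKEN)
    check_token("system-scoped", BUGGY_SYSTEM_TOKEN)
```

Against a live deployment the same check applies to the real response: POST the body from `build_auth_request` to `/v3/auth/tokens`, load the JSON reply, and pass it to `missing_implied_roles`; a non-empty result on a system-scoped token is the behaviour this bug describes, and the check also covers any operator-defined inference rules if they are added to the `implied` mapping. Note that the check is only as good as its rule set: a role that is implied through a rule the mapping does not know about will not be reported.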

description: updated
Changed in keystone:
status: New → Triaged
importance: Undecided → High
tags: added: rocky-backport-potential

Related fix proposed to branch: master
Review: https://review.openstack.org/596356

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/596356
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6d7cfdb4ba5b8ce81d656dd22316505af6d382b8
Submitter: Zuul
Branch: master

commit 6d7cfdb4ba5b8ce81d656dd22316505af6d382b8
Author: Lance Bragstad <email address hidden>
Date: Fri Aug 24 13:56:37 2018 +0000

    Add test case for expanding implied roles in system tokens

    If a user has a role assignment on the system, which implies another
    role assignment, the system-scoped token response should include
    both role assignments.

    This patch exposes a bug in the system-scoped token implementation
    where implied roles aren't expanded out before returning the
    token response to the user.

    Change-Id: I176bbbda9658a54f6873a4009938f140a5b1a33e
    Related-Bug: 1788694

Changed in keystone:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/596357
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9051d403a336e082f8e699d2b826f1db55ddbd18
Submitter: Zuul
Branch: master

commit 9051d403a336e082f8e699d2b826f1db55ddbd18
Author: Lance Bragstad <email address hidden>
Date: Fri Aug 24 14:45:47 2018 +0000

    Expand implied roles in system-scoped tokens

    The implementation for system-scoped tokens lacked support for
    expanding implied roles. This patch modifies the token model so that
    it generates implied roles on the system in the token response.

    Change-Id: I46ff38a9cff6c605ccb9a52b1533f01fa4faec17
    Closes-Bug: 1788694

Changed in keystone:
milestone: none → stein-1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.

Reviewed: https://review.opendev.org/689586
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1403a9645d3dca20a681e0ffee3f5ac3a36fe0c6
Submitter: Zuul
Branch: stable/rocky

commit 1403a9645d3dca20a681e0ffee3f5ac3a36fe0c6
Author: Lance Bragstad <email address hidden>
Date: Fri Aug 24 13:56:37 2018 +0000

    Add test case for expanding implied roles in system tokens

    This change is being backported because it provides a helper method in
    the unit tests that another change relies on.

    If a user has a role assignment on the system, which implies another
    role assignment, the system-scoped token response should include
    both role assignments.

    This patch exposes a bug in the system-scoped token implementation
    where implied roles aren't expanded out before returning the
    token response to the user.

    Change-Id: I176bbbda9658a54f6873a4009938f140a5b1a33e
    Related-Bug: 1788694
    (cherry picked from commit 6d7cfdb4ba5b8ce81d656dd22316505af6d382b8)

tags: added: in-stable-rocky

Reviewed: https://review.opendev.org/690156
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d57733f4e8849331935951e8a6c3f93d755fea3e
Submitter: Zuul
Branch: stable/queens

commit d57733f4e8849331935951e8a6c3f93d755fea3e
Author: Lance Bragstad <email address hidden>
Date: Fri Aug 24 13:56:37 2018 +0000

    Add test case for expanding implied roles in system tokens

    This change is being backported because it provides a helper method in
    the unit tests that another change relies on.

    If a user has a role assignment on the system, which implies another
    role assignment, the system-scoped token response should include
    both role assignments.

    This patch exposes a bug in the system-scoped token implementation
    where implied roles aren't expanded out before returning the
    token response to the user.

    Change-Id: I176bbbda9658a54f6873a4009938f140a5b1a33e
    Related-Bug: 1788694
    (cherry picked from commit 6d7cfdb4ba5b8ce81d656dd22316505af6d382b8)
    (cherry picked from commit 1403a9645d3dca20a681e0ffee3f5ac3a36fe0c6)

tags: added: in-stable-queens