OpenStack Identity (keystone)

System scoped tokens don't expand role assignments

Bug #1788694 reported by Lance Bragstad
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
High
Lance Bragstad
OpenStack Identity (keystone) stein-1

Bug Description

In Rocky keystone add support for two additional roles, one called 'reader' and the other called 'member'. These are in addition to the 'admin' role that has been supported for some time.

Since there is now more than one officially supported role, it was decided to imply relationships between them. The 'admin' role implies 'member' which implies 'reader'. This means users with a 'member' role assignment on a target get the 'reader' role implied. Users with the 'admin' role assignment on a target get the 'member' and 'reader' roles implied. This helps simplify assignment structure.

This information should be relayed in token response bodies and appears to be the case for project-scoped tokens [0]. System scoped tokens however are lacking the expanded role assignments via implied roles in the response body [1].

To recreate:

 - authenticate for a project-scoped token as a user with at least the member role on a project
 - observe that the token response body contains both 'member' and 'reader'
 - authenticate for a system-scoped token as a user with 'member' or 'admin' role on the system
 - observe that the token response body only contains a single role instead of all implied roles

[0] http://paste.openstack.org/show/728709/
[1] http://paste.openstack.org/show/728708/

See original description
Lance Bragstad (lbragstad)
description: updated
Changed in keystone:
status: New → Triaged
importance: Undecided → High
tags: added: rocky-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/596356

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/596357

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/596356
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6d7cfdb4ba5b8ce81d656dd22316505af6d382b8
Submitter: Zuul
Branch: master

commit 6d7cfdb4ba5b8ce81d656dd22316505af6d382b8
Author: Lance Bragstad <email address hidden>
Date: Fri Aug 24 13:56:37 2018 +0000

    Add test case for expanding implied roles in system tokens

    If a user has a role assignment on the system, which implies another
    role assignment, the system-scoped token response should include
    both role assignments.

    This patch exposes a bug in the system-scoped token implementation
    where implied roles aren't expanded out before returning the
    token response to the user.

    Change-Id: I176bbbda9658a54f6873a4009938f140a5b1a33e
    Related-Bug: 1788694

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/596357
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9051d403a336e082f8e699d2b826f1db55ddbd18
Submitter: Zuul
Branch: master

commit 9051d403a336e082f8e699d2b826f1db55ddbd18
Author: Lance Bragstad <email address hidden>
Date: Fri Aug 24 14:45:47 2018 +0000

    Expand implied roles in system-scoped tokens

    The implementation for system-scoped tokens lacked support for
    expanding implied roles. This patch modifies the token model so that
    it generates implied roles on the system in the token response.

    Change-Id: I46ff38a9cff6c605ccb9a52b1533f01fa4faec17
    Closes-Bug: 1788694

Lance Bragstad (lbragstad)
Changed in keystone:
milestone: none → stein-1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (stable/rocky)

Related fix proposed to branch: stable/rocky
Review: https://review.opendev.org/689586

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.opendev.org/690156

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (stable/rocky)

Reviewed: https://review.opendev.org/689586
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1403a9645d3dca20a681e0ffee3f5ac3a36fe0c6
Submitter: Zuul
Branch: stable/rocky

commit 1403a9645d3dca20a681e0ffee3f5ac3a36fe0c6
Author: Lance Bragstad <email address hidden>
Date: Fri Aug 24 13:56:37 2018 +0000

    Add test case for expanding implied roles in system tokens

    This change is being backported because it provides a helper method in
    the unit tests that another change relies on.

    If a user has a role assignment on the system, which implies another
    role assignment, the system-scoped token response should include
    both role assignments.

    This patch exposes a bug in the system-scoped token implementation
    where implied roles aren't expanded out before returning the
    token response to the user.

    Change-Id: I176bbbda9658a54f6873a4009938f140a5b1a33e
    Related-Bug: 1788694
    (cherry picked from commit 6d7cfdb4ba5b8ce81d656dd22316505af6d382b8)

tags: added: in-stable-rocky
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (stable/queens)

Reviewed: https://review.opendev.org/690156
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d57733f4e8849331935951e8a6c3f93d755fea3e
Submitter: Zuul
Branch: stable/queens

commit d57733f4e8849331935951e8a6c3f93d755fea3e
Author: Lance Bragstad <email address hidden>
Date: Fri Aug 24 13:56:37 2018 +0000

    Add test case for expanding implied roles in system tokens

    This change is being backported because it provides a helper method in
    the unit tests that another change relies on.

    If a user has a role assignment on the system, which implies another
    role assignment, the system-scoped token response should include
    both role assignments.

    This patch exposes a bug in the system-scoped token implementation
    where implied roles aren't expanded out before returning the
    token response to the user.

    Change-Id: I176bbbda9658a54f6873a4009938f140a5b1a33e
    Related-Bug: 1788694
    (cherry picked from commit 6d7cfdb4ba5b8ce81d656dd22316505af6d382b8)
    (cherry picked from commit 1403a9645d3dca20a681e0ffee3f5ac3a36fe0c6)

tags: added: in-stable-queens
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.