Comment 80 for bug 1806762

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/623323
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d2cc4c83c00256440eed0ed5b8d7131cc02d72d4
Submitter: Zuul
Branch: master

commit d2cc4c83c00256440eed0ed5b8d7131cc02d72d4
Author: Lance Bragstad <email address hidden>
Date: Thu Dec 6 21:14:44 2018 +0000

    Consolidate user protection tests

    This commit removes user policies from policy.v3cloudsample.json. By
    incorporating system-scope, domain-scope, project-scope, and default
    roles, we've effectively made these policies obsolete. We can simplify
    what we maintain and provide a more consistent, unified view of
    default user behavior by removing them.

    This commit also adds an important filter to the GET /v3/users API by
    making sure the users in the response are filtered properly if the API
    was called with a domain-scoped token. This is needed in case domain
    configuration isn't set up and short-circuits normalization of the
    domain ID, which sometimes comes from the token if it is
    domain-scoped. Regardless of domain configuration being used, we
    should protect against cases where data leaks across domains in the
    name of security.

    Finally, this commit moves a couple of tests from test_v3_protection
    to test_users protection tests that ensure we do reasonable filtering
    while normalizing domain IDs. The remaining tests from
    test_v3_protection have been removed because they are no longer
    applicable. These tests were testing that an HTTP 403 was returned when
    a domain user attempted to filter users for domains they didn't have
    authorization on. We don't use this approach consistently in keystone.
    Most other places where filtering is implemented, we ignore invalid
    filters and instead return an empty list. For domain users attempting
    to fish information out of another domain, they will receive an empty
    list to be consistent with other parts of the API.

    Change-Id: I60b2e2b8af172c369eab0eb2c29f056f5c98ad16
    Partial-Bug: 1806762
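
The response-side filter this commit message describes, as an added Python sketch that is not keystone's code: it models a list call where domain-ID normalization is skipped and shows that a filter applied to the response still keeps a domain-scoped caller inside its own domain, returning an empty list for a foreign-domain filter. The `Token` type, every function name, the `domain_config_enabled` and `apply_response_filter` flags and the sample users are assumptions made for illustration.

```python
# Added illustration; not keystone's code. All names here are hypothetical.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Token:
    scope: str                        # "system" or "domain"
    domain_id: Optional[str] = None   # set only for domain-scoped tokens


# Constructed sample data: two domains, three users.
USERS = [
    {"id": "u1", "domain_id": "domain-a"},
    {"id": "u2", "domain_id": "domain-a"},
    {"id": "u3", "domain_id": "domain-b"},
]


def normalize_domain_filter(token, requested, domain_config_enabled):
    """Choose the domain to query. With domain configuration off this step
    is short-circuited and the token's domain is never injected."""
    if requested is not None:
        return requested
    if domain_config_enabled and token.scope == "domain":
        return token.domain_id
    return None  # backend will be asked for users in every domain


def backend_list_users(domain_id):
    return [u for u in USERS if domain_id is None or u["domain_id"] == domain_id]


def list_users(token, requested_domain=None, domain_config_enabled=True,
               apply_response_filter=True):
    hint = normalize_domain_filter(token, requested_domain, domain_config_enabled)
    refs = backend_list_users(hint)
    if apply_response_filter and token.scope == "domain":
        # Does not depend on normalization having run. A filter naming
        # another domain leaves nothing: empty list, not an HTTP 403.
        refs = [u for u in refs if u["domain_id"] == token.domain_id]
    return refs


def ids(refs):
    return [u["id"] for u in refs]
```

Calling `list_users` with `apply_response_filter=False` and `domain_config_enabled=False` reproduces the cross-domain leak the filter is there to prevent.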