project admin unable to fetch its own domain

Bug #1810983 reported by Guang Yee
Affects                        | Status        | Importance | Assigned to    | Milestone
-------------------------------|---------------|------------|----------------|----------
OpenStack Identity (keystone)  | Fix Committed | Medium     | Lance Bragstad |
Queens                         | In Progress   | Medium     | Guang Yee      |
Rocky                          | Fix Committed | Medium     | Guang Yee      |

Bug Description

NOTE: This bug impacts stable/rocky and possibly stable/queens release. Master branch is not impacted.

The "RULE_ADMIN_OR_TARGET_DOMAIN" rule, which protects the "get_domain" API, no longer works in stable/rocky.

https://github.com/openstack/keystone/blob/stable/rocky/keystone/common/policies/base.py#L21
https://github.com/openstack/keystone/blob/stable/rocky/keystone/common/policies/domain.py#L18

This resulted in the domain admin being unable to fetch his own domain. It looks like we switched over to oslo_context around the stable/queens timeframe, and the token (TokenModel) is no longer in the auth_context, which caused this rule to fail.

'token.project.domain.id:%(target.domain.id)s'

The problem was corrected recently in the master branch by this patch

https://review.openstack.org/#/c/605539/

where the token is added back to the auth_context.

Lance Bragstad (lbragstad) wrote :

On master, this is a duplicate bug [0], which has already been fixed [1].

Keeping this as a separate bug for now since the fix to the stable branches is going to be different. We can't backport the fix to master because it requires updated versions of oslo.policy.

[0] https://bugs.launchpad.net/keystone/+bug/1794864
[1] https://review.openstack.org/#/c/605539/

Changed in keystone:
status: New → Fix Committed
importance: Undecided → Medium
Guang Yee (guang-yee) wrote :

After further investigation, it turns out my initial analysis was incorrect. It looks like we are no longer able to specify something like this for the credential match.

'token.project.domain.id'

This capability was taken away by the removal of KeystoneToken from the model by this patch.

https://review.openstack.org/#/c/577567

KeystoneToken used to be a subclass of dict which stores the token ref json.

https://github.com/openstack/keystone/blob/stable/queens/keystone/models/token_model.py#L47

TokenModel, on the other hand, is an object.

https://github.com/openstack/keystone/blob/stable/rocky/keystone/models/token_model.py#L35

From now on, I guess we'll need to use the attributes in the TokenModel or oslo_context.to_policy_values() for credential match instead. So we can change the rule to either 'token.project.domain_id' or simply 'project_domain_id'.

summary: - domain admin unable to fetch domain
+ project admin unable to fetch its own domain
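To make the credential-match failure described above concrete, here is an added example that is not part of the bug report or of keystone's code: a simplified re-implementation of the dotted-key matching that oslo.policy's generic check performs (real oslo.policy is not imported; the matcher, the `TokenObject` stand-in for Rocky's `TokenModel`, and the credential and target dictionaries are all constructed for illustration). It shows why `token.project.domain.id` matched when `token` was a dict subclass (the Queens `KeystoneToken`) and stops matching once `token` is a plain object, while the `project_domain_id` key that the fix switches to keeps working.

```python
"""Added example: why 'token.project.domain.id' stops matching once the
'token' credential is an object rather than a dict, and why the fix's
'project_domain_id' key works. Simplified re-implementation of oslo.policy's
generic check semantics; not the library itself. All data is constructed."""


class _Domain:
    def __init__(self, domain_id):
        self.id = domain_id


class _Project:
    def __init__(self, domain):
        self.domain = domain


class TokenObject:
    """Stand-in for Rocky's TokenModel: attribute access only, no item lookup."""

    def __init__(self, project_domain_id):
        self.project = _Project(_Domain(project_domain_id))


def generic_match(rule, creds, target):
    """Evaluate one 'left:%(right)s' check the way oslo.policy's GenericCheck
    does (simplified): substitute the (already flattened) target into the
    right-hand side, then walk the left-hand side through creds one dotted
    segment at a time using item lookup, and compare as strings.

    A missing key or a value that cannot be subscripted fails closed, which
    is exactly what happens when creds['token'] is an object: 'project' is
    an attribute on it, not an item, so the walk aborts and the rule denies.
    """
    kind, _, match = rule.partition(':')
    try:
        expected = match % target
    except KeyError:
        return False
    value = creds
    for part in kind.split('.'):
        try:
            value = value[part]
        except (KeyError, TypeError):
            return False
    return str(value) == expected


# Constructed identifiers and rules.
DOMAIN_ID = 'dom-1234'
OLD_RULE = 'token.project.domain.id:%(target.domain.id)s'  # broken in Rocky
NEW_RULE = 'project_domain_id:%(target.domain.id)s'        # what the fix uses
# Target as the enforcer sees it after flattening {'target': {'domain': {...}}}.
TARGET = {'target.domain.id': DOMAIN_ID}


def queens_style_creds(domain_id=DOMAIN_ID):
    """Credentials where 'token' is a dict (the old KeystoneToken shape)."""
    return {
        'token': {'project': {'domain': {'id': domain_id}}},
        'project_domain_id': domain_id,
    }


def rocky_style_creds(domain_id=DOMAIN_ID):
    """Credentials where 'token' is an object (the TokenModel shape)."""
    return {
        'token': TokenObject(domain_id),
        'project_domain_id': domain_id,
    }


def evaluate(creds, target=TARGET):
    """Return the verdict of both rules for the given credentials."""
    return {
        'old_rule': generic_match(OLD_RULE, creds, target),
        'new_rule': generic_match(NEW_RULE, creds, target),
    }


if __name__ == '__main__':
    print('queens-style creds:', evaluate(queens_style_creds()))
    print('rocky-style creds: ', evaluate(rocky_style_creds()))
    print('other domain:      ', evaluate(rocky_style_creds('dom-other')))
```

With the Rocky-shaped credentials the old rule silently denies even the legitimate domain admin, which is the symptom in the report; the new rule grants the matching domain and still denies a different one. Anyone carrying a customised policy file that uses the `token.` syntax needs to switch to the flat scope keys, as the merged fix notes.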
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/629692

Changed in keystone:
milestone: none → stein-3
milestone: stein-3 → stein-2
assignee: nobody → Lance Bragstad (lbragstad)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/rocky)

Reviewed: https://review.openstack.org/629692
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a2e307ed4d526e21cddf7551f160b587b89360e4
Submitter: Zuul
Branch: stable/rocky

commit a2e307ed4d526e21cddf7551f160b587b89360e4
Author: Guang Yee <email address hidden>
Date: Wed Jan 9 16:07:36 2019 -0800

    correct the admin_or_target_domain rule

    With the removal of KeystoneToken from the token model, we no longer
    have the ability to use the token data syntax in the policy rules.
    This change broke backward compatibility for those deploying
    customized Keystone policies. Unfortunately, we can't go back
    to KeystoneToken model as the change was tightly coupled with
    the other refactored authorization functionalities.

    Since the scope information is now available in the credential
    dictionary, we can just make use of it instead. Those who have
    custom policies must update their policy files accordingly.

    Change-Id: I83eae5c390d720da05e91264519ae01e8ca32159
    closes-bug: 1810983

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/636222

OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (stable/queens)

Change abandoned by guang-yee (<email address hidden>) on branch: stable/queens
Review: https://review.openstack.org/636222
Reason: Not needed.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 14.1.0

This issue was fixed in the openstack/keystone 14.1.0 release.
