project admin unable to fetch its own domain

Bug #1810983 reported by Guang Yee on 2019-01-08
Affects                        Importance  Assigned to
OpenStack Identity (keystone)  Medium      Unassigned
  Queens                       Medium      Unassigned
  Rocky                        Medium      Guang Yee

Bug Description

NOTE: This bug impacts stable/rocky and possibly stable/queens release. Master branch is not impacted.

The "RULE_ADMIN_OR_TARGET_DOMAIN" rule, which protects the "get_domain" API, no longer works in stable/rocky.

https://github.com/openstack/keystone/blob/stable/rocky/keystone/common/policies/base.py#L21
https://github.com/openstack/keystone/blob/stable/rocky/keystone/common/policies/domain.py#L18

This resulted in a domain admin being unable to fetch his own domain. It looks like we switched over to oslo_context around the stable/queens timeframe, and the token (TokenModel) is no longer in the auth_context, which caused this rule to fail.

'token.project.domain.id:%(target.domain.id)s'

The problem was corrected recently in the master branch by this patch

https://review.openstack.org/#/c/605539/

where the token is added back to the auth_context.

Lance Bragstad (lbragstad) wrote:

On master, this is a duplicate bug [0], which has already been fixed [1].

Keeping this as a separate bug for now since the fix to the stable branches is going to be different. We can't backport the fix to master because it requires updated versions of oslo.policy.

[0] https://bugs.launchpad.net/keystone/+bug/1794864
[1] https://review.openstack.org/#/c/605539/

Changed in keystone:
status: New → Fix Committed
importance: Undecided → Medium
Guang Yee (guang-yee) wrote:

After further investigation, it turns out my initial analysis was incorrect. Looks like we are no longer able to specify something like this for the credential match:

'token.project.domain.id'

This capability was taken away by the removal of KeystoneToken from the model by this patch.

https://review.openstack.org/#/c/577567

KeystoneToken used to be a subclass of dict which stores the token ref json.

https://github.com/openstack/keystone/blob/stable/queens/keystone/models/token_model.py#L47

TokenModel, on the other hand, is an object.

https://github.com/openstack/keystone/blob/stable/rocky/keystone/models/token_model.py#L35

From now on, I guess we'll need to use the attributes in the TokenModel or oslo_context.to_policy_values() for credential match instead. So we can change the rule to either 'token.project.domain_id' or simply 'project_domain_id'.
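The failure mode described in this thread can be reproduced without keystone or oslo.policy installed. The block below is an added illustration, not keystone's or oslo.policy's own code: generic_check() is a deliberately simplified rendering of the dotted credential lookup that a "creds.path:%(target.path)s" rule performs (the real oslo.policy check also handles literals and list values), and the credential shapes (a dict-subclass token for Queens, an attribute-bearing object with an assumed token.project.domain_id layout for Rocky, plus the flat project_domain_id key from to_policy_values()) are constructed to mirror the report rather than taken from keystone internals. It shows why 'token.project.domain.id' silently evaluates to deny once the token is an object, and that the flat 'project_domain_id' form still matches.

```python
"""Why 'token.project.domain.id:%(target.domain.id)s' denies once the token in
the policy credentials is an object instead of a dict.

Added illustration, not keystone or oslo.policy code.  generic_check() is a
simplified model of oslo.policy's GenericCheck (assumption: the real class
also handles literals and lists).  The credential and target shapes are
constructed to mirror the bug report and are assumptions about keystone
internals.
"""
from types import SimpleNamespace

# Rules from the report: the form that broke in Rocky and the two
# replacements proposed in the last comment.
RULE_NESTED_DICT = "token.project.domain.id:%(target.domain.id)s"
RULE_TOKEN_ATTR = "token.project.domain_id:%(target.domain.id)s"
RULE_FLAT = "project_domain_id:%(target.domain.id)s"


def generic_check(rule, target, creds):
    """Return True when the dotted credential path equals the target value."""
    kind, match_tmpl = rule.split(":", 1)
    try:
        match = match_tmpl % target        # expands "%(target.domain.id)s"
    except KeyError:
        return False                       # target key absent: deny
    value = creds
    try:
        for part in kind.split("."):
            value = value[part]            # needs a mapping at every level
    except (KeyError, TypeError):
        # A missing key *or* a non-subscriptable object (a TokenModel-style
        # token) makes the check fail closed.  Nothing is logged here, so the
        # operator only sees the resulting 403 on GET /v3/domains/{id}.
        return False
    return match == str(value)


class KeystoneTokenLike(dict):
    """Stand-in for Queens' KeystoneToken: a dict subclass holding token JSON."""


# Constructed Queens-style credentials: the token is a dict subclass.
QUEENS_CREDS = {
    "token": KeystoneTokenLike(project={"domain": {"id": "dom-a"}}),
    "project_domain_id": "dom-a",          # as produced by to_policy_values()
}

# Constructed Rocky-style credentials: the token is a plain object whose
# nested attributes are assumed to be token.project.domain_id.
ROCKY_CREDS = {
    "token": SimpleNamespace(project=SimpleNamespace(domain_id="dom-a")),
    "project_domain_id": "dom-a",
}


def evaluate(rule, creds, domain_id):
    """Evaluate one rule for a GET on the domain with the given id."""
    target = {"target.domain.id": domain_id}   # flattened target dict
    return generic_check(rule, target, creds)


def regression_matrix():
    """The cases a policy unit test for this bug should pin down."""
    return {
        "queens_nested_own_domain": evaluate(RULE_NESTED_DICT, QUEENS_CREDS, "dom-a"),
        "queens_nested_other_domain": evaluate(RULE_NESTED_DICT, QUEENS_CREDS, "dom-b"),
        "rocky_nested_own_domain": evaluate(RULE_NESTED_DICT, ROCKY_CREDS, "dom-a"),
        "rocky_flat_own_domain": evaluate(RULE_FLAT, ROCKY_CREDS, "dom-a"),
        "rocky_flat_other_domain": evaluate(RULE_FLAT, ROCKY_CREDS, "dom-b"),
        "rocky_attr_own_domain": evaluate(RULE_TOKEN_ATTR, ROCKY_CREDS, "dom-a"),
    }


if __name__ == "__main__":
    for case, allowed in regression_matrix().items():
        print(f"{case:28s} -> {'allow' if allowed else 'deny'}")
```

Two things worth noticing when running it. First, the nested rule does not error out against the Rocky-style credentials; it just returns False, which is exactly why the regression showed up as a 403 for legitimate domain admins rather than as a traceback. Second, under this dict-indexing lookup the attribute form 'token.project.domain_id' also evaluates to deny; whether a given oslo.policy release can descend into object attributes is something to verify against the version actually deployed, which is consistent with the remark above that the master fix depends on a newer oslo.policy. A small matrix like this, run against the real credential dict produced by the deployed keystone, is the cheapest way to catch a rule that has silently stopped matching.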

summary: - domain admin unable to fetch domain
+ project admin unable to fetch it's own domain