Token API doesn't use default roles

Bug #1818844 reported by Lance Bragstad
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Lance Bragstad
Milestone: none

Bug Description

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The token API doesn't incorporate these defaults into its default policies [1], but it should.

For example, a system reader should be able to validate tokens for other users, but only system administrators should be able to revoke them (since it's technically a writeable API).

Building these roles into the token API will make it easier for system users who aren't administrators to diagnose token issues for users.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/token.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc

Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
tags: added: policy
tags: added: default-roles
Colleen Murphy (krinkle)
Changed in keystone:
milestone: none → stein-rc1
Colleen Murphy (krinkle)
Changed in keystone:
milestone: stein-rc1 → none
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/665231

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/665231
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=092570fc5ef43497c29cf174bfff43323a49fb58
Submitter: Zuul
Branch: master

commit 092570fc5ef43497c29cf174bfff43323a49fb58
Author: Lance Bragstad <email address hidden>
Date: Thu Jun 13 20:12:56 2019 +0000

    Implement system scope and default roles for token API

    This commit adds protection testing for the token API along with
    changes to default policies to properly consume system-scope and
    default roles.

    Originally, this work was going to include the ability for project and
    domain administrators to validate, check, or revoke tokens within the
    context of their authorization (e.g., a domain administrator could
    revoke tokens on projects within their domain). This seems like extra
    work for not much benefit since we're using bearer tokens. The holder
    of the token can do anything with that token, which means they can
    validate it or revoke it without using their own token. Adding
    project and domain administrator support seems unnecessary given the
    existing functionality. If someone comes forward asking for this
    functionality, we can re-evaluate the effort. For now, this patch is
    limited to system user support, allowing them to validate, check, and
    revoke any token in the system. Service users can still validate
    tokens on behalf of users. Users can do anything they wish with their
    own tokens.

    This commit also bumps the minimum version of oslo.log so that we can
    use the official TRAIN deprecated release marker.

    Change-Id: Ia8b35258b43213bd117df4275c907aac223342b3
    Closes-Bug: 1818844
    Closes-Bug: 1750676

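The access split the bug description asks for and the commit message above settles (system readers validate and check any token, only system admins revoke, service users validate on behalf of users, and every user handles their own token) is easiest to see by running the policy strings against a few callers. The block below is an added example, not keystone's code and not oslo.policy: it is a small stand-in for oslo.policy that parses rule strings with the same `role:`, `system_scope:`, `user_id:%(...)s` and `rule:` checks and the Rocky implied-role chain (admin implies member implies reader). The rule strings, the `identity:*` policy names, the `service_role` rule and the `{"target": {"token": {...}}}` target layout are assumptions modelled from memory on keystone/common/policies/token.py after this change, and the callers and the target token are constructed for the demonstration; none of it is copied from the page.

```python
import re
from dataclasses import dataclass

# Rocky default-role hierarchy: admin implies member, member implies reader.
ROLE_IMPLIES = {"admin": {"member", "reader"}, "member": {"reader"}}

# Assumed rule strings modelled on keystone/common/policies/token.py after
# this change: reads for system readers, the token subject or a service
# user; revocation for system admins or the token subject only.
SYSTEM_READER_OR_TOKEN_SUBJECT = (
    "(role:reader and system_scope:all) or "
    "user_id:%(target.token.user_id)s or rule:service_role"
)
SYSTEM_ADMIN_OR_TOKEN_SUBJECT = (
    "(role:admin and system_scope:all) or user_id:%(target.token.user_id)s"
)
POLICIES = {
    "service_role": "role:service",
    "identity:check_token": SYSTEM_READER_OR_TOKEN_SUBJECT,     # HEAD /v3/auth/tokens
    "identity:validate_token": SYSTEM_READER_OR_TOKEN_SUBJECT,  # GET /v3/auth/tokens
    "identity:revoke_token": SYSTEM_ADMIN_OR_TOKEN_SUBJECT,     # DELETE /v3/auth/tokens
}
_TOKEN = re.compile(r"\(|\)|(?:%\([^)]*\)|[^\s()])+")  # keep %(...)s whole


@dataclass
class Credentials:  # what the caller's own token asserts
    user_id: str
    roles: set
    system_scope: str = ""  # "all" for a system-scoped token, "" otherwise


def effective_roles(roles):
    """Expand assigned roles through the implied-role chain."""
    out, todo = set(roles), list(roles)
    while todo:
        for implied in ROLE_IMPLIES.get(todo.pop(), ()):
            if implied not in out:
                out.add(implied)
                todo.append(implied)
    return out


def _parse(tokens, i=0, level=0):
    """Recursive descent: 'or' (level 0) binds looser than 'and' (level 1)."""
    if level == 2:
        return _parse_atom(tokens, i)
    op = ("or", "and")[level]
    left, i = _parse(tokens, i, level + 1)
    while i < len(tokens) and tokens[i] == op:
        right, i = _parse(tokens, i + 1, level + 1)
        left = (op, left, right)
    return left, i


def _parse_atom(tokens, i):
    if tokens[i] == "(":
        node, i = _parse(tokens, i + 1)
        if i >= len(tokens) or tokens[i] != ")":
            raise ValueError("unbalanced parentheses in rule")
        return node, i + 1
    kind, _, value = tokens[i].partition(":")  # e.g. role:reader
    return ("check", kind, value), i + 1


def _lookup(value, target):  # resolve %(dotted.path)s against the target dict
    if not (value.startswith("%(") and value.endswith(")s")):
        return value
    for part in value[2:-2].split("."):
        target = target[part]
    return target


def _evaluate(node, creds, target):
    if node[0] == "or":
        return _evaluate(node[1], creds, target) or _evaluate(node[2], creds, target)
    if node[0] == "and":
        return _evaluate(node[1], creds, target) and _evaluate(node[2], creds, target)
    _, kind, value = node
    if kind == "role":
        return value in effective_roles(creds.roles)
    if kind == "system_scope":
        return creds.system_scope == value
    if kind == "user_id":
        return creds.user_id == _lookup(value, target)
    if kind == "rule":  # named sub-rule, e.g. rule:service_role
        return enforce(value, creds, target)
    raise ValueError("unknown check type: %s" % kind)


def enforce(action, creds, target):
    """True if creds may perform action on target (oslo.policy-like)."""
    tree, _ = _parse(_TOKEN.findall(POLICIES[action]))
    return _evaluate(tree, creds, target)


def who_can_touch_alices_token():  # (may validate, may revoke) per caller
    target = {"target": {"token": {"user_id": "alice"}}}  # constructed
    callers = {
        "system reader": Credentials("auditor", {"reader"}, "all"),
        "system admin": Credentials("root", {"admin"}, "all"),
        "project admin": Credentials("pa", {"admin"}),  # no system scope
        "service user": Credentials("nova", {"service"}),
        "alice herself": Credentials("alice", {"member"}),
    }
    return {name: (enforce("identity:validate_token", c, target),
                   enforce("identity:revoke_token", c, target))
            for name, c in callers.items()}
```

The project-scoped admin row is the caveat worth noticing: `role:admin` implies `reader`, but without `system_scope:all` neither rule matches, which is the "no project or domain administrator support" outcome the commit message describes. Operators who override these defaults in policy.yaml should keep the same shape, since dropping the `system_scope:all` conjunct would let any project admin revoke any user's token.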
Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 16.0.0.0rc1

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.
