OpenStack Identity (keystone)

List role assignments by role ID may leak extra system assignments outside of filter

Bug #1858012 reported by Colleen Murphy on 2020-01-01

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Undecided	Colleen Murphy

Bug Description

If there are multiple role assignments on the system and some of the assignments use different roles, it's possible for the /v3/role_assignments?role.id={role_id} query to include some system role assignments that don't match the role ID. For example:

> curl -H "x-auth-token: $token" http://192.168.122.156/identity/v3/role_assignments?role.id=06918d98646d4584b4188671f1cef645 | jq .

{
  "role_assignments": [
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/domains/default/users/3cb997afc0ee40048bb7bdfa3ecac0e4/roles/06918d98646d4584b4188671f1cef645"
      },
      "scope": {
        "domain": {
          "id": "default"
        }
      },
      "user": {
        "id": "3cb997afc0ee40048bb7bdfa3ecac0e4"
      },
      "role": {
        "id": "06918d98646d4584b4188671f1cef645"
      }
    },
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/system/users/3cb997afc0ee40048bb7bdfa3ecac0e4/roles/06918d98646d4584b4188671f1cef645"
      },
      "scope": {
        "system": {
          "all": true
        }
      },
      "user": {
        "id": "3cb997afc0ee40048bb7bdfa3ecac0e4"
      },
      "role": {
        "id": "06918d98646d4584b4188671f1cef645"
      }
    },
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/system/users/5ee04ef91dc34c2b84ea42b8ff3ef0e2/roles/eefef753f4734dd78a4ffcc574f5f506"
      },
      "scope": {
        "system": {
          "all": true
        }
      },
      "user": {
        "id": "5ee04ef91dc34c2b84ea42b8ff3ef0e2"
      },
      "role": {
        "id": "eefef753f4734dd78a4ffcc574f5f506"
      }
    },
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/system/users/ac265ddf2d0449d5aed59f38904b4a8d/roles/6832b2d3d5254ffa813c0bbf5b9c73f3"
      },
      "scope": {
        "system": {
          "all": true
        }
      },
      "user": {
        "id": "ac265ddf2d0449d5aed59f38904b4a8d"
      },
      "role": {
        "id": "6832b2d3d5254ffa813c0bbf5b9c73f3"
      }
    }
  ],
  "links": {
    "next": null,
    "self": "http://192.168.122.156/identity/v3/role_assignments?role.id=06918d98646d4584b4188671f1cef645",
    "previous": null
  }
}

Tags:

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-01-01: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/700826

Changed in keystone:
assignee:	nobody → Colleen Murphy (krinkle)
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-01-27: Fix merged to keystone (master)

Reviewed: https://review.opendev.org/700826
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c2d88306621f890a857acd6831ea8bf073f55537
Submitter: Zuul
Branch: master

commit c2d88306621f890a857acd6831ea8bf073f55537
Author: Colleen Murphy <email address hidden>
Date: Tue Dec 31 16:22:34 2019 -0800

Fix role_assignments role.id filter

    Without this patch, if there are multiple role assignments on the system
    and they are not all the same role, querying for role assignments with
    /v3/role_assignments?role.id={role_id} may leak some role assignments
    that don't match the role_id, making the returned results incorrect.
    This patch fixes the issue by using a list comprehension instead of a
    for loop over a list that was being modified within the loop.

Change-Id: Icfce3b14abb55c6fef3de1b314cee22fc8b1d08c
Closes-bug: #1858012

Changed in keystone:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-01-27: Fix proposed to keystone (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/704453

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-01-29: Fix merged to keystone (stable/train)

Reviewed: https://review.opendev.org/704453
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4d413f1eba2d1e6b16ecd57fa27de528dd0f67cb
Submitter: Zuul
Branch: stable/train

commit 4d413f1eba2d1e6b16ecd57fa27de528dd0f67cb
Author: Colleen Murphy <email address hidden>
Date: Tue Dec 31 16:22:34 2019 -0800

Fix role_assignments role.id filter

    Change-Id: Icfce3b14abb55c6fef3de1b314cee22fc8b1d08c
    Closes-bug: #1858012
    (cherry picked from commit c2d88306621f890a857acd6831ea8bf073f55537)

tags:

added: in-stable-train

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-01-29: Fix proposed to keystone (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/704726

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-01-29: Fix merged to keystone (stable/stein)

Reviewed: https://review.opendev.org/704726
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=af470fd6394af9758a277f05744dd4544bac09e5
Submitter: Zuul
Branch: stable/stein

commit af470fd6394af9758a277f05744dd4544bac09e5
Author: Colleen Murphy <email address hidden>
Date: Tue Dec 31 16:22:34 2019 -0800

Fix role_assignments role.id filter

    Change-Id: Icfce3b14abb55c6fef3de1b314cee22fc8b1d08c
    Closes-bug: #1858012
    (cherry picked from commit c2d88306621f890a857acd6831ea8bf073f55537)
    (cherry picked from commit 4d413f1eba2d1e6b16ecd57fa27de528dd0f67cb)