List role assignments by role ID may leak extra system assignments outside of filter

Bug #1858012 reported by Colleen Murphy on 2020-01-01
Affects: OpenStack Identity (keystone)
Importance: Undecided
Assigned to: Colleen Murphy

Bug Description

If there are multiple role assignments on the system and some of the assignments use different roles, it's possible for the /v3/role_assignments?role.id={role_id} query to include some system role assignments that don't match the role ID. For example:

> curl -H "x-auth-token: $token" http://192.168.122.156/identity/v3/role_assignments?role.id=06918d98646d4584b4188671f1cef645 | jq .

{
  "role_assignments": [
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/domains/default/users/3cb997afc0ee40048bb7bdfa3ecac0e4/roles/06918d98646d4584b4188671f1cef645"
      },
      "scope": {
        "domain": {
          "id": "default"
        }
      },
      "user": {
        "id": "3cb997afc0ee40048bb7bdfa3ecac0e4"
      },
      "role": {
        "id": "06918d98646d4584b4188671f1cef645"
      }
    },
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/system/users/3cb997afc0ee40048bb7bdfa3ecac0e4/roles/06918d98646d4584b4188671f1cef645"
      },
      "scope": {
        "system": {
          "all": true
        }
      },
      "user": {
        "id": "3cb997afc0ee40048bb7bdfa3ecac0e4"
      },
      "role": {
        "id": "06918d98646d4584b4188671f1cef645"
      }
    },
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/system/users/5ee04ef91dc34c2b84ea42b8ff3ef0e2/roles/eefef753f4734dd78a4ffcc574f5f506"
      },
      "scope": {
        "system": {
          "all": true
        }
      },
      "user": {
        "id": "5ee04ef91dc34c2b84ea42b8ff3ef0e2"
      },
      "role": {
        "id": "eefef753f4734dd78a4ffcc574f5f506"
      }
    },
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/system/users/ac265ddf2d0449d5aed59f38904b4a8d/roles/6832b2d3d5254ffa813c0bbf5b9c73f3"
      },
      "scope": {
        "system": {
          "all": true
        }
      },
      "user": {
        "id": "ac265ddf2d0449d5aed59f38904b4a8d"
      },
      "role": {
        "id": "6832b2d3d5254ffa813c0bbf5b9c73f3"
      }
    }
  ],
  "links": {
    "next": null,
    "self": "http://192.168.122.156/identity/v3/role_assignments?role.id=06918d98646d4584b4188671f1cef645",
    "previous": null
  }
}

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/700826

Changed in keystone:
assignee: nobody → Colleen Murphy (krinkle)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/700826
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c2d88306621f890a857acd6831ea8bf073f55537
Submitter: Zuul
Branch: master

commit c2d88306621f890a857acd6831ea8bf073f55537
Author: Colleen Murphy <email address hidden>
Date: Tue Dec 31 16:22:34 2019 -0800

    Fix role_assignments role.id filter

    Without this patch, if there are multiple role assignments on the system
    and they are not all the same role, querying for role assignments with
    /v3/role_assignments?role.id={role_id} may leak some role assignments
    that don't match the role_id, making the returned results incorrect.
    This patch fixes the issue by using a list comprehension instead of a
    for loop over a list that was being modified within the loop.

    Change-Id: Icfce3b14abb55c6fef3de1b314cee22fc8b1d08c
    Closes-bug: #1858012

Changed in keystone:
status: In Progress → Fix Released
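As an added illustration, not keystone's own code, of the defect the commit message above names (a for loop removing entries from the list it iterates) beside the list-comprehension fix, using constructed sample assignments shaped like the system-scoped entries in the bug report's response:

```python
# Added example, not keystone's code: the filter defect named in the commit
# message (a for loop removing items from the list it iterates) beside the
# list-comprehension fix. Sample data is constructed to resemble the
# system-scoped entries in the bug report's /v3/role_assignments response.

ROLE_A = "06918d98646d4584b4188671f1cef645"  # role.id used in the report's query
ROLE_B = "eefef753f4734dd78a4ffcc574f5f506"
ROLE_C = "6832b2d3d5254ffa813c0bbf5b9c73f3"

# Constructed: one assignment with the queried role, two that the filter must drop.
SYSTEM_ASSIGNMENTS = [
    {"user_id": "3cb997afc0ee40048bb7bdfa3ecac0e4", "role_id": ROLE_A, "system": True},
    {"user_id": "5ee04ef91dc34c2b84ea42b8ff3ef0e2", "role_id": ROLE_B, "system": True},
    {"user_id": "ac265ddf2d0449d5aed59f38904b4a8d", "role_id": ROLE_C, "system": True},
]


def filter_by_role_buggy(assignments, role_id):
    """Remove non-matching entries from the list while iterating over it.

    list.remove() shifts the remaining items left, so the element that
    follows each removed one is skipped by the iterator; here ROLE_B is
    removed and ROLE_C is never examined, so it leaks into the result.
    """
    result = list(assignments)  # copy so the caller's list is not mutated
    for assignment in result:
        if assignment["role_id"] != role_id:
            result.remove(assignment)
    return result


def filter_by_role_fixed(assignments, role_id):
    """Build a new list instead of mutating the one being iterated."""
    return [a for a in assignments if a["role_id"] == role_id]


def leaked_role_ids(filtered, role_id):
    """Check a filtered result: any role_id other than the requested one
    means the filter let an assignment through that it should have dropped."""
    return sorted({a["role_id"] for a in filtered if a["role_id"] != role_id})


if __name__ == "__main__":
    buggy = filter_by_role_buggy(SYSTEM_ASSIGNMENTS, ROLE_A)
    fixed = filter_by_role_fixed(SYSTEM_ASSIGNMENTS, ROLE_A)
    print("buggy filter leaked roles:", leaked_role_ids(buggy, ROLE_A))  # [ROLE_C]
    print("fixed filter leaked roles:", leaked_role_ids(fixed, ROLE_A))  # []
```

The same `leaked_role_ids` check, run against a real `/v3/role_assignments?role.id=...` response body, is a cheap regression test for this class of filter bug.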
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/704453

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/train)

Reviewed: https://review.opendev.org/704453
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4d413f1eba2d1e6b16ecd57fa27de528dd0f67cb
Submitter: Zuul
Branch: stable/train

commit 4d413f1eba2d1e6b16ecd57fa27de528dd0f67cb
Author: Colleen Murphy <email address hidden>
Date: Tue Dec 31 16:22:34 2019 -0800

    Fix role_assignments role.id filter

    Without this patch, if there are multiple role assignments on the system
    and they are not all the same role, querying for role assignments with
    /v3/role_assignments?role.id={role_id} may leak some role assignments
    that don't match the role_id, making the returned results incorrect.
    This patch fixes the issue by using a list comprehension instead of a
    for loop over a list that was being modified within the loop.

    Change-Id: Icfce3b14abb55c6fef3de1b314cee22fc8b1d08c
    Closes-bug: #1858012
    (cherry picked from commit c2d88306621f890a857acd6831ea8bf073f55537)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/704726

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/stein)

Reviewed: https://review.opendev.org/704726
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=af470fd6394af9758a277f05744dd4544bac09e5
Submitter: Zuul
Branch: stable/stein

commit af470fd6394af9758a277f05744dd4544bac09e5
Author: Colleen Murphy <email address hidden>
Date: Tue Dec 31 16:22:34 2019 -0800

    Fix role_assignments role.id filter

    Without this patch, if there are multiple role assignments on the system
    and they are not all the same role, querying for role assignments with
    /v3/role_assignments?role.id={role_id} may leak some role assignments
    that don't match the role_id, making the returned results incorrect.
    This patch fixes the issue by using a list comprehension instead of a
    for loop over a list that was being modified within the loop.

    Change-Id: Icfce3b14abb55c6fef3de1b314cee22fc8b1d08c
    Closes-bug: #1858012
    (cherry picked from commit c2d88306621f890a857acd6831ea8bf073f55537)
    (cherry picked from commit 4d413f1eba2d1e6b16ecd57fa27de528dd0f67cb)

tags: added: in-stable-stein
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/704895

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/rocky)

Reviewed: https://review.opendev.org/704895
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a50a8973d712df2330827916b3aaa9f5dbebd849
Submitter: Zuul
Branch: stable/rocky

commit a50a8973d712df2330827916b3aaa9f5dbebd849
Author: Colleen Murphy <email address hidden>
Date: Tue Dec 31 16:22:34 2019 -0800

    Fix role_assignments role.id filter

    Without this patch, if there are multiple role assignments on the system
    and they are not all the same role, querying for role assignments with
    /v3/role_assignments?role.id={role_id} may leak some role assignments
    that don't match the role_id, making the returned results incorrect.
    This patch fixes the issue by using a list comprehension instead of a
    for loop over a list that was being modified within the loop.

    Conflicts:
           keystone/tests/unit/protection/v3/test_assignment.py

    Protection unit tests do not exist on this branch (stable/rocky) so
    there is no need to modify the test_assignment.py protection tests.

    Change-Id: Icfce3b14abb55c6fef3de1b314cee22fc8b1d08c
    Closes-bug: #1858012
    (cherry picked from commit c2d88306621f890a857acd6831ea8bf073f55537)
    (cherry picked from commit 4d413f1eba2d1e6b16ecd57fa27de528dd0f67cb)
    (cherry picked from commit af470fd6394af9758a277f05744dd4544bac09e5)

tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 14.2.0

This issue was fixed in the openstack/keystone 14.2.0 release.
