List role assignments by role ID may leak extra system assignments outside of filter

Bug #1858012 reported by Colleen Murphy on 2020-01-01
Affects: OpenStack Identity (keystone)
Importance: Undecided
Assigned to: Colleen Murphy

Bug Description

If there are multiple role assignments on the system and some of the assignments use different roles, it's possible for the /v3/role_assignments?role.id={role_id} query to include some system role assignments that don't match the role ID. For example:

> curl -H "x-auth-token: $token" http://192.168.122.156/identity/v3/role_assignments?role.id=06918d98646d4584b4188671f1cef645 | jq .

{
  "role_assignments": [
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/domains/default/users/3cb997afc0ee40048bb7bdfa3ecac0e4/roles/06918d98646d4584b4188671f1cef645"
      },
      "scope": {
        "domain": {
          "id": "default"
        }
      },
      "user": {
        "id": "3cb997afc0ee40048bb7bdfa3ecac0e4"
      },
      "role": {
        "id": "06918d98646d4584b4188671f1cef645"
      }
    },
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/system/users/3cb997afc0ee40048bb7bdfa3ecac0e4/roles/06918d98646d4584b4188671f1cef645"
      },
      "scope": {
        "system": {
          "all": true
        }
      },
      "user": {
        "id": "3cb997afc0ee40048bb7bdfa3ecac0e4"
      },
      "role": {
        "id": "06918d98646d4584b4188671f1cef645"
      }
    },
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/system/users/5ee04ef91dc34c2b84ea42b8ff3ef0e2/roles/eefef753f4734dd78a4ffcc574f5f506"
      },
      "scope": {
        "system": {
          "all": true
        }
      },
      "user": {
        "id": "5ee04ef91dc34c2b84ea42b8ff3ef0e2"
      },
      "role": {
        "id": "eefef753f4734dd78a4ffcc574f5f506"
      }
    },
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/system/users/ac265ddf2d0449d5aed59f38904b4a8d/roles/6832b2d3d5254ffa813c0bbf5b9c73f3"
      },
      "scope": {
        "system": {
          "all": true
        }
      },
      "user": {
        "id": "ac265ddf2d0449d5aed59f38904b4a8d"
      },
      "role": {
        "id": "6832b2d3d5254ffa813c0bbf5b9c73f3"
      }
    }
  ],
  "links": {
    "next": null,
    "self": "http://192.168.122.156/identity/v3/role_assignments?role.id=06918d98646d4584b4188671f1cef645",
    "previous": null
  }
}

Fix proposed to branch: master
Review: https://review.opendev.org/700826

Changed in keystone:
assignee: nobody → Colleen Murphy (krinkle)
status: New → In Progress

Reviewed: https://review.opendev.org/700826
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c2d88306621f890a857acd6831ea8bf073f55537
Submitter: Zuul
Branch: master

commit c2d88306621f890a857acd6831ea8bf073f55537
Author: Colleen Murphy <email address hidden>
Date: Tue Dec 31 16:22:34 2019 -0800

    Fix role_assignments role.id filter

    Without this patch, if there are multiple role assignments on the system
    and they are not all the same role, querying for role assignments with
    /v3/role_assignments?role.id={role_id} may leak some role assignments
    that don't match the role_id, making the returned results incorrect.
    This patch fixes the issue by using a list comprehension instead of a
    for loop over a list that was being modified within the loop.

    Change-Id: Icfce3b14abb55c6fef3de1b314cee22fc8b1d08c
    Closes-bug: #1858012
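The commit message above attributes the leak to a for loop over a list that was modified inside the loop. The following is an added example, not keystone's own code: it reproduces that mutate-while-iterating pattern on a constructed list of four assignments shaped like the ones in the bug report, shows the list-comprehension form the fix switched to, and adds a small check that takes a /v3/role_assignments response body and returns any entries whose role.id does not match the role.id the request filtered on. The field names `user_id`/`role_id` in the flattened sample and the function names are this example's own; the keystone source is not shown on this page, so the example reproduces the mechanism rather than the exact four-entry output in the report.

```python
# Added example (not keystone code): the list-mutation defect described in the
# commit message, the list-comprehension fix, and a response-side check for
# role.id filter violations. All sample data below is constructed.

TARGET_ROLE = "06918d98646d4584b4188671f1cef645"  # role.id used in the report


def sample_assignments():
    """Constructed: the four assignments from the bug output, flattened to the
    fields the filter looks at (field names are this example's own)."""
    return [
        {"scope": {"domain": {"id": "default"}},
         "user_id": "3cb997afc0ee40048bb7bdfa3ecac0e4", "role_id": TARGET_ROLE},
        {"scope": {"system": {"all": True}},
         "user_id": "3cb997afc0ee40048bb7bdfa3ecac0e4", "role_id": TARGET_ROLE},
        {"scope": {"system": {"all": True}},
         "user_id": "5ee04ef91dc34c2b84ea42b8ff3ef0e2",
         "role_id": "eefef753f4734dd78a4ffcc574f5f506"},
        {"scope": {"system": {"all": True}},
         "user_id": "ac265ddf2d0449d5aed59f38904b4a8d",
         "role_id": "6832b2d3d5254ffa813c0bbf5b9c73f3"},
    ]


def filter_by_role_buggy(assignments, role_id):
    """Defective pattern: remove from the very list being iterated.

    list.remove() shifts every later element one slot to the left, so the
    element right after a removed one is skipped by the iterator and survives
    the filter even though its role does not match.
    """
    for assignment in assignments:
        if assignment["role_id"] != role_id:
            assignments.remove(assignment)
    return assignments


def filter_by_role_fixed(assignments, role_id):
    """Corrected pattern: build a new list; the input is never mutated."""
    return [a for a in assignments if a["role_id"] == role_id]


def sample_response():
    """Constructed: the JSON body from the bug report, reduced to the fields
    the check below reads."""
    return {"role_assignments": [
        {"scope": {"domain": {"id": "default"}}, "role": {"id": TARGET_ROLE}},
        {"scope": {"system": {"all": True}}, "role": {"id": TARGET_ROLE}},
        {"scope": {"system": {"all": True}},
         "role": {"id": "eefef753f4734dd78a4ffcc574f5f506"}},
        {"scope": {"system": {"all": True}},
         "role": {"id": "6832b2d3d5254ffa813c0bbf5b9c73f3"}},
    ]}


def assignments_violating_filter(response, role_id):
    """Entries of a /v3/role_assignments body whose role.id differs from the
    role.id the request filtered on. Empty means the filter was honoured; any
    entry here is the kind of leak this bug describes and should be treated as
    a server-side filtering fault rather than a real assignment of role_id."""
    return [a for a in response.get("role_assignments", [])
            if a.get("role", {}).get("id") != role_id]


if __name__ == "__main__":
    print("buggy:", [a["role_id"] for a in
                     filter_by_role_buggy(sample_assignments(), TARGET_ROLE)])
    print("fixed:", [a["role_id"] for a in
                     filter_by_role_fixed(sample_assignments(), TARGET_ROLE)])
    print("violations in report body:",
          len(assignments_violating_filter(sample_response(), TARGET_ROLE)))
```

On the constructed list the buggy loop drops the third assignment but never visits the fourth, so one non-matching system assignment is returned; the comprehension returns only the two matching entries and leaves the input intact. The response check is the operational takeaway for anyone auditing role assignments against an unpatched release: compare every returned role.id to the filter rather than trusting the server to have applied it.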

Changed in keystone:
status: In Progress → Fix Released

Reviewed: https://review.opendev.org/704453
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4d413f1eba2d1e6b16ecd57fa27de528dd0f67cb
Submitter: Zuul
Branch: stable/train

commit 4d413f1eba2d1e6b16ecd57fa27de528dd0f67cb
Author: Colleen Murphy <email address hidden>
Date: Tue Dec 31 16:22:34 2019 -0800

    Fix role_assignments role.id filter

    Without this patch, if there are multiple role assignments on the system
    and they are not all the same role, querying for role assignments with
    /v3/role_assignments?role.id={role_id} may leak some role assignments
    that don't match the role_id, making the returned results incorrect.
    This patch fixes the issue by using a list comprehension instead of a
    for loop over a list that was being modified within the loop.

    Change-Id: Icfce3b14abb55c6fef3de1b314cee22fc8b1d08c
    Closes-bug: #1858012
    (cherry picked from commit c2d88306621f890a857acd6831ea8bf073f55537)

tags: added: in-stable-train

Reviewed: https://review.opendev.org/704726
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=af470fd6394af9758a277f05744dd4544bac09e5
Submitter: Zuul
Branch: stable/stein

commit af470fd6394af9758a277f05744dd4544bac09e5
Author: Colleen Murphy <email address hidden>
Date: Tue Dec 31 16:22:34 2019 -0800

    Fix role_assignments role.id filter

    Without this patch, if there are multiple role assignments on the system
    and they are not all the same role, querying for role assignments with
    /v3/role_assignments?role.id={role_id} may leak some role assignments
    that don't match the role_id, making the returned results incorrect.
    This patch fixes the issue by using a list comprehension instead of a
    for loop over a list that was being modified within the loop.

    Change-Id: Icfce3b14abb55c6fef3de1b314cee22fc8b1d08c
    Closes-bug: #1858012
    (cherry picked from commit c2d88306621f890a857acd6831ea8bf073f55537)
    (cherry picked from commit 4d413f1eba2d1e6b16ecd57fa27de528dd0f67cb)

tags: added: in-stable-stein

Reviewed: https://review.opendev.org/704895
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a50a8973d712df2330827916b3aaa9f5dbebd849
Submitter: Zuul
Branch: stable/rocky

commit a50a8973d712df2330827916b3aaa9f5dbebd849
Author: Colleen Murphy <email address hidden>
Date: Tue Dec 31 16:22:34 2019 -0800

    Fix role_assignments role.id filter

    Without this patch, if there are multiple role assignments on the system
    and they are not all the same role, querying for role assignments with
    /v3/role_assignments?role.id={role_id} may leak some role assignments
    that don't match the role_id, making the returned results incorrect.
    This patch fixes the issue by using a list comprehension instead of a
    for loop over a list that was being modified within the loop.

    Conflicts:
           keystone/tests/unit/protection/v3/test_assignment.py

    Protection unit tests do not exist on this branch (stable/rocky) so
    there is no need to modify the test_assignment.py protection tests.

    Change-Id: Icfce3b14abb55c6fef3de1b314cee22fc8b1d08c
    Closes-bug: #1858012
    (cherry picked from commit c2d88306621f890a857acd6831ea8bf073f55537)
    (cherry picked from commit 4d413f1eba2d1e6b16ecd57fa27de528dd0f67cb)
    (cherry picked from commit af470fd6394af9758a277f05744dd4544bac09e5)

tags: added: in-stable-rocky

This issue was fixed in the openstack/keystone 14.2.0 release.
