OpenStack Identity (keystone)

  1. Bug #1873290
  2. Comment #42

Comment 42 for bug 1873290

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/725885
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6c73690f779a42a5c62914b6bc37f0ac2f41a3e3
Submitter: Zuul
Branch: master

commit 6c73690f779a42a5c62914b6bc37f0ac2f41a3e3
Author: Colleen Murphy <email address hidden>
Date: Thu Apr 16 20:35:46 2020 -0700

    Ensure OAuth1 authorized roles are respected

    Without this patch, when an OAuth1 request token is authorized with a
    limited set of roles, the roles for the access token are ignored when
    the user uses it to request a keystone token. This means that user of an
    access token can use it to escallate their role assignments beyond what
    was authorized by the creator. This patch fixes the issue by ensuring
    the token model accounts for an OAuth1-scoped token and correctly
    populating the roles for it.

    Change-Id: I02f9836fbd4d7e629653977fc341476cfd89859e
    Closes-bug: #1873290