Without this patch, when an OAuth1 request token is authorized with a
limited set of roles, the roles for the access token are ignored when
the user uses it to request a keystone token. This means that user of an
access token can use it to escallate their role assignments beyond what
was authorized by the creator. This patch fixes the issue by ensuring
the token model accounts for an OAuth1-scoped token and correctly
populating the roles for it.
Change-Id: I02f9836fbd4d7e629653977fc341476cfd89859e
Closes-bug: #1873290
(cherry picked from commit 6c73690f779a42a5c62914b6bc37f0ac2f41a3e3)
(cherry picked from commit ba89d27793c2d3a26ad95642660fa9bd820ed3be)
(cherry picked from commit 5ff52dbaa2082991d229d8557a8e4b65256d6c53)
Reviewed: https:/ /review. opendev. org/725892 /git.openstack. org/cgit/ openstack/ keystone/ commit/ ?id=330911cee48 b5105ec121d96b2 3aed197551b561
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit 330911cee48b510 5ec121d96b23aed 197551b561
Author: Colleen Murphy <email address hidden>
Date: Thu Apr 16 20:35:46 2020 -0700
Ensure OAuth1 authorized roles are respected
Without this patch, when an OAuth1 request token is authorized with a
limited set of roles, the roles for the access token are ignored when
the user uses it to request a keystone token. This means that user of an
access token can use it to escallate their role assignments beyond what
was authorized by the creator. This patch fixes the issue by ensuring
the token model accounts for an OAuth1-scoped token and correctly
populating the roles for it.
Change-Id: I02f9836fbd4d7e 629653977fc3414 76cfd89859e 5c62914b6bc37f0 ac2f41a3e3) 26ad95642660fa9 bd820ed3be) 1d229d8557a8e4b 65256d6c53)
Closes-bug: #1873290
(cherry picked from commit 6c73690f779a42a
(cherry picked from commit ba89d27793c2d3a
(cherry picked from commit 5ff52dbaa208299