OpenStack Identity (keystone)

  1. Bug #968696
  2. Comment #72

Comment 72 for bug 968696

Revision history for this message
Marc Heckmann (marc-w-heckmann) wrote :

I'm not sure if this is still the best place to address the issue, but despite having patched my Newton based lab with commits ca73d296bd5a16435dd35cd0818f4b0a16bc2d02 and ef48072d94f780ebaacee8c3ddf02a68193fa74d ("Fix cloud_admin rule and ensure only project tokens can be cloud admin"), a domain scoped token is still marked as "is_admin_project=True". This has the effect that some projects treat a domain scoped token with the admin role on any given domain as Cloud Admin. This is the case in Neutron for instance.

This happens because when the token is initially created the function that populates the is_admin_project property doesn't set it since it's not a project token. The problem is that "is_admin_project" then defaults to true later on (to support legacy behavior). The "is_admin_project" property function that was added to the Token class in the previously mentioned patch never seems to get called either.

Maybe I'm wrong but a quick glance of Ocata code doesn't make me think that this has changed in that release.

The following quick patch fixes it for me:

--- keystone/token/providers/common.py.orig 2017-03-01 21:09:57.221278528 +0000
+++ keystone/token/providers/common.py 2017-03-01 21:09:51.134244716 +0000
@@ -315,11 +315,15 @@
         if not (admin_project_name and admin_project_domain_name):
             return # admin project not enabled

- project = token_data['project']
-
- token_data['is_admin_project'] = (
- project['name'] == admin_project_name and
- project['domain']['name'] == admin_project_domain_name)
+ # Since 'is_admin_project' only supported for project scoped tokens,
+ # return False if not project scoped
+ if 'project' in token_data:
+ project = token_data['project']
+ token_data['is_admin_project'] = (
+ project['name'] == admin_project_name and
+ project['domain']['name'] == admin_project_domain_name)
+ else:
+ token_data['is_admin_project'] = False

     def _get_roles_for_user(self, user_id, domain_id, project_id):
         roles = []
@@ -576,8 +580,7 @@
             token_data['bind'] = bind

         self._populate_scope(token_data, domain_id, project_id)
- if token_data.get('project'):
- self._populate_is_admin_project(token_data)
+ self._populate_is_admin_project(token_data)
         self._populate_user(token_data, user_id, trust)
         self._populate_roles(token_data, user_id, domain_id, project_id, trust,
                              access_token)