Ubuntu
keystone package

Application credentials can't be used with group-only role assignments

Bug #1773967 reported by Colleen Murphy
76
This bug affects 12 people
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
High
Jose Castro Leon
Ubuntu Cloud Archive
Fix Released
Undecided
Unassigned
keystone (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

If a user only has a role assignment on a project via a group membership, the user can create an application credential for the project but it cannot be used. If someone tries to use it, the debug logs will report:

 User <uuid> has no access to project <uuid>

We need to ensure that any application credential that is created can be used so long as it is not expired and the user exists and has access to the project they created the application credential for. If we decide that application credentials should not be valid for users who have no explicit role assignments on projects, then we should prevent it from being created and provide a useful message to the user.

This is probably related to https://bugs.launchpad.net/keystone/+bug/1589993

Lance Bragstad (lbragstad)
Changed in keystone:
status: New → Confirmed
importance: Undecided → High
Rajat Sharma (tajar29)
Changed in keystone:
assignee: nobody → Rajat Sharma (tajar29)
Revision history for this message
Adam Young (ayoung) wrote :

Look at the trust code, as it solves this problem. Trusts and App Creds should use common code.

Vishakha Agarwal (vishakha.agarwal)
Changed in keystone:
assignee: Rajat Sharma (tajar29) → Vishakha Agarwal (vishakha.agarwal)
Revision history for this message
Edward Konetzko (konetzed) wrote :

Any update on this? I just ran into this issue and spent some time in IRC debugging with lbragstad I am willing to take a hacky patch I can apply to keystone 14 release. I am using Centos 7 with Openstack Rocky installed.

Thanks

Revision history for this message
Vishakha Agarwal (vishakha.agarwal) wrote :

Hi Edward,

I haven't started working over it. Pl feel free to assign this to yourself and push patch for it.

Thanks.

Revision history for this message
Colleen Murphy (krinkle) wrote :

Relatedly, application credentials don't work with implied roles. Since we now have the "member" role by default imply the "reader" role, the "reader" role appears in the token body and the user is allowed to create an application credential with it, but since it is not part of the role assignments table, the application credential can't then be used with just the "reader" role.

OpenStack Infra (hudson-openstack)
Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Jose Castro Leon (jose-castro-leon)
status: Confirmed → In Progress
Revision history for this message
Dmitrii Shcherbakov (dmitriis) wrote :

Encountered the same with a federation use-case. A user doesn't have direct role assignments for a project and the user is also not present in a group (in the keystone db) that has a role assignment on the project. However, the federated domain-scoped token and a project-scoped token created based on the federated one both have group membership information present => the user has the Member role on the project.

Trying to create an application credential (from Horizon) results in the following logged at the Keystone side:

(keystone.policy.backends.rules): 2019-05-14 09:01:42,703 DEBUG enforce identity:create_application_credential: {'trust_id': None, 'trustor_id': None, 'trustee_id': None, 'domain_id': None, 'domain_name': None, 'group_ids': ['a82a32cc8c8540afb47d0f568d035e91'], 'token': <TokenModel (audit_id=EhAR7yT8Q4-W1TURPGeXrg, audit_chain_id=['EhAR7yT8Q4-W1TURPGeXrg']) at 0x7f5b466ce550>, 'user_id': '7c2cd54542714c82a0854d4b159deaf2', 'user_domain_id': 'Federated', 'system_scope': None, 'project_id': '07d0c2ef8af340a9b2e07d2f82d5a65a', 'project_domain_id': '4787f8cd807f4d67bf5bf70b84fd3dc2', 'roles': ['Member'], 'is_admin_project': False, 'service_user_id': None, 'service_user_domain_id': None, 'service_project_id': None, 'service_project_domain_id': None, 'service_roles': []}

(keystone.common.wsgi): 2019-05-14 09:01:33,026 WARNING Invalid application credential: Could not find role assignment with role: f82ad8932d8f4f69ab4199aee3b4b736, user or group: 7c2cd54542714c82a0854d4b159deaf2, project, domain, or system: 07d0c2ef8af340a9b2e07d2f82d5a65a.

f82ad8932d8f4f69ab4199aee3b4b736 - Member role (global, domain == None)
7c2cd54542714c82a0854d4b159deaf2 - a shadow-mapped (federated) user
07d0c2ef8af340a9b2e07d2f82d5a65a - the target project.

Revision history for this message
Dmitrii Shcherbakov (dmitriis) wrote :

I filed a separate issue for what was described in #5 because the original bug description says that an application credential can be created, whereas in #5 it cannot be created and the failure happens before the application credential is persisted into the Keystone db.

https://bugs.launchpad.net/keystone/+bug/1832092

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/669886

Changed in keystone:
assignee: Jose Castro Leon (jose-castro-leon) → Gauvain Pocentek (gpocentek)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Gauvain Pocentek (<email address hidden>) on branch: master
Review: https://review.opendev.org/669886

Gauvain Pocentek (gpocentek)
Changed in keystone:
assignee: Gauvain Pocentek (gpocentek) → nobody
OpenStack Infra (hudson-openstack)
Changed in keystone:
assignee: nobody → Colleen Murphy (krinkle)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/655166
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=14b25bc5d18842210cfffe1afdca475e848b84aa
Submitter: Zuul
Branch: master

commit 14b25bc5d18842210cfffe1afdca475e848b84aa
Author: Jose Castro Leon <email address hidden>
Date: Tue Apr 23 15:38:16 2019 +0200

    Allows to use application credentials through group membership

    When using role assignment through groups, the user cannot use
    the application credentials created. This allows to look up
    the membership by checking inherited and group assignments.

    Change-Id: If1bf5bd785a494923303265797311d42018ba7af
    Closes-Bug: #1773967

Changed in keystone:
status: In Progress → Fix Released
Colleen Murphy (krinkle)
Changed in keystone:
assignee: Colleen Murphy (krinkle) → Jose Castro Leon (jose-castro-leon)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/676200

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in keystone (Ubuntu):
status: New → Confirmed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 16.0.0.0rc1

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/stein)

Reviewed: https://review.opendev.org/676200
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=933ea511d150ed2cbbd4265fc7513a9b3435baa2
Submitter: Zuul
Branch: stable/stein

commit 933ea511d150ed2cbbd4265fc7513a9b3435baa2
Author: Jose Castro Leon <email address hidden>
Date: Tue Apr 23 15:38:16 2019 +0200

    Allows to use application credentials through group membership

    When using role assignment through groups, the user cannot use
    the application credentials created. This allows to look up
    the membership by checking inherited and group assignments.

    Change-Id: If1bf5bd785a494923303265797311d42018ba7af
    Closes-Bug: #1773967
    (cherry picked from commit 14b25bc5d18842210cfffe1afdca475e848b84aa)

tags: added: in-stable-stein
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/689575

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/694096

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/rocky)

Reviewed: https://review.opendev.org/689575
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cf83fc10569e7b52eeb52c0e164dfe36daeec309
Submitter: Zuul
Branch: stable/rocky

commit cf83fc10569e7b52eeb52c0e164dfe36daeec309
Author: Jose Castro Leon <email address hidden>
Date: Tue Apr 23 15:38:16 2019 +0200

    Allows to use application credentials through group membership

    When using role assignment through groups, the user cannot use
    the application credentials created. This allows to look up
    the membership by checking inherited and group assignments.

    Change-Id: If1bf5bd785a494923303265797311d42018ba7af
    Closes-Bug: #1773967
    (cherry picked from commit 14b25bc5d18842210cfffe1afdca475e848b84aa)
    (cherry picked from commit 933ea511d150ed2cbbd4265fc7513a9b3435baa2)

tags: added: in-stable-rocky
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/queens)

Reviewed: https://review.opendev.org/694096
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=578be15629a84d1edcfda546a93b7ccbb6959720
Submitter: Zuul
Branch: stable/queens

commit 578be15629a84d1edcfda546a93b7ccbb6959720
Author: Jose Castro Leon <email address hidden>
Date: Tue Apr 23 15:38:16 2019 +0200

    Allows to use application credentials through group membership

    When using role assignment through groups, the user cannot use
    the application credentials created. This allows to look up
    the membership by checking inherited and group assignments.

    Conflicts:
        This change conflicts with newer branches because most of the
        logic in keystone/token/providers/common.py was refactored into
        keystone/models/token_model.py during the Rocky release. This
        refactor causes the stable/queens version to diverge from
        stable/rocky, stable/stein, and stable/train patches, although it
        is functionally equivalent to the approach used in later releases.

    Change-Id: If1bf5bd785a494923303265797311d42018ba7af
    Closes-Bug: #1773967
    (cherry picked from commit 14b25bc5d18842210cfffe1afdca475e848b84aa)
    (cherry picked from commit 933ea511d150ed2cbbd4265fc7513a9b3435baa2)
    (cherry picked from commit cf83fc10569e7b52eeb52c0e164dfe36daeec309)

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 14.2.0

This issue was fixed in the openstack/keystone 14.2.0 release.

Chris MacNaughton (chris.macnaughton)
Changed in keystone (Ubuntu):
status: Confirmed → Fix Released
Changed in cloud-archive:
status: New → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone queens-eol

This issue was fixed in the openstack/keystone queens-eol release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.