yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1197874] Re: User roles are replaced by group roles in v3 tokens

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Alan Pevec <1197874@xxxxxxxxxxxxxxxxxx>
Date: Thu, 08 Aug 2013 19:59:14 -0000
Reply-to: Bug 1197874 <1197874@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: keystone/grizzly
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1197874

Title:
  User roles are replaced by group roles in v3 tokens

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone grizzly series:
  Fix Released

Bug description:
  For v3 tokens, if there are any group roles for the required scope
  (e.g. domain or project), then ONLY these roles will be returned, at
  the expense of any non-group (i.e directly assigned) roles.

  This is caused by incorrect coding in the driver calls of
  "get_roles_for_user_and_project()" and
  "get_roles_for_user_and_domain()" where a dict update method is used
  to try and add group roles into the user ones.  Incredibly, despite
  lots of unit testing around this area, there isn't one that checks
  that both user and group roles are returned.

  The v2 tokens are unaffected, since they don't call these functions,
  but rather add the group roles in manually.

  The problem was discovered when implementing
  https://blueprints.launchpad.net/keystone/+spec/authenticate-role-
  rationalization which looked to handle all such role combination in
  one place.  Since I suspect we will want to back-port this particular
  fix to stable/grizzly, I have broken this out as a separate patch.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1197874/+subscriptions