yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #06269
[Bug 1242855] Re: [OSSA 2013-028] Removing role adds role with LDAP backend
** Changed in: keystone
Status: Fix Committed => Fix Released
** Changed in: keystone
Milestone: None => icehouse-1
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1242855
Title:
[OSSA 2013-028] Removing role adds role with LDAP backend
Status in OpenStack Identity (Keystone):
Fix Released
Status in Keystone grizzly series:
Fix Committed
Status in Keystone havana series:
Fix Committed
Status in OpenStack Security Advisories:
Fix Released
Bug description:
Using the LDAP assignment backend, if you attempt to remove a role
from a user on a tenant and the user doesn't have that role on the
tenant then the user is actually granted the role on the tenant. Also,
the role must not have been granted to anyone on the tenant before.
To recreate
0) Start with devstack, configured with LDAP (note especially to set
KEYSTONE_ASSIGNMENT_BACKEND):
In localrc,
enable_service ldap
KEYSTONE_IDENTITY_BACKEND=ldap
KEYSTONE_ASSIGNMENT_BACKEND=ldap
1) set up environment with OS_USERNAME=admin
export OS_USERNAME=admin
...
2) Create a new user, give admin role, list roles:
$ keystone user-create --name blktest1 --pass blkpwd
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | |
| enabled | True |
| id | 3b71182dc36e45c6be4733d508201694 |
| name | blktest1 |
+----------+----------------------------------+
$ keystone user-role-add --user blktest1 --role admin --tenant service
(no output)
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+----------------------------------+-------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+-------+----------------------------------+----------------------------------+
| 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
+----------------------------------+-------+----------------------------------+----------------------------------+
3) Remove a role from that user that they don't have (using otherrole
here since devstack sets it up):
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name
service user-role-remove --user blktest1 --role anotherrole --tenant
service
- Expected to fail with 404, but it doesn't!
4) List roles as that user:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+----------------------------------+-------------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+-------------+----------------------------------+----------------------------------+
| 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
| afe23e7955704ccfad803b4a104b28a7 | anotherrole | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
+----------------------------------+-------------+----------------------------------+----------------------------------+
- Expected to not include the role that was just removed!
5) Remove the role again:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name
service user-role-remove --user blktest1 --role anotherrole --tenant
service
- No errors, which I guess is expected since list just said they had
the role...
6) List roles, and now it's gone:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+----------------------------------+-------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+-------+----------------------------------+----------------------------------+
| 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
+----------------------------------+-------+----------------------------------+----------------------------------+
7) Remove role again:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
Could not find user, 3b71182dc36e45c6be4733d508201694. (HTTP 404)
- Strangely says user not found rather than role not assigned.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1242855/+subscriptions