← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1242855] Re: [OSSA 2013-028] Removing role adds role with LDAP backend

 

** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => icehouse-1

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1242855

Title:
  [OSSA 2013-028] Removing role adds role with LDAP backend

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone grizzly series:
  Fix Committed
Status in Keystone havana series:
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  Using the LDAP assignment backend, if you attempt to remove a role
  from a user on a tenant and the user doesn't have that role on the
  tenant then the user is actually granted the role on the tenant. Also,
  the role must not have been granted to anyone on the tenant before.

  To recreate

  0) Start with devstack, configured with LDAP (note especially to set
  KEYSTONE_ASSIGNMENT_BACKEND):

  In localrc,
   enable_service ldap
   KEYSTONE_IDENTITY_BACKEND=ldap
   KEYSTONE_ASSIGNMENT_BACKEND=ldap

  1) set up environment with OS_USERNAME=admin

  export OS_USERNAME=admin
  ...

  2) Create a new user, give admin role, list roles:

  $ keystone user-create --name blktest1 --pass blkpwd
  +----------+----------------------------------+
  | Property |              Value               |
  +----------+----------------------------------+
  |  email   |                                  |
  | enabled  |               True               |
  |    id    | 3b71182dc36e45c6be4733d508201694 |
  |   name   |             blktest1             |
  +----------+----------------------------------+

  $ keystone user-role-add --user blktest1 --role admin --tenant service
  (no output)

  $ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
  +----------------------------------+-------+----------------------------------+----------------------------------+
  |                id                |  name |             user_id              |            tenant_id             |
  +----------------------------------+-------+----------------------------------+----------------------------------+
  | 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
  +----------------------------------+-------+----------------------------------+----------------------------------+

  3) Remove a role from that user that they don't have (using otherrole
  here since devstack sets it up):

  $ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name
  service user-role-remove --user blktest1 --role anotherrole --tenant
  service

  - Expected to fail with 404, but it doesn't!

  4) List roles as that user:

  $ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
  +----------------------------------+-------------+----------------------------------+----------------------------------+
  |                id                |     name    |             user_id              |            tenant_id             |
  +----------------------------------+-------------+----------------------------------+----------------------------------+
  | 1c39fab0fa9a4a68b307e7ce1535c62b |    admin    | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
  | afe23e7955704ccfad803b4a104b28a7 | anotherrole | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
  +----------------------------------+-------------+----------------------------------+----------------------------------+

  - Expected to not include the role that was just removed!

  5) Remove the role again:

  $ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name
  service user-role-remove --user blktest1 --role anotherrole --tenant
  service

  - No errors, which I guess is expected since list just said they had
  the role...

  6) List roles, and now it's gone:

  $ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
  +----------------------------------+-------+----------------------------------+----------------------------------+
  |                id                |  name |             user_id              |            tenant_id             |
  +----------------------------------+-------+----------------------------------+----------------------------------+
  | 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
  +----------------------------------+-------+----------------------------------+----------------------------------+

  7) Remove role again:

  $ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
  Could not find user, 3b71182dc36e45c6be4733d508201694. (HTTP 404)

  - Strangely says user not found rather than role not assigned.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1242855/+subscriptions