yahoo-eng-team team mailing list archive

[Bug 1261104] [NEW] trustee not able to perform role operations

 

Public bug reported:

There is a conditional in the trust controller that is issued for all
role based operations (get/list/check) roles

def _admin_trustor_trustee_only(context, trust, user_id):
    if (user_id != trust.get('trustor_user_id') and
            user_id != trust.get('trustor_user_id') and
            context['is_admin']):
        raise exception.Forbidden()

There are two checks for matching trustor, when one should be trustee.
Also the admin check is pointless, since it should be just trustee or trustor.

** Affects: keystone
     Importance: Undecided
     Assignee: Steve Martinelli (stevemar)
         Status: In Progress

** Description changed:

  There is a conditional in the trust controller that is issued for all
  role based operations (get/list/check) roles
  
- _admin_trustor_trustee_only(context, trust, user_id):	37	def _trustor_trustee_only(trust, user_id):
-     if (user_id != trust.get('trustor_user_id') and  user_id != trust.get('trustor_user_id') and context['is_admin']):		
-        raise exception.Forbidden()
+ _admin_trustor_trustee_only(context, trust, user_id):
+     if (user_id != trust.get('trustor_user_id') and  user_id != trust.get('trustor_user_id') and context['is_admin']):
+        raise exception.Forbidden()
  
- There are two checks for matching trustor, when one should be trustee. 
+ There are two checks for matching trustor, when one should be trustee.
  Also the admin check is pointless, since it should be just trustee or trustor.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1261104

Title:
  trustee not able to perform role operations

Status in OpenStack Identity (Keystone):
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1261104/+subscriptions
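
Added example (not part of the bug report or Keystone's own code): a decision table comparing the conditional as quoted in the report with a check that admits only the trustor and the trustee, which is what the report says it should do. The Forbidden class, the function names, the trust dict and the user IDs are constructed for illustration.

```python
# Added example: decision table for the conditional quoted in the report
# versus a check that admits only the trustor and the trustee.
# Forbidden, the function names, TRUST and the user IDs are constructed.
from itertools import product


class Forbidden(Exception):
    """Stand-in for keystone's exception.Forbidden."""


def check_as_reported(context, trust, user_id):
    # Conditional as quoted in the report: trustor_user_id is compared
    # twice, and the result is gated on context['is_admin'].
    if (user_id != trust.get('trustor_user_id') and
            user_id != trust.get('trustor_user_id') and
            context['is_admin']):
        raise Forbidden()


def check_trustor_trustee_only(trust, user_id):
    # What the report asks for: only the trustor or the trustee passes.
    if (user_id != trust.get('trustor_user_id') and
            user_id != trust.get('trustee_user_id')):
        raise Forbidden()


def allowed(check, *args):
    """Return True if the check passes, False if it raises Forbidden."""
    try:
        check(*args)
        return True
    except Forbidden:
        return False


TRUST = {'trustor_user_id': 'alice', 'trustee_user_id': 'bob'}  # constructed


def decision_table():
    """Map (user_id, is_admin) -> (reported_allows, corrected_allows)."""
    table = {}
    for user_id, is_admin in product(('alice', 'bob', 'carol'), (False, True)):
        ctx = {'is_admin': is_admin}
        table[(user_id, is_admin)] = (
            allowed(check_as_reported, ctx, TRUST, user_id),
            allowed(check_trustor_trustee_only, TRUST, user_id),
        )
    return table
```

Rows where the two columns of decision_table() differ are the cases a regression test for this check should pin down: the trustee with is_admin set, and a user who is neither trustor nor trustee with is_admin unset.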

