
yahoo-eng-team team mailing list archive

[Bug 1385533] [NEW] Tokens issued from a saml2 auth ignore inheritance of group roles


Public bug reported:

When building the roles in a Keystone token from a saml2 token, we call
assignment_api.get_roles_for_groups() to add in any group roles.  This
appears to ignore the inheritance flag on the assignment - and puts in
all group roles whether inherited or not.  This means the wrong roles
can end up in the resulting Keystone token.

** Affects: keystone
     Importance: High
         Status: New

** Changed in: keystone
   Importance: Undecided => High

** Description changed:

  When building the roles in a Keystone  token from a saml2 token, we call
  assignment_api.get_roles_for_groups() to add in any group roles.  This
  appears to ignore the inheritance flag on the assignment - and puts in
- all roles whether inherited or not.  This means the wrong roles can end
- up in the resulting Keystone token
+ all group roles whether inherited or not.  This means the wrong roles
+ can end up in the resulting Keystone token.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1385533

Title:
  Tokens issued from a saml2 auth ignore inheritance of group roles

Status in OpenStack Identity (Keystone):
  New

Bug description:
  When building the roles in a Keystone token from a saml2 token, we
  call assignment_api.get_roles_for_groups() to add in any group roles.
  This appears to ignore the inheritance flag on the assignment - and
  puts in all group roles whether inherited or not.  This means the
  wrong roles can end up in the resulting Keystone token.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1385533/+subscriptions
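The report above describes group role assignments being copied into a federated token without consulting the inherited flag. The following is an added illustration, not Keystone's own code: it contrasts the behaviour the report describes (every group role is returned) with a scope-aware resolver that honours the flag. The data model is an assumption modelled on Keystone's OS-INHERIT semantics as understood here (an inherited domain assignment applies to projects in that domain but not to the domain itself; a non-inherited assignment applies only to the exact target), and the group ids are assumed to come from the saml2 mapping stage. All assignments, groups and projects below are constructed sample data.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class Project:
    id: str
    domain_id: str


@dataclass(frozen=True)
class GroupAssignment:
    """One role assignment granted to a group (assumed shape, not Keystone's)."""
    group_id: str
    role: str
    domain_id: Optional[str] = None    # set for domain-level assignments
    project_id: Optional[str] = None   # set for project-level assignments
    inherited: bool = False            # the "inheritance flag" from the bug report


def roles_ignoring_inheritance(assignments: Iterable[GroupAssignment],
                               group_ids: Set[str]) -> Set[str]:
    """Behaviour the report describes: every role of every matching group,
    regardless of scope or the inherited flag."""
    return {a.role for a in assignments if a.group_id in group_ids}


def effective_project_roles(assignments: Iterable[GroupAssignment],
                            group_ids: Set[str], project: Project) -> Set[str]:
    """Roles a project-scoped token should carry.

    Assumed rules: a non-inherited assignment on exactly this project counts;
    an inherited assignment on the project's domain counts; everything else
    (other projects, other domains, non-inherited domain roles) does not.
    """
    roles: Set[str] = set()
    for a in assignments:
        if a.group_id not in group_ids:
            continue
        direct = a.project_id == project.id and not a.inherited
        via_domain = a.domain_id == project.domain_id and a.inherited
        if direct or via_domain:
            roles.add(a.role)
    return roles


def effective_domain_roles(assignments: Iterable[GroupAssignment],
                           group_ids: Set[str], domain_id: str) -> Set[str]:
    """Roles a domain-scoped token should carry: only non-inherited
    assignments made directly on that domain."""
    return {a.role for a in assignments
            if a.group_id in group_ids
            and a.domain_id == domain_id
            and not a.inherited}


# Constructed sample data (not from the bug report).
SAMPLE_ASSIGNMENTS = [
    GroupAssignment("g1", "admin", domain_id="d1", inherited=True),   # to projects in d1
    GroupAssignment("g1", "member", domain_id="d1", inherited=False), # to domain d1 only
    GroupAssignment("g2", "reader", project_id="p1", inherited=False),
]
SAMPLE_GROUPS = {"g1", "g2"}          # groups the saml2 mapping produced for the user
P1 = Project("p1", "d1")
P2 = Project("p2", "d2")


def compare(project: Project):
    """Return (buggy, correct) role sets for a project-scoped token."""
    return (roles_ignoring_inheritance(SAMPLE_ASSIGNMENTS, SAMPLE_GROUPS),
            effective_project_roles(SAMPLE_ASSIGNMENTS, SAMPLE_GROUPS, project))


if __name__ == "__main__":
    for proj in (P1, P2):
        buggy, correct = compare(proj)
        print(f"{proj.id}: ignoring flag -> {sorted(buggy)}, honouring flag -> {sorted(correct)}")
    print("domain d1:", sorted(effective_domain_roles(SAMPLE_ASSIGNMENTS, SAMPLE_GROUPS, "d1")))
```

Running the block shows the over-grant the report is about: for project p2 in an unrelated domain, the flag-ignoring path still yields admin, member and reader, while the scope-aware resolver yields nothing. A token-issuance path that takes the first result would hand a federated user roles on projects the assignments never covered.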

