yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1389752] Re: Project tokens issued from a saml2 auth are missing inherited group roles

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Morgan Fainberg <morgan.fainberg@xxxxxxxxx>
Date: Wed, 28 Jan 2015 18:28:07 -0000
Reply-to: Bug 1389752 <1389752@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Also affects: keystone/juno
   Importance: Undecided
       Status: New

** Changed in: keystone/juno
   Importance: Undecided => High

** Changed in: keystone/juno
       Status: New => In Progress

** Changed in: keystone/juno
     Assignee: (unassigned) => Brant Knudson (blk-u)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1389752

Title:
  Project tokens issued from a saml2 auth are missing inherited group
  roles

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone juno series:
  In Progress

Bug description:
  When building the roles in a Keystone token from a saml2 token, we
  call assignment_api.get_roles_for_groups() to add in any group roles.
  This appears to ignore the inheritance flag on the assignment - and
  puts in all group roles whether inherited or not. This means the wrong
  roles can end up in the resulting Keystone token.

  The implication is that project scoped tokens would not get any group
  roles that should be inherited from the domain.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1389752/+subscriptions

References

[Bug 1389752] [NEW] Project tokens issued from a saml2 auth are missing inherited group roles
From: Henry Nash, 2014-11-05