yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1385533] Re: Domain tokens issued from a saml2 auth incorrectly includes group roles marked as inherited

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Chuck Short <chuck.short@xxxxxxxxxxxxx>
Date: Thu, 05 Feb 2015 15:12:44 -0000
Reply-to: Bug 1385533 <1385533@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: keystone/juno
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1385533

Title:
  Domain tokens issued from a saml2 auth incorrectly includes group
  roles marked as inherited

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone juno series:
  Fix Released

Bug description:
  When building the roles in a Keystone  token from a saml2 token, we
  call assignment_api.get_roles_for_groups() to add in any group roles.
  This appears to ignore the inheritance flag on the assignment - and
  puts in all group roles whether inherited or not.  This means the
  wrong roles can end up in the resulting Keystone token.

  The implication is that domain scoped tokens would incorrectly get
  roles that were meant to be inherited (only) to projects within that
  domain.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1385533/+subscriptions

References

[Bug 1385533] [NEW] Tokens issued from a saml2 auth ignore inheritance of group roles
From: Henry Nash, 2014-10-25