
yahoo-eng-team team mailing list archive

[Bug 1435396] Re: No notifications for role grants using v2

 

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security reviewers
for the affected project or projects confirm the bug and discuss the
scope of any vulnerability along with potential solutions.

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1435396

Title:
  No notifications for role grants using v2

Status in OpenStack Identity (Keystone):
  In Progress
Status in OpenStack Security Advisories:
  Incomplete

Bug description:
  
  If you use the v3 API to add or remove role grants, you get notifications that it happened, but if you use the v2.0 API, you don't get notifications.

  Keystone needs to send notifications when the v2 API is used, also.

  For example, start with devstack, then grant a role:

  $ keystone user-role-add --user demo --tenant admin --role admin
     - gets a notification for identity.authenticate, but none for identity.created.role_assignment

  Same for revoke:

  $ keystone user-role-remove --user demo --tenant admin --role admin
     - gets a notification for identity.authenticate, but none for identity.deleted.role_assignment

  v3 works fine:

  $ curl -X PUT -H "X-Auth-Token: $TOKEN" http://localhost:5000/v3/projects/$PROJECT_ID/users/$USER_ID/roles/$ROLE_ID

  $ curl -X DELETE -H "X-Auth-Token: $TOKEN" http://localhost:5000/v3/projects/$PROJECT_ID/users/$USER_ID/roles/$ROLE_ID

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1435396/+subscriptions

