yahoo-eng-team team mailing list archive

[Bug 1590578] [NEW] global role should not be able to imply domain-specific role

 

Public bug reported:

Global roles should only be able to imply other global roles; they should
not be able to imply domain-specific roles. Domain-specific role
visibility should be limited to its owning domain only.

To reproduce:

1. create a domain-specific role "foo_domain_role" in domain "foo".
2. create a global role "foo_admin".
3. PUT /v3/roles/<foo_admin_role_id>/implies/<foo_domain_role_id>
4. list implied roles for "foo_admin" and you'll see the imply relationship

vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/45038d5e628b44c1857f33e839b06c77/implies | python -mjson.tool
{
    "role_inference": {
        "implies": [
            {
                "id": "306b6d6f97084df983a6f2fa30cf1163",
                "links": {
                    "self": "http://10.0.2.15/identity/v3/roles/306b6d6f97084df983a6f2fa30cf1163"
                },
                "name": "foo_domain_role"
            },
            {
                "id": "c256b7047f514515b3138d9efb594b21",
                "links": {
                    "self": "http://10.0.2.15/identity/v3/roles/c256b7047f514515b3138d9efb594b21"
                },
                "name": "bar_admin"
            }
        ],
        "prior_role": {
            "id": "45038d5e628b44c1857f33e839b06c77",
            "links": {
                "self": "http://10.0.2.15/identity/v3/roles/45038d5e628b44c1857f33e839b06c77"
            },
            "name": "foo_admin"
        }
    }
}
vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/45038d5e628b44c1857f33e839b06c77 | python -mjson.tool
{
    "role": {
        "domain_id": null,
        "id": "45038d5e628b44c1857f33e839b06c77",
        "links": {
            "self": "http://10.0.2.15/identity/v3/roles/45038d5e628b44c1857f33e839b06c77"
        },
        "name": "foo_admin"
    }
}
vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/306b6d6f97084df983a6f2fa30cf1163 | python -mjson.tool
{
    "role": {
        "domain_id": "0ba1cc88be31429d98866d101d1ed0ba",
        "id": "306b6d6f97084df983a6f2fa30cf1163",
        "links": {
            "self": "http://10.0.2.15/identity/v3/roles/306b6d6f97084df983a6f2fa30cf1163"
        },
        "name": "foo_domain_role"
    }
}

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1590578

Title:
  global role should not be able to imply domain-specific role

Status in OpenStack Identity (keystone):
  New
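The check the report asks for, written here as an added example rather than Keystone's own code: it applies the rule to role records shaped like the /v3/roles/<id> responses above (only id, name and domain_id are used) and audits a role_inference listing, which omits domain_id, so each implied role has to be fetched. The allowance for a domain-specific role to imply a global role is an assumption not stated in the report; bar_admin's domain_id is likewise not shown and is assumed null.

```python
from typing import Dict, List, Optional

Role = Dict[str, Optional[str]]


def is_global(role: Role) -> bool:
    """A role whose domain_id is null is global; any other is domain-specific."""
    return role.get("domain_id") is None


def implied_role_is_allowed(prior: Role, implied: Role) -> bool:
    """True if `prior` may imply `implied`.

    * a global role may only imply other global roles (the report's point);
    * a domain-specific role may imply a role of its own domain, never one
      from another domain; letting it imply a global role is an assumption.
    """
    if is_global(prior):
        return is_global(implied)
    return is_global(implied) or implied.get("domain_id") == prior.get("domain_id")


def audit_role_inference(listing: dict, roles_by_id: Dict[str, Role]) -> List[str]:
    """Names of implied roles that break the rule, given the body of
    GET /v3/roles/<id>/implies and full role records looked up by id."""
    inference = listing["role_inference"]
    prior = roles_by_id[inference["prior_role"]["id"]]
    return [
        roles_by_id[r["id"]]["name"]
        for r in inference["implies"]
        if not implied_role_is_allowed(prior, roles_by_id[r["id"]])
    ]


# Constructed sample using the ids and domain_ids printed in the report.
FOO_ADMIN_ID = "45038d5e628b44c1857f33e839b06c77"
FOO_DOMAIN_ROLE_ID = "306b6d6f97084df983a6f2fa30cf1163"
BAR_ADMIN_ID = "c256b7047f514515b3138d9efb594b21"
ROLES: Dict[str, Role] = {
    FOO_ADMIN_ID: {"id": FOO_ADMIN_ID, "name": "foo_admin", "domain_id": None},
    FOO_DOMAIN_ROLE_ID: {"id": FOO_DOMAIN_ROLE_ID, "name": "foo_domain_role",
                         "domain_id": "0ba1cc88be31429d98866d101d1ed0ba"},
    BAR_ADMIN_ID: {"id": BAR_ADMIN_ID, "name": "bar_admin", "domain_id": None},  # assumed global
}
# Shape of the role_inference listing from the report, minus links.
LISTING = {"role_inference": {"prior_role": {"id": FOO_ADMIN_ID},
                              "implies": [{"id": FOO_DOMAIN_ROLE_ID}, {"id": BAR_ADMIN_ID}]}}

if __name__ == "__main__":
    print("violations:", audit_role_inference(LISTING, ROLES))
```

Running the audit over the listing from the report flags foo_domain_role and accepts bar_admin.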
