
yahoo-eng-team team mailing list archive

[Bug 1788694] [NEW] System scoped tokens don't expand role assignments


Public bug reported:

In Rocky, keystone adds support for two additional roles, one called
'reader' and the other called 'member'. These are in addition to the
'admin' role that has been supported for some time.

Since there is now more than one officially supported role, it was
decided to imply relationships between them. The 'admin' role implies
'member' which implies 'reader'. This means users with a 'member' role
assignment on a target get the 'reader' role implied. Users with the
'admin' role assignment on a target get the 'member' and 'reader' roles
implied. This helps simplify assignment structure.

This information should be relayed in token response bodies and appears
to be the case for project-scoped tokens [0]. System scoped tokens
however are lacking the expanded role assignments via implied roles in
the response body [1].

To recreate:

 - authenticate for a project-scoped token as a user with at least the member role on a project
 - observe that the token response body contains both 'member' and 'reader'
 - authenticate for a system-scoped token as a user with 'member' or 'admin' role on the system
 - observe that the token response body only contains a single role instead of all implied roles


[0] http://paste.openstack.org/show/728709/
[1] http://paste.openstack.org/show/728708/

** Affects: keystone
     Importance: High
         Status: Triaged


** Tags: rocky-backport-potential

** Description changed:

  In Rocky keystone add support for two additional roles, one called
  'reader' and the other called 'member'. These are in addition to the
  'admin' role that has been supported for some time.
  
  Since there is now more than one officially supported role, it was
  decided to imply relationships between them. The 'admin' role implies
  'member' which implies 'reader'. This means users with a 'member' role
  assignment on a target get the 'reader' role implied. Users with the
  'admin' role assignment on a target get the 'member' and 'reader' roles
  implied. This helps simplify assignment structure.
  
  This information should be relayed in token response bodies and appears
  to be the case for project-scoped tokens [0]. System scoped tokens
  however are lacking the expanded role assignments via implied roles in
  the response body [1].
  
  To recreate:
  
-  - authenticate for a project-scoped token as a user with at least the member role on a project
-  - observe that the token response body contains both 'member' and 'reader'
-  - authenticate for a system-scoped token as a user with 'member' or 'admin' role on the system
-  - observe that the token response body only contains a single role instead of all implied roles
+  - authenticate for a project-scoped token as a user with at least the member role on a project
+  - observe that the token response body contains both 'member' and 'reader'
+  - authenticate for a system-scoped token as a user with 'member' or 'admin' role on the system
+  - observe that the token response body only contains a single role instead of all implied roles
+ 
+ 
+ [0] http://paste.openstack.org/show/728709/
+ [1] http://paste.openstack.org/show/728708/

** Changed in: keystone
       Status: New => Triaged

** Changed in: keystone
   Importance: Undecided => High

** Tags added: rocky-backport-potential

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1788694


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1788694/+subscriptions
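The behaviour the report expects can be stated as a small check: take the roles actually assigned on the scope target, walk the implied-role graph ('admin' implies 'member' implies 'reader') to its transitive closure, and compare that set with the `roles` list in the token response. The code below is an added illustration written for this archive page; it is not keystone's implementation. The implied-role graph and the two token bodies are constructed to mirror the report (the pasted bodies at [0] and [1] are not reproduced), and only the shape of a v3 token response (`token.roles` as a list of `{id, name}`) is taken as given.

```python
"""Added example: expand implied roles the way a keystone token response
should list them, then check a token body for a missing expansion.
Illustrative code for this note, not keystone's own implementation."""

from collections import deque

# Constructed implied-role graph matching the bug report:
# admin -> member -> reader.
IMPLIED_ROLES = {
    "admin": {"member"},
    "member": {"reader"},
    "reader": set(),
}


def expand_roles(assigned, implied=IMPLIED_ROLES):
    """Return the transitive closure of `assigned` over the implication graph.

    A breadth-first walk with a visited set, so a cyclic or repeated
    implication cannot loop forever and every role is reported once.
    """
    seen = set()
    queue = deque(assigned)
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        queue.extend(implied.get(role, ()))
    return seen


def token_roles(token_body):
    """Collect the role names listed in a v3 token response body."""
    return {r["name"] for r in token_body["token"].get("roles", [])}


def missing_implied_roles(token_body, assigned):
    """Roles that should appear in the token (assigned plus implied) but do not."""
    return expand_roles(assigned) - token_roles(token_body)


# Constructed sample bodies (hypothetical ids; not the pasted bodies from the
# report). A project-scoped token that lists the implied 'reader' correctly ...
PROJECT_TOKEN = {
    "token": {
        "project": {"id": "p1"},
        "roles": [
            {"id": "r-member", "name": "member"},
            {"id": "r-reader", "name": "reader"},
        ],
    }
}

# ... and a system-scoped token showing the reported defect: only the
# directly assigned 'admin' role, without 'member' and 'reader'.
SYSTEM_TOKEN = {
    "token": {
        "system": {"all": True},
        "roles": [{"id": "r-admin", "name": "admin"}],
    }
}


if __name__ == "__main__":
    print("project token missing:", missing_implied_roles(PROJECT_TOKEN, {"member"}))
    print("system token missing:", missing_implied_roles(SYSTEM_TOKEN, {"admin"}))
```

Run against a real deployment, `missing_implied_roles` applied to a system-scoped token body for an 'admin' user returns an empty set once the bug is fixed and `{'member', 'reader'}` while it is present; policy checks that match on 'reader' or 'member' are what silently fail in the latter case, which is why the expansion matters beyond the response body's completeness.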

