
yahoo-eng-team team mailing list archive

[Bug 1788694] Related fix merged to keystone (master)


Reviewed:  https://review.openstack.org/596356
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6d7cfdb4ba5b8ce81d656dd22316505af6d382b8
Submitter: Zuul
Branch:    master

commit 6d7cfdb4ba5b8ce81d656dd22316505af6d382b8
Author: Lance Bragstad <lbragstad@xxxxxxxxx>
Date:   Fri Aug 24 13:56:37 2018 +0000

    Add test case for expanding implied roles in system tokens
    
    If a user has a role assignment on the system, which implies another
    role assignment, the system-scoped token response should include
    both role assignments.
    
    This patch exposes a bug in the system-scoped token implementation
    where implied roles aren't expanded out before returning the
    token response to the user.
    
    Change-Id: I176bbbda9658a54f6873a4009938f140a5b1a33e
    Related-Bug: 1788694


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1788694

Title:
  System scoped tokens don't expand role assignments

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  In Rocky, keystone added support for two additional roles, one called
  'reader' and the other called 'member'. These are in addition to the
  'admin' role that has been supported for some time.

  Since there is now more than one officially supported role, it was
  decided to imply relationships between them. The 'admin' role implies
  'member' which implies 'reader'. This means users with a 'member' role
  assignment on a target get the 'reader' role implied. Users with the
  'admin' role assignment on a target get the 'member' and 'reader'
  roles implied. This helps simplify assignment structure.

  This information should be relayed in token response bodies, and this
  appears to be the case for project-scoped tokens [0]. System-scoped
  tokens, however, are lacking the expanded role assignments via implied
  roles in the response body [1].

  To recreate:

   - authenticate for a project-scoped token as a user with at least the member role on a project
   - observe that the token response body contains both 'member' and 'reader'
   - authenticate for a system-scoped token as a user with 'member' or 'admin' role on the system
   - observe that the token response body only contains a single role instead of all implied roles

  
  [0] http://paste.openstack.org/show/728709/
  [1] http://paste.openstack.org/show/728708/

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1788694/+subscriptions
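The role expansion the report expects from a token body, written out as an added example (this is not keystone's own code, and the token body layout it checks is a simplified stand-in for the real v3 response, which is an assumption). It implements the 'admin' -> 'member' -> 'reader' chain from the description, expands an arbitrary set of direct assignments to their transitive closure, and then compares a token body against that expectation so that a system-scoped token missing its implied roles is reported the way step four of the reproduction observes it.

```python
"""Expand implied role assignments the way a keystone token body should.

Added example, not keystone's own code. Role names and the implication
chain follow the bug report (admin -> member -> reader); the token body
layout used by check_token_roles is a simplified stand-in for the real
keystone v3 response and is an assumption.
"""

# Implication map from the bug report: each role implies every role
# listed for it. Constructed for this example; keystone keeps these
# rules in its database rather than in a literal like this.
IMPLIED_ROLES = {
    "admin": ["member"],
    "member": ["reader"],
}


def expand_implied_roles(direct_roles, implications=IMPLIED_ROLES):
    """Return the transitive closure of direct_roles under implications.

    Keystone rejects circular implications when they are created, but the
    walk below tolerates cycles anyway (a role already seen is skipped) so
    a stale or hand-edited rule table cannot make this loop forever.
    """
    expanded = set()
    stack = list(direct_roles)
    while stack:
        role = stack.pop()
        if role in expanded:
            continue
        expanded.add(role)
        stack.extend(implications.get(role, ()))
    return sorted(expanded)


def check_token_roles(token_body, direct_roles, implications=IMPLIED_ROLES):
    """Compare the roles in a token body against the expected expansion.

    token_body is a dict shaped like the "token" object of a keystone v3
    response: {"roles": [{"name": ...}, ...]}. Returns the sorted list of
    roles the body should contain but does not (empty when it is correct).
    """
    present = {r["name"] for r in token_body.get("roles", [])}
    expected = set(expand_implied_roles(direct_roles, implications))
    return sorted(expected - present)


if __name__ == "__main__":
    # Constructed token bodies mirroring the report's two observations:
    # the project-scoped token carries both roles, the system-scoped one
    # carries only the direct assignment.
    project_token = {"roles": [{"name": "member"}, {"name": "reader"}]}
    system_token = {"roles": [{"name": "member"}]}
    print(check_token_roles(project_token, ["member"]))  # []
    print(check_token_roles(system_token, ["member"]))   # ['reader']
```

To use this against a live deployment, feed `check_token_roles` the `token` object from the POST /v3/auth/tokens response and the user's direct assignments on the target; a non-empty result for a system-scoped token is the symptom this bug describes.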