yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1825991] [NEW] Usage of application credentials through group membership does not work

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Jose Castro Leon <jose.castro.leon@xxxxxxx>
Date: Tue, 23 Apr 2019 13:35:09 -0000
Reply-to: Bug 1825991 <1825991@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

If you have a user with a role assigned through group membership to a
project, you are able to create an application credential for that
project. But you can't use it later.

When you try to use it the authenticate method will throw 401
Unauthorized.

Checking a bit the code the issue seems to be in the token_model as it
only checks for direct assignments of the user missing all the roles
that can be inherited or coming through group membership.

https://github.com/openstack/keystone/blob/master/keystone/models/token_model.py#L409-L421

** Affects: keystone
Importance: Undecided
Status: New

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1825991

Title:
Usage of application credentials through group membership does not
work

Status in OpenStack Identity (keystone):
New

Bug description:
If you have a user with a role assigned through group membership to a
project, you are able to create an application credential for that
project. But you can't use it later.

When you try to use it the authenticate method will throw 401
Unauthorized.

Checking a bit the code the issue seems to be in the token_model as it
only checks for direct assignments of the user missing all the roles
that can be inherited or coming through group membership.

https://github.com/openstack/keystone/blob/master/keystone/models/token_model.py#L409-L421

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1825991/+subscriptions