
yahoo-eng-team team mailing list archive

[Bug 1858012] [NEW] List role assignments by role ID may leak extra system assignments outside of filter

 

Public bug reported:

If there are multiple role assignments on the system and some of the
assignments use different roles, it's possible for the
/v3/role_assignments?role.id={role_id} query to include some system role
assignments that don't match the role ID. For example:

> curl -H "x-auth-token: $token" http://192.168.122.156/identity/v3/role_assignments?role.id=06918d98646d4584b4188671f1cef645 | jq .

{
  "role_assignments": [
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/domains/default/users/3cb997afc0ee40048bb7bdfa3ecac0e4/roles/06918d98646d4584b4188671f1cef645"
      },
      "scope": {
        "domain": {
          "id": "default"
        }
      },
      "user": {
        "id": "3cb997afc0ee40048bb7bdfa3ecac0e4"
      },
      "role": {
        "id": "06918d98646d4584b4188671f1cef645"
      }
    },
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/system/users/3cb997afc0ee40048bb7bdfa3ecac0e4/roles/06918d98646d4584b4188671f1cef645"
      },
      "scope": {
        "system": {
          "all": true
        }
      },
      "user": {
        "id": "3cb997afc0ee40048bb7bdfa3ecac0e4"
      },
      "role": {
        "id": "06918d98646d4584b4188671f1cef645"
      }
    },
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/system/users/5ee04ef91dc34c2b84ea42b8ff3ef0e2/roles/eefef753f4734dd78a4ffcc574f5f506"
      },
      "scope": {
        "system": {
          "all": true
        }
      },
      "user": {
        "id": "5ee04ef91dc34c2b84ea42b8ff3ef0e2"
      },
      "role": {
        "id": "eefef753f4734dd78a4ffcc574f5f506"
      }
    },
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/system/users/ac265ddf2d0449d5aed59f38904b4a8d/roles/6832b2d3d5254ffa813c0bbf5b9c73f3"
      },
      "scope": {
        "system": {
          "all": true
        }
      },
      "user": {
        "id": "ac265ddf2d0449d5aed59f38904b4a8d"
      },
      "role": {
        "id": "6832b2d3d5254ffa813c0bbf5b9c73f3"
      }
    }
  ],
  "links": {
    "next": null,
    "self": "http://192.168.122.156/identity/v3/role_assignments?role.id=06918d98646d4584b4188671f1cef645",
    "previous": null
  }
}

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1858012

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1858012/+subscriptions
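
A client-side check for the behaviour reported above, as an added example that is not part of the original bug report or of keystone's code: it reads the role.id filter back from links.self and lists every returned assignment whose role does not match it. The function names are hypothetical, and SAMPLE is a trimmed copy of the response shown in the report.

```python
import json
from urllib.parse import urlparse, parse_qs

# Trimmed copy of the response in the report (per-entry links omitted).
SAMPLE = json.loads("""
{
  "role_assignments": [
    {"scope": {"domain": {"id": "default"}},
     "user": {"id": "3cb997afc0ee40048bb7bdfa3ecac0e4"},
     "role": {"id": "06918d98646d4584b4188671f1cef645"}},
    {"scope": {"system": {"all": true}},
     "user": {"id": "3cb997afc0ee40048bb7bdfa3ecac0e4"},
     "role": {"id": "06918d98646d4584b4188671f1cef645"}},
    {"scope": {"system": {"all": true}},
     "user": {"id": "5ee04ef91dc34c2b84ea42b8ff3ef0e2"},
     "role": {"id": "eefef753f4734dd78a4ffcc574f5f506"}},
    {"scope": {"system": {"all": true}},
     "user": {"id": "ac265ddf2d0449d5aed59f38904b4a8d"},
     "role": {"id": "6832b2d3d5254ffa813c0bbf5b9c73f3"}}
  ],
  "links": {"self": "http://192.168.122.156/identity/v3/role_assignments?role.id=06918d98646d4584b4188671f1cef645"}
}
""")


def requested_role_id(response):
    """Recover the role.id filter from links.self, or None if no filter was sent."""
    query = parse_qs(urlparse(response["links"]["self"]).query)
    values = query.get("role.id")
    return values[0] if values else None


def find_leaked_assignments(response):
    """Return (scope_type, actor_id, role_id) for entries that escape the filter."""
    wanted = requested_role_id(response)
    if wanted is None:
        return []  # unfiltered listing: nothing to compare against
    leaked = []
    for entry in response.get("role_assignments", []):
        role_id = entry.get("role", {}).get("id")
        if role_id != wanted:
            scope = next(iter(entry.get("scope", {})), "unknown")
            actor = entry.get("user") or entry.get("group") or {}
            leaked.append((scope, actor.get("id"), role_id))
    return leaked


if __name__ == "__main__":
    for scope, actor, role in find_leaked_assignments(SAMPLE):
        print(f"leak: {scope}-scoped assignment, actor {actor}, role {role}")
```

A caller that depends on the filter can use the same comparison to drop non-matching entries before acting on the list.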

