
yahoo-eng-team team mailing list archive

[Bug 1858012] Re: List role assignments by role ID may leak extra system assignments outside of filter

 

Reviewed:  https://review.opendev.org/700826
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c2d88306621f890a857acd6831ea8bf073f55537
Submitter: Zuul
Branch:    master

commit c2d88306621f890a857acd6831ea8bf073f55537
Author: Colleen Murphy <colleen.murphy@xxxxxxxx>
Date:   Tue Dec 31 16:22:34 2019 -0800

    Fix role_assignments role.id filter
    
    Without this patch, if there are multiple role assignments on the system
    and they are not all the same role, querying for role assignments with
    /v3/role_assignments?role.id={role_id} may leak some role assignments
    that don't match the role_id, making the returned results incorrect.
    This patch fixes the issue by using a list comprehension instead of a
    for loop over a list that was being modified within the loop.
    
    Change-Id: Icfce3b14abb55c6fef3de1b314cee22fc8b1d08c
    Closes-bug: #1858012


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1858012

Title:
  List role assignments by role ID may leak extra system assignments
  outside of filter

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  If there are multiple role assignments on the system and some of the
  assignments use different roles, it's possible for the
  /v3/role_assignments?role.id={role_id} query to include some system
  role assignments that don't match the role ID. For example:

  > curl -H "x-auth-token: $token" \
      "http://192.168.122.156/identity/v3/role_assignments?role.id=06918d98646d4584b4188671f1cef645" \
      | jq .

  {
    "role_assignments": [
      {
        "links": {
          "assignment": "http://192.168.122.156/identity/v3/domains/default/users/3cb997afc0ee40048bb7bdfa3ecac0e4/roles/06918d98646d4584b4188671f1cef645"
        },
        "scope": {
          "domain": {
            "id": "default"
          }
        },
        "user": {
          "id": "3cb997afc0ee40048bb7bdfa3ecac0e4"
        },
        "role": {
          "id": "06918d98646d4584b4188671f1cef645"
        }
      },
      {
        "links": {
          "assignment": "http://192.168.122.156/identity/v3/system/users/3cb997afc0ee40048bb7bdfa3ecac0e4/roles/06918d98646d4584b4188671f1cef645"
        },
        "scope": {
          "system": {
            "all": true
          }
        },
        "user": {
          "id": "3cb997afc0ee40048bb7bdfa3ecac0e4"
        },
        "role": {
          "id": "06918d98646d4584b4188671f1cef645"
        }
      },
      {
        "links": {
          "assignment": "http://192.168.122.156/identity/v3/system/users/5ee04ef91dc34c2b84ea42b8ff3ef0e2/roles/eefef753f4734dd78a4ffcc574f5f506"
        },
        "scope": {
          "system": {
            "all": true
          }
        },
        "user": {
          "id": "5ee04ef91dc34c2b84ea42b8ff3ef0e2"
        },
        "role": {
          "id": "eefef753f4734dd78a4ffcc574f5f506"
        }
      },
      {
        "links": {
          "assignment": "http://192.168.122.156/identity/v3/system/users/ac265ddf2d0449d5aed59f38904b4a8d/roles/6832b2d3d5254ffa813c0bbf5b9c73f3"
        },
        "scope": {
          "system": {
            "all": true
          }
        },
        "user": {
          "id": "ac265ddf2d0449d5aed59f38904b4a8d"
        },
        "role": {
          "id": "6832b2d3d5254ffa813c0bbf5b9c73f3"
        }
      }
    ],
    "links": {
      "next": null,
      "self": "http://192.168.122.156/identity/v3/role_assignments?role.id=06918d98646d4584b4188671f1cef645",
      "previous": null
    }
  }

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1858012/+subscriptions
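
The failure mode named in the commit message (a for loop over a list that is modified inside the loop, replaced by a list comprehension), shown as an added example. This is not keystone's code: the function names, the dictionary layout and the sample assignments are constructed for illustration.

```python
# Constructed sample data: system role assignments that use three roles.
SYSTEM_ASSIGNMENTS = [
    {"user_id": "u1", "role_id": "role-a", "scope": "system"},
    {"user_id": "u2", "role_id": "role-b", "scope": "system"},
    {"user_id": "u3", "role_id": "role-c", "scope": "system"},
    {"user_id": "u4", "role_id": "role-b", "scope": "system"},
    {"user_id": "u5", "role_id": "role-c", "scope": "system"},
]


def filter_by_role_buggy(assignments, role_id):
    """Hypothetical 'before': remove non-matching entries while iterating."""
    results = list(assignments)
    for assignment in results:
        if assignment["role_id"] != role_id:
            # remove() shifts every later item one slot left, but the loop's
            # internal index still advances, so the item that slid into the
            # current slot is never compared against role_id.
            results.remove(assignment)
    return results


def filter_by_role_fixed(assignments, role_id):
    """Hypothetical 'after': build a new list, never mutate during iteration."""
    return [a for a in assignments if a["role_id"] == role_id]


def leaked(results, role_id):
    """Regression check: entries of a filtered result with the wrong role."""
    return [a for a in results if a["role_id"] != role_id]


if __name__ == "__main__":
    for name, fn in (("buggy", filter_by_role_buggy),
                     ("fixed", filter_by_role_fixed)):
        out = fn(SYSTEM_ASSIGNMENTS, "role-a")
        print(name, [a["user_id"] for a in out],
              "leaked:", [a["user_id"] for a in leaked(out, "role-a")])
```

The leak only appears when non-matching entries sit next to each other, which is why a test fixture with a single system assignment, or with assignments that all share one role, passes against the buggy version.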

