yahoo-eng-team team mailing list archive
Message #81433
[Bug 1858012] Re: List role assignments by role ID may leak extra system assignments outside of filter
Reviewed: https://review.opendev.org/700826
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c2d88306621f890a857acd6831ea8bf073f55537
Submitter: Zuul
Branch: master
commit c2d88306621f890a857acd6831ea8bf073f55537
Author: Colleen Murphy <colleen.murphy@xxxxxxxx>
Date: Tue Dec 31 16:22:34 2019 -0800

    Fix role_assignments role.id filter

    Without this patch, if there are multiple role assignments on the system
    and they are not all the same role, querying for role assignments with
    /v3/role_assignments?role.id={role_id} may leak some role assignments
    that don't match the role_id, making the returned results incorrect.
    This patch fixes the issue by using a list comprehension instead of a
    for loop over a list that was being modified within the loop.

    Change-Id: Icfce3b14abb55c6fef3de1b314cee22fc8b1d08c
    Closes-bug: #1858012
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1858012
Title:
List role assignments by role ID may leak extra system assignments
outside of filter
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
If there are multiple role assignments on the system and some of the
assignments use different roles, it's possible for the
/v3/role_assignments?role.id={role_id} query to include some system
role assignments that don't match the role ID. For example:
> curl -H "x-auth-token: $token" http://192.168.122.156/identity/v3/role_assignments?role.id=06918d98646d4584b4188671f1cef645 | jq .
{
  "role_assignments": [
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/domains/default/users/3cb997afc0ee40048bb7bdfa3ecac0e4/roles/06918d98646d4584b4188671f1cef645"
      },
      "scope": {
        "domain": {
          "id": "default"
        }
      },
      "user": {
        "id": "3cb997afc0ee40048bb7bdfa3ecac0e4"
      },
      "role": {
        "id": "06918d98646d4584b4188671f1cef645"
      }
    },
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/system/users/3cb997afc0ee40048bb7bdfa3ecac0e4/roles/06918d98646d4584b4188671f1cef645"
      },
      "scope": {
        "system": {
          "all": true
        }
      },
      "user": {
        "id": "3cb997afc0ee40048bb7bdfa3ecac0e4"
      },
      "role": {
        "id": "06918d98646d4584b4188671f1cef645"
      }
    },
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/system/users/5ee04ef91dc34c2b84ea42b8ff3ef0e2/roles/eefef753f4734dd78a4ffcc574f5f506"
      },
      "scope": {
        "system": {
          "all": true
        }
      },
      "user": {
        "id": "5ee04ef91dc34c2b84ea42b8ff3ef0e2"
      },
      "role": {
        "id": "eefef753f4734dd78a4ffcc574f5f506"
      }
    },
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/system/users/ac265ddf2d0449d5aed59f38904b4a8d/roles/6832b2d3d5254ffa813c0bbf5b9c73f3"
      },
      "scope": {
        "system": {
          "all": true
        }
      },
      "user": {
        "id": "ac265ddf2d0449d5aed59f38904b4a8d"
      },
      "role": {
        "id": "6832b2d3d5254ffa813c0bbf5b9c73f3"
      }
    }
  ],
  "links": {
    "next": null,
    "self": "http://192.168.122.156/identity/v3/role_assignments?role.id=06918d98646d4584b4188671f1cef645",
    "previous": null
  }
}
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1858012/+subscriptions
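
The commit message above attributes the leak to a for loop over a list that was modified inside the loop. The following Python sketch is an added illustration, not keystone's code: it reproduces that pattern on constructed system assignments (made-up IDs, hypothetical function names) beside the list-comprehension form, with a check that a role.id-filtered result holds only the requested role.

```python
# Added illustration of the bug class named in the commit message; not keystone's code.
# Constructed sample: system role assignments in the response shape shown in the
# bug description, with shortened, made-up IDs.
def _assignment(user_id, role_id):
    return {"scope": {"system": {"all": True}},
            "user": {"id": user_id}, "role": {"id": role_id}}

SYSTEM_ASSIGNMENTS = [
    _assignment("user-1", "role-a"),
    _assignment("user-2", "role-b"),
    _assignment("user-3", "role-c"),
    _assignment("user-4", "role-c"),
    _assignment("user-5", "role-b"),
]

def filter_by_role_buggy(assignments, role_id):
    """Drop non-matching entries by removing from the list being iterated."""
    results = list(assignments)
    for assignment in results:
        if assignment["role"]["id"] != role_id:
            # remove() shifts later entries left, so the iterator's next step
            # skips the entry that slid into the current index.
            results.remove(assignment)
    return results

def filter_by_role_fixed(assignments, role_id):
    """Build a new list instead of mutating the one being iterated."""
    return [a for a in assignments if a["role"]["id"] == role_id]

def mismatched(assignments, role_id):
    """Regression check: entries a role.id-filtered result must not contain."""
    return [a for a in assignments if a["role"]["id"] != role_id]

if __name__ == "__main__":
    for fn in (filter_by_role_buggy, filter_by_role_fixed):
        out = fn(SYSTEM_ASSIGNMENTS, "role-a")
        leaked = [(a["user"]["id"], a["role"]["id"])
                  for a in mismatched(out, "role-a")]
        print(f"{fn.__name__}: {len(out)} returned, leaked={leaked}")
```

The same `mismatched` check can be applied to the `role_assignments` array of a real filtered response as a regression test after upgrading.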