Mirantis OpenStack

Keystone ignores role_allow_update parameter for LDAP

Bug #1373256 reported by Dmitry Ukov on 2014-09-24

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Mirantis OpenStack	Invalid	Medium	MOS Keystone	Mirantis OpenStack 7.0
5.0.x	Won't Fix	Medium	MOS Keystone	Mirantis OpenStack 5.0-updates
5.1.x	Won't Fix	Medium	MOS Keystone	Mirantis OpenStack 5.1.1
6.0.x	Won't Fix	Medium	MOS Keystone	Mirantis OpenStack 6.0-updates
6.1.x	Won't Fix	Medium	MOS Keystone	Mirantis OpenStack 6.1
7.0.x	Invalid	Medium	MOS Keystone	Mirantis OpenStack 7.0

Bug Description

Keystone is configured to use LDAP as backend. Option role_allow_update is set to "False". User to authenticate against LDAP has access to modify objects. Execute 'keystone user-role-add' and result will be successful (HTTP 200 or HTTP 201). User will be added in appropriate group in LDAP

Tags:

Dmitry Ukov (dukov) on 2014-09-24

summary:

- Keystone ignores role_allow_update parameter for lDAP
+ Keystone ignores role_allow_update parameter for LDAP

Revision history for this message

Dmitry Mescheryakov (dmitrymex) wrote on 2014-09-24:

Dmitry, please specify which version of MOS do you use. Preferably get output of http://<fuel-master-node>/api/version

Changed in mos:
status:	New → Incomplete

Revision history for this message

Dmitry Ukov (dukov) wrote on 2014-09-24:

We are using custom fuel
{"build_id": "2014-09-22_13-27-00",
"ostf_sha": "30e1befe8d7a8049472798010943052d31a3e8ed",
"build_number": "36",
"auth_required": true,
"api": "1.0",
"nailgun_sha": "99413a747dfc7fcc7001df82994e2848b9d882de",
"production": "docker",
"fuelmain_sha": "54a239adfab7c719941035b31999561f29bf15d5",
"astute_sha": "e18863d2dc0a982df541eed9ef20bd7b412fabc1",
"feature_groups": ["experimental"],
"release": "5.1",
"fuellib_sha": "7bbf9631e7683a2d50c3b60933eff852646d87ff"}

Keystone has been built from branch
openstack-ci/fuel-5.1/2014.1.1

Dmitry Mescheryakov (dmitrymex) on 2014-09-24

Changed in mos:
status:	Incomplete → Confirmed
importance:	Undecided → Medium
assignee:	nobody → MOS Keystone (mos-keystone)
tags:	added: keystone

Dmitry Mescheryakov (dmitrymex) on 2014-12-23

Changed in mos:
status:	Confirmed → Won't Fix

Dmitry Mescheryakov (dmitrymex) on 2015-04-13

Changed in mos:
milestone:	6.0.1 → 7.0

Revision history for this message

Alexander Makarov (amakarov) wrote on 2015-04-13:

role_allow_update is related to updating the role itself and not to assignment manipulation.
If the case is to restrict assignments in ldap backend it can be done using LDAP backend configuration.

Revision history for this message

Alexander Makarov (amakarov) wrote on 2015-04-13:

The question was answered in the aks.openstack.org thread: https://ask.openstack.org/en/question/6265/keystone-ldap-configuration/?answer=38251#post-id-38251

Dmitry Borodaenko (angdraug) on 2015-10-09

Changed in mos:
status:	Triaged → Invalid

Vitaly Sedelnik (vsedelnik) on 2016-03-10

tags:

added: wontfix-low

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.