global role should not be able to imply domain-specific role

Bug #1590578 reported by Guang Yee
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Mikhail Nikolaenko
Milestone: (not shown)

Bug Description

Global roles should only be able to imply other global roles; they should not be able to imply domain-specific roles. Domain-specific role visibility should be limited to its owning domain only.

To reproduce:

1. create a domain-specific role "foo_domain_role" in domain "foo".
2. create a global role "foo_admin".
3. PUT /v3/roles/<foo_admin_role_id>/implies/<foo_domain_role_id>
4. list the implied roles for "foo_admin" and you'll see the imply relationship

vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/45038d5e628b44c1857f33e839b06c77/implies | python -mjson.tool
{
    "role_inference": {
        "implies": [
            {
                "id": "306b6d6f97084df983a6f2fa30cf1163",
                "links": {
                    "self": "http://10.0.2.15/identity/v3/roles/306b6d6f97084df983a6f2fa30cf1163"
                },
                "name": "foo_domain_role"
            },
            {
                "id": "c256b7047f514515b3138d9efb594b21",
                "links": {
                    "self": "http://10.0.2.15/identity/v3/roles/c256b7047f514515b3138d9efb594b21"
                },
                "name": "bar_admin"
            }
        ],
        "prior_role": {
            "id": "45038d5e628b44c1857f33e839b06c77",
            "links": {
                "self": "http://10.0.2.15/identity/v3/roles/45038d5e628b44c1857f33e839b06c77"
            },
            "name": "foo_admin"
        }
    }
}
vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/45038d5e628b44c1857f33e839b06c77 | python -mjson.tool
{
    "role": {
        "domain_id": null,
        "id": "45038d5e628b44c1857f33e839b06c77",
        "links": {
            "self": "http://10.0.2.15/identity/v3/roles/45038d5e628b44c1857f33e839b06c77"
        },
        "name": "foo_admin"
    }
}
vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/306b6d6f97084df983a6f2fa30cf1163 | python -mjson.tool
{
    "role": {
        "domain_id": "0ba1cc88be31429d98866d101d1ed0ba",
        "id": "306b6d6f97084df983a6f2fa30cf1163",
        "links": {
            "self": "http://10.0.2.15/identity/v3/roles/306b6d6f97084df983a6f2fa30cf1163"
        },
        "name": "foo_domain_role"
    }
}

Changed in keystone:
status: New → Confirmed
Changed in keystone:
milestone: none → newton-3
importance: Undecided → Medium
Changed in keystone:
milestone: newton-3 → none
Steve Martinelli (stevemar) wrote :

I thought the point of having DSR and implied roles was that this exact scenario should be allowed. Since the domain-specific roles won't be in the token, this way they get roles when the implied roles are in the token? Or do I have this reversed?

Guang Yee (guang-yee) wrote :

Steve, I think you may have it reversed. DSR should be able to imply global roles, but not the other way around.

1. DSR should only be visible within its domain.
2. It's useless to have a global role imply a DSR, as a DSR does not appear in the token.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/364216

Changed in keystone:
assignee: nobody → Mikhail Nikolaenko (mnikolaenko)
status: Confirmed → In Progress
Changed in keystone:
milestone: none → newton-rc1
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/364216
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=305cb8a9e3d147fa06de4dce5edd535b7929291c
Submitter: Jenkins
Branch: master

commit 305cb8a9e3d147fa06de4dce5edd535b7929291c
Author: Mikhail Nikolaenko <email address hidden>
Date: Thu Sep 1 10:12:45 2016 +0000

    Block global roles implying domain specific roles

    Adds a check which prohibits a global role from implying a domain-specific role.

    Change-Id: Ibd478c45a3fe28b194226ad562ee198ba3eb1b7c
    Closes-Bug: #1590578
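The rule from the report (a global role must not imply a domain-specific role) and the creation-time check the commit message describes, as an added standalone example; this is not keystone's own code. It re-creates the role table and the role_inference document from the curl output above (bar_admin's domain_id is not shown on the page and is assumed global), and it also rejects a DSR implying a DSR of another domain, an assumption drawn from the "visible only within its domain" point rather than something the fix is stated to do.

```python
import json

# Constructed role table mirroring the values shown in the report's curl output.
# Assumption: bar_admin is global (its domain_id does not appear on the page).
ROLES = {
    "45038d5e628b44c1857f33e839b06c77": {"name": "foo_admin", "domain_id": None},
    "306b6d6f97084df983a6f2fa30cf1163": {"name": "foo_domain_role",
                                         "domain_id": "0ba1cc88be31429d98866d101d1ed0ba"},
    "c256b7047f514515b3138d9efb594b21": {"name": "bar_admin", "domain_id": None},
}

# Constructed copy of the role_inference document from the first curl call.
ROLE_INFERENCE = json.loads("""{"role_inference": {
  "prior_role": {"id": "45038d5e628b44c1857f33e839b06c77", "name": "foo_admin"},
  "implies": [{"id": "306b6d6f97084df983a6f2fa30cf1163", "name": "foo_domain_role"},
              {"id": "c256b7047f514515b3138d9efb594b21", "name": "bar_admin"}]}}""")


class InvalidImpliedRole(ValueError):
    """Raised when an implied-role rule would violate domain visibility."""


def is_global(role):
    # In the v3 role representation a global role has domain_id == null.
    return role.get("domain_id") is None


def validate_implication(prior_role, implied_role):
    """Creation-time check for PUT /v3/roles/{prior}/implies/{implied}.

    Global -> global and DSR -> global are allowed. Global -> DSR is rejected
    (the bug). DSR -> DSR across domains is rejected too (assumption: a DSR is
    only visible inside its owning domain).
    """
    if is_global(prior_role) and not is_global(implied_role):
        raise InvalidImpliedRole("global role %r cannot imply domain-specific role %r"
                                 % (prior_role["name"], implied_role["name"]))
    if (not is_global(prior_role) and not is_global(implied_role)
            and prior_role["domain_id"] != implied_role["domain_id"]):
        raise InvalidImpliedRole("domain-specific role %r cannot imply a role of another domain"
                                 % prior_role["name"])


def find_invalid_inferences(role_inference, roles_by_id):
    """Audit an existing role_inference document; return the offending implied ids."""
    inference = role_inference["role_inference"]
    prior = roles_by_id[inference["prior_role"]["id"]]
    invalid = []
    for implied in inference["implies"]:
        try:
            validate_implication(prior, roles_by_id[implied["id"]])
        except InvalidImpliedRole:
            invalid.append(implied["id"])
    return invalid
```

Running find_invalid_inferences over the report's data flags only foo_domain_role, which is the relationship the fix now refuses to create.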

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 10.0.0.0rc1

This issue was fixed in the openstack/keystone 10.0.0.0rc1 release candidate.
