Role assignment list for subtree is only project scoped

Bug #1844461 reported by Colleen Murphy
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Colleen Murphy

Bug Description

The identity:list_role_assignment_for_subtree is limited to the 'project' scope type, but this means that system readers and domain readers can't list role assignments for the subtree of a project they would otherwise have access to. Since the project ID is specified as a query parameter and is not taken directly from the token context, it makes sense to allow system readers and domain readers to make this query.

Project members and readers should still be forbidden from getting role assignment information on their own project or its subprojects, but project admins should remain allowed to get this information.
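The distinction the report draws (the target project comes from the `scope.project.id` query parameter, not from the token, so the token's scope type alone should not decide the request) can be made concrete with a small model of the two policy defaults. The following is an added example, not keystone's own policy code or oslo.policy; the `Token`, `Project`, `old_policy` and `new_policy` names, the sample projects and tokens, and the implied-role hierarchy (admin implies member implies reader) are constructed assumptions that follow the behaviour described above.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Assumed implied-role hierarchy: admin implies member implies reader.
READER_LEVEL = frozenset({'reader', 'member', 'admin'})
ADMIN_LEVEL = frozenset({'admin'})


@dataclass(frozen=True)
class Token:
    """Scope and roles carried by the caller's token (constructed model)."""
    scope: str                # 'system', 'domain' or 'project'
    scope_id: Optional[str]   # domain id or project id; None for system scope
    roles: frozenset


@dataclass(frozen=True)
class Project:
    """The project named by the ?scope.project.id= query parameter."""
    id: str
    domain_id: str


# Constructed sample projects in two different domains.
PROJECTS = {
    'p-a': Project('p-a', 'd-1'),
    'p-b': Project('p-b', 'd-2'),
}


def target_from_query(query: str) -> Project:
    """The target is taken from the request's query string, not from the
    token; a KeyError here models a missing or unknown project id."""
    params = parse_qs(query)
    project_id = params['scope.project.id'][0]
    return PROJECTS[project_id]


def old_policy(token: Token, target: Project) -> bool:
    """Pre-fix default as the report describes it: only project-scoped
    tokens pass the scope_types check, and the admin role is required on
    the target project. System and domain tokens are rejected outright."""
    if token.scope != 'project':
        return False
    return bool(token.roles & ADMIN_LEVEL) and token.scope_id == target.id


def new_policy(token: Token, target: Project) -> bool:
    """Post-fix default as the report describes it: system readers, domain
    readers for projects in their own domain, or admins on the target
    project itself. Project members and readers stay forbidden."""
    if token.scope == 'system':
        return bool(token.roles & READER_LEVEL)
    if token.scope == 'domain':
        return (bool(token.roles & READER_LEVEL)
                and token.scope_id == target.domain_id)
    if token.scope == 'project':
        return bool(token.roles & ADMIN_LEVEL) and token.scope_id == target.id
    return False


def decide(token: Token, query: str) -> Tuple[bool, bool]:
    """Return (old decision, new decision) for one request."""
    target = target_from_query(query)
    return old_policy(token, target), new_policy(token, target)


# Constructed sample callers.
SYSTEM_READER = Token('system', None, frozenset({'reader'}))
DOMAIN1_READER = Token('domain', 'd-1', frozenset({'reader'}))
DOMAIN2_READER = Token('domain', 'd-2', frozenset({'reader'}))
PA_ADMIN = Token('project', 'p-a', frozenset({'admin'}))
PA_MEMBER = Token('project', 'p-a', frozenset({'member'}))
PB_ADMIN = Token('project', 'p-b', frozenset({'admin'}))

if __name__ == '__main__':
    query = 'scope.project.id=p-a&include_subtree=true'
    callers = [('system reader', SYSTEM_READER), ('d-1 reader', DOMAIN1_READER),
               ('d-2 reader', DOMAIN2_READER), ('p-a admin', PA_ADMIN),
               ('p-a member', PA_MEMBER), ('p-b admin', PB_ADMIN)]
    for name, tok in callers:
        old, new = decide(tok, query)
        print(f'{name:14} old={old!s:5} new={new!s:5}')
```

Running the block lists each caller against the same `GET /v3/role_assignments?scope.project.id=p-a&include_subtree=true` request: the system reader and the d-1 domain reader move from forbidden to allowed, while the p-a member and the admin of an unrelated project stay forbidden under both defaults, which is the outcome the description asks for.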

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/682762

Changed in keystone:
assignee: nobody → Colleen Murphy (krinkle)
status: Triaged → In Progress
Changed in keystone:
assignee: Colleen Murphy (krinkle) → Morgan Fainberg (mdrnstm)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/682762
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=05ea390c67da8056bd0cb4445f4f030d8181aaf6
Submitter: Zuul
Branch: master

commit 05ea390c67da8056bd0cb4445f4f030d8181aaf6
Author: Colleen Murphy <email address hidden>
Date: Tue Sep 17 15:47:35 2019 -0700

    Allow system/domain scope for assignment tree list

    The comment regarding the scope_types setting for
    identity:list_role_assignments_for_tree was incorrect: the project ID
    for this request comes from a query parameter, not the token context,
    and therefore it makes sense to allow system users and domain users to
    call this API to get information about a project they have access to.
    This change updates the default policy for this API and adds tests for
    it.

    For project scope, the admin role is still required, as project members
    and project readers are typically not allowed rights to view the project
    hierarchy.

    Change-Id: If246298092940884a7b90e47cc9ce2f30da3e9e5
    Closes-bug: #1844461

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 16.0.0.0rc1

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.

Colleen Murphy (krinkle)
Changed in keystone:
assignee: Morgan Fainberg (mdrnstm) → Colleen Murphy (krinkle)