** Changed in: oslo.policy
       Status: Fix Committed => Fix Released

** Changed in: oslo.policy
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1529721

Title:
  Attempting a RoleCheck when the credentials do not contain a roles
  list causes an exception

Status in OpenStack Identity (keystone):
  Invalid
Status in oslo.policy:
  Fix Released

Bug description:
  How to reproduce this bug using keystone :

  1) Retrieve an unscoped token for any valid account.

  2) Using curl - invoke list_user_projects for the SAME user from step
  1 using the token from step 1, and observe that this works as
  expected.

  3) Alter the in-use policy file by inserting "role:service or " at the
  beginning of the rule for list_user_projects:
  <     "identity:list_user_projects": "role:service or rule:admin_or_owner",
  ---
  >     "identity:list_user_projects": "rule:admin_or_owner",
  Note that the addition of this 'or' clause should not be able to
  logically cause any additional denials.

  4) Try the identical curl command from step 2 again, and observe that
  it now fails with 403 Forbidden.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1529721/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
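The four reproduction steps above, as an added worked model that is not oslo.policy's or keystone's own code. The check classes, the policy fragment (shaped like keystone's policy.json), and the credentials are constructed here; the pre-fix RoleCheck indexing `creds['roles']` directly, and the `except KeyError` in `Enforcer.enforce` that turns an unknown rule name into a denial, are assumptions about the library's behaviour made to show how a missing roles list can surface as a 403 rather than a 500:

```python
"""Minimal model of oslo.policy-style rule evaluation (added illustration, not
oslo.policy's or keystone's own code) showing why prepending "role:service or "
to a rule denied an unscoped-token request that the bare rule allowed."""


class RoleCheckUnsafe:
    """role:<name> as assumed to behave before the fix: it indexes
    creds['roles'] directly, so credentials without a roles list (such as
    those derived from an unscoped token) raise KeyError."""

    def __init__(self, match):
        self.match = match

    def __call__(self, target, creds, enforcer):
        return self.match.lower() in [r.lower() for r in creds['roles']]


class RoleCheckSafe(RoleCheckUnsafe):
    """role:<name> that treats a missing roles list as 'no roles held'."""

    def __call__(self, target, creds, enforcer):
        return self.match.lower() in [r.lower() for r in creds.get('roles', [])]


class GenericCheck:
    """<key>:<value>; the value may reference the target, e.g. user_id:%(user_id)s."""

    def __init__(self, kind, match):
        self.kind, self.match = kind, match

    def __call__(self, target, creds, enforcer):
        try:
            want = self.match % target      # expand %(field)s from the target dict
        except KeyError:
            return False                    # target lacks the referenced field
        return self.kind in creds and str(creds[self.kind]) == str(want)


class RuleCheck:
    """rule:<name>: evaluate another named rule; an unknown name fails closed.
    The except clause also swallows a KeyError raised *inside* that rule."""

    def __init__(self, match):
        self.match = match

    def __call__(self, target, creds, enforcer):
        try:
            return enforcer.rules[self.match](target, creds, enforcer)
        except KeyError:
            return False


class OrCheck:
    """'a or b': evaluated left to right, short-circuits on the first True.
    An exception from any branch aborts the whole disjunction."""

    def __init__(self, checks):
        self.checks = checks

    def __call__(self, target, creds, enforcer):
        return any(check(target, creds, enforcer) for check in self.checks)


def parse_rule(text, role_cls):
    """Parse a flat 'x:y or z:w' rule string (no parentheses, 'and' or 'not')."""
    checks = []
    for part in (p.strip() for p in text.split(' or ')):
        kind, _, match = part.partition(':')
        if kind == 'role':
            checks.append(role_cls(match))
        elif kind == 'rule':
            checks.append(RuleCheck(match))
        else:
            checks.append(GenericCheck(kind, match))
    return checks[0] if len(checks) == 1 else OrCheck(checks)


class Enforcer:
    def __init__(self, policy, role_cls):
        self.rules = {name: parse_rule(text, role_cls) for name, text in policy.items()}

    def enforce(self, rule, target, creds):
        try:
            return bool(self.rules[rule](target, creds, self))
        except KeyError:
            # Assumed behaviour: fail closed when the rule name is unknown. The
            # same handler catches a KeyError leaking out of a top-level check,
            # so a missing 'roles' key becomes a plain denial (403), not a crash.
            return False


# Constructed policy fragment in the shape of keystone's policy.json.
BASE_POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "identity:list_user_projects": "rule:admin_or_owner",
}
# Step 3 of the report: the same rule with "role:service or " prepended.
PATCHED_POLICY = {**BASE_POLICY,
                  "identity:list_user_projects": "role:service or rule:admin_or_owner"}

# Constructed credentials for an unscoped token: user identity, no roles list.
UNSCOPED_CREDS = {"user_id": "u1", "project_id": None}
OWN_PROJECTS = {"user_id": "u1"}   # target: the same user as in step 1


def list_user_projects_allowed(policy, role_cls, creds=UNSCOPED_CREDS, target=OWN_PROJECTS):
    """Does 'identity:list_user_projects' pass for these credentials and target?"""
    return Enforcer(policy, role_cls).enforce("identity:list_user_projects", target, creds)


if __name__ == "__main__":
    cases = [("step 2, original rule", BASE_POLICY, RoleCheckUnsafe),
             ("step 4, 'role:service or' prepended", PATCHED_POLICY, RoleCheckUnsafe),
             ("same rule, RoleCheck tolerant of a missing roles list", PATCHED_POLICY, RoleCheckSafe)]
    for label, policy, cls in cases:
        verdict = "allowed" if list_user_projects_allowed(policy, cls) else "403 Forbidden"
        print(f"{label}: {verdict}")
```

In this model the original rule passes even with the unsafe RoleCheck because the `role:admin` check sits inside `rule:admin_required`, whose RuleCheck swallows the KeyError before the `rule:owner` branch is tried; only when `role:service` is placed first at the top level does the exception escape the OrCheck and reach the enforcer's fail-closed handler. Writing the rule as `rule:admin_or_owner or role:service` would pass here too, since the owner branch short-circuits before the role check runs, which is why the ordering in step 3 matters for reproduction.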
