Reviewed: https://review.openstack.org/596356
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6d7cfdb4ba5b8ce81d656dd22316505af6d382b8
Submitter: Zuul
Branch: master

commit 6d7cfdb4ba5b8ce81d656dd22316505af6d382b8
Author: Lance Bragstad <[email protected]>
Date: Fri Aug 24 13:56:37 2018 +0000

    Add test case for expanding implied roles in system tokens

    If a user has a role assignment on the system, which implies another
    role assignment, the system-scoped token response should include both
    role assignments. This patch exposes a bug in the system-scoped token
    implementation where implied roles aren't expanded out before
    returning the token response to the user.

    Change-Id: I176bbbda9658a54f6873a4009938f140a5b1a33e
    Related-Bug: 1788694

** Changed in: keystone
   Status: In Progress => Fix Released

--
https://bugs.launchpad.net/bugs/1788694

Title:
  System scoped tokens don't expand role assignments

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  In Rocky, keystone added support for two additional roles, one called
  'reader' and the other called 'member'. These are in addition to the
  'admin' role that has been supported for some time. Since there is now
  more than one officially supported role, it was decided to imply
  relationships between them. The 'admin' role implies 'member' which
  implies 'reader'. This means users with a 'member' role assignment on a
  target get the 'reader' role implied. Users with the 'admin' role
  assignment on a target get the 'member' and 'reader' roles implied.
  This helps simplify assignment structure.

  This information should be relayed in token response bodies and appears
  to be the case for project-scoped tokens [0]. System scoped tokens
  however are lacking the expanded role assignments via implied roles in
  the response body [1].

  To recreate:

  - authenticate for a project-scoped token as a user with at least the
    member role on a project
  - observe that the token response body contains both 'member' and
    'reader'
  - authenticate for a system-scoped token as a user with 'member' or
    'admin' role on the system
  - observe that the token response body only contains a single role
    instead of all implied roles

  [0] http://paste.openstack.org/show/728709/
  [1] http://paste.openstack.org/show/728708/
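The implication chain the report describes (admin implies member, member implies reader), as an added example that is not keystone's own code: a small Python model of implied-role expansion with a switch that reproduces the reported system-scope behaviour, so a token's role list can be compared against the set an authorization check should actually see. The role names are the ones in the report; the scope keys, project id and function names are assumptions.

```python
from collections import deque

# Constructed role-implication graph matching the Rocky defaults the bug
# report describes: admin implies member, member implies reader.
IMPLIED_ROLES = {
    "admin": {"member"},
    "member": {"reader"},
}


def expand_implied_roles(direct_roles, implied=IMPLIED_ROLES):
    """Return the direct roles plus every role they transitively imply.

    Breadth-first walk over the implication graph; the 'seen' set guards
    against cycles so a mis-configured implication chain cannot loop.
    """
    seen = set(direct_roles)
    queue = deque(direct_roles)
    while queue:
        role = queue.popleft()
        for implied_role in implied.get(role, ()):
            if implied_role not in seen:
                seen.add(implied_role)
                queue.append(implied_role)
    return seen


def token_roles(assignments, scope, expand_system=True):
    """Roles a token for the given scope should carry.

    `assignments` is a constructed {scope_key: set(direct_roles)} table
    with scope keys like ('project', <id>) or ('system', 'all'). Passing
    expand_system=False reproduces the reported behaviour, where only
    project-scoped tokens had their implied roles expanded.
    """
    direct = assignments.get(scope, set())
    if scope[0] == "system" and not expand_system:
        return set(direct)
    return expand_implied_roles(direct)


# Constructed sample assignments for one user (hypothetical project id).
ASSIGNMENTS = {
    ("project", "proj-1"): {"member"},
    ("system", "all"): {"admin"},
}

if __name__ == "__main__":
    print(sorted(token_roles(ASSIGNMENTS, ("project", "proj-1"))))
    print(sorted(token_roles(ASSIGNMENTS, ("system", "all"), expand_system=False)))
    print(sorted(token_roles(ASSIGNMENTS, ("system", "all"))))
```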

