Reviewed:  https://review.opendev.org/700826
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c2d88306621f890a857acd6831ea8bf073f55537
Submitter: Zuul
Branch:    master

commit c2d88306621f890a857acd6831ea8bf073f55537
Author: Colleen Murphy <[email protected]>
Date:   Tue Dec 31 16:22:34 2019 -0800

    Fix role_assignments role.id filter

    Without this patch, if there are multiple role assignments on the
    system and they are not all the same role, querying for role
    assignments with /v3/role_assignments?role.id={role_id} may leak some
    role assignments that don't match the role_id, making the returned
    results incorrect.

    This patch fixes the issue by using a list comprehension instead of
    a for loop over a list that was being modified within the loop.

    Change-Id: Icfce3b14abb55c6fef3de1b314cee22fc8b1d08c
    Closes-bug: #1858012

** Changed in: keystone
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1858012

Title:
List role assignments by role ID may leak extra system assignments outside of filter

Status in OpenStack Identity (keystone):
Fix Released

Bug description:
If there are multiple role assignments on the system and some of the
assignments use different roles, it's possible for the
/v3/role_assignments?role.id={role_id} query to include some system
role assignments that don't match the role ID.

For example:

> curl -H "x-auth-token: $token" http://192.168.122.156/identity/v3/role_assignments?role.id=06918d98646d4584b4188671f1cef645 | jq .
{
  "role_assignments": [
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/domains/default/users/3cb997afc0ee40048bb7bdfa3ecac0e4/roles/06918d98646d4584b4188671f1cef645"
      },
      "scope": {
        "domain": {
          "id": "default"
        }
      },
      "user": {
        "id": "3cb997afc0ee40048bb7bdfa3ecac0e4"
      },
      "role": {
        "id": "06918d98646d4584b4188671f1cef645"
      }
    },
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/system/users/3cb997afc0ee40048bb7bdfa3ecac0e4/roles/06918d98646d4584b4188671f1cef645"
      },
      "scope": {
        "system": {
          "all": true
        }
      },
      "user": {
        "id": "3cb997afc0ee40048bb7bdfa3ecac0e4"
      },
      "role": {
        "id": "06918d98646d4584b4188671f1cef645"
      }
    },
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/system/users/5ee04ef91dc34c2b84ea42b8ff3ef0e2/roles/eefef753f4734dd78a4ffcc574f5f506"
      },
      "scope": {
        "system": {
          "all": true
        }
      },
      "user": {
        "id": "5ee04ef91dc34c2b84ea42b8ff3ef0e2"
      },
      "role": {
        "id": "eefef753f4734dd78a4ffcc574f5f506"
      }
    },
    {
      "links": {
        "assignment": "http://192.168.122.156/identity/v3/system/users/ac265ddf2d0449d5aed59f38904b4a8d/roles/6832b2d3d5254ffa813c0bbf5b9c73f3"
      },
      "scope": {
        "system": {
          "all": true
        }
      },
      "user": {
        "id": "ac265ddf2d0449d5aed59f38904b4a8d"
      },
      "role": {
        "id": "6832b2d3d5254ffa813c0bbf5b9c73f3"
      }
    }
  ],
  "links": {
    "next": null,
    "self": "http://192.168.122.156/identity/v3/role_assignments?role.id=06918d98646d4584b4188671f1cef645",
    "previous": null
  }
}
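
The failure mode the commit message describes (removing items from a list inside a for loop over that same list), shown as an added Python example that is not keystone's code. The function names and the user and role IDs are constructed for illustration; leaked() is a check that can be run over any role.id-filtered result.

```python
# Added illustration of the bug class; not keystone's code.
# All function names and IDs below are constructed.

def sample():
    # Constructed system role assignments, shaped like the API output.
    pairs = [("user-a", "role-admin"), ("user-b", "role-reader"),
             ("user-c", "role-member"), ("user-d", "role-admin"),
             ("user-e", "role-reader")]
    return [{"scope": {"system": {"all": True}},
             "user": {"id": u}, "role": {"id": r}} for u, r in pairs]


def filter_buggy(assignments, role_id):
    # Removing from the list being iterated shifts later items left, so
    # the item that follows each removed one is never examined.
    for a in assignments:
        if a["role"]["id"] != role_id:
            assignments.remove(a)
    return assignments


def filter_fixed(assignments, role_id):
    # A list comprehension builds a new list and never mutates its input.
    return [a for a in assignments if a["role"]["id"] == role_id]


def leaked(assignments, role_id):
    # Regression check: entries that violate the role.id filter.
    return [a for a in assignments if a["role"]["id"] != role_id]


if __name__ == "__main__":
    wanted = "role-member"
    for name, fn in (("buggy", filter_buggy), ("fixed", filter_fixed)):
        result = fn(sample(), wanted)
        print(name, [(a["user"]["id"], a["role"]["id"]) for a in result],
              "leaked:", len(leaked(result, wanted)))
```

With this input the buggy loop keeps user-b and user-e even though neither holds the requested role, because each sits directly after a removed entry.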

