
Allows to use application credentials through group membership

When role assignments are granted through groups, the user cannot use
the application credentials that were created. This change looks up
the membership by checking inherited and group assignments.

Conflicts:
    This change conflicts with newer branches because most of the
    logic in keystone/token/providers/common.py was refactored into
    keystone/models/token_model.py during the Rocky release. This
    refactor causes the stable/queens version to diverge from
    stable/rocky, stable/stein, and stable/train patches, although it
    is functionally equivalent to the approach used in later releases.

Change-Id: If1bf5bd785a494923303265797311d42018ba7af
Closes-Bug: #1773967
(cherry picked from commit 14b25bc5d1)
(cherry picked from commit 933ea511d1)
(cherry picked from commit cf83fc1056)
changes/96/694096/1
Jose Castro Leon Lance Bragstad 11 months ago
parent
commit
578be15629
3 changed files with 51 additions and 9 deletions
  1. +32
    -0
      keystone/tests/unit/test_v3_auth.py
  2. +10
    -9
      keystone/token/providers/common.py
  3. +9
    -0
      releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml

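--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@@ -5632,6 +5632,38 @@ class ApplicationCredentialAuth(test_v3.RestfulTestCase):
 app_cred_id=app_cred_ref['id'], secret=app_cred_ref['secret'])
 self.v3_create_token(auth_data, expected_status=http_client.NOT_FOUND)
 
+def test_application_credential_through_group_membership(self):
+user1 = unit.create_user(
+PROVIDERS.identity_api, domain_id=self.domain_id
+)
+
+group1 = unit.new_group_ref(domain_id=self.domain_id)
+group1 = PROVIDERS.identity_api.create_group(group1)
+
+PROVIDERS.identity_api.add_user_to_group(
+user1['id'], group1['id']
+)
+PROVIDERS.assignment_api.create_grant(
+self.role_id, group_id=group1['id'], project_id=self.project_id
+)
+
+app_cred = {
+'id': uuid.uuid4().hex,
+'name': uuid.uuid4().hex,
+'secret': uuid.uuid4().hex,
+'user_id': user1['id'],
+'project_id': self.project_id,
+'description': uuid.uuid4().hex,
+'roles': [{'id': self.role_id}]
+}
+
+app_cred_ref = self.app_cred_api.create_application_credential(
+app_cred)
+
+auth_data = self.build_authentication_request(
+app_cred_id=app_cred_ref['id'], secret=app_cred_ref['secret'])
+self.v3_create_token(auth_data, expected_status=http_client.CREATED)
+
 def test_application_credential_cannot_scope(self):
 app_cred = self._make_app_cred()
 app_cred_ref = self.app_cred_api.create_application_credential(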
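Review bot: The new test only asserts the `CREATED` status on its last line and never inspects the returned token, so it would not notice if the group-derived role were missing from the token body or if extra roles were issued alongside it. Capturing the response, e.g. `r = self.v3_create_token(auth_data, expected_status=http_client.CREATED)`, and asserting that the token's roles contain `self.role_id` and nothing else would pin down the behaviour the commit is fixing. A sibling test that removes `user1` from `group1` after the credential is created and checks how the issued token (or the authentication outcome) changes would also exercise the path the membership lookup is meant to gate; I am inferring that path from the companion hunk in common.py, so worth confirming against it.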


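--- a/keystone/token/providers/common.py
+++ b/keystone/token/providers/common.py
@@ -195,16 +195,17 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):
 def _get_app_cred_roles(self, app_cred, user_id, domain_id, project_id):
 roles = app_cred['roles']
 token_roles = []
+assignment_list = PROVIDERS.assignment_api.list_role_assignments(
+user_id=user_id, project_id=project_id, domain_id=domain_id,
+effective=True
+)
+user_roles = list(set([x['role_id'] for x in assignment_list]))
+
 for role in roles:
-try:
-role_ref = PROVIDERS.assignment_api.get_grant(
-role['id'], user_id=user_id, domain_id=domain_id,
-project_id=project_id)
-token_roles.append(role_ref)
-except exception.RoleAssignmentNotFound:
-pass
-return [
-PROVIDERS.role_api.get_role(role['id']) for role in token_roles]
+if role['id'] in user_roles:
+token_roles.append({'id': role['id'], 'name': role['name']})
+
+return roles
 
 def populate_roles_for_federated_user(self, token_data, group_ids,
 project_id=None, domain_id=None,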
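Review bot: `return roles` at the end of `_get_app_cred_roles` hands back the role list stored on the application credential unfiltered, while `token_roles`, the list the new membership check populates, is never returned. If I read the rendered hunk right, the effective-assignment lookup therefore has no effect on the issued token: a role still recorded on the credential would be issued even after the user's group or direct assignment carrying it was removed, which is a regression from the removed `get_grant` filtering. The intended line is presumably `return token_roles`, and a test that revokes the grant after creating the credential and then inspects the token's roles would catch the difference. Separately, the removed code returned full `role_api.get_role` refs whereas the new code returns the `{'id', 'name'}` dicts stored on the credential, so any caller relying on other role fields or on the current role name is worth confirming.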


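--- a/releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml
+++ b/releasenotes/notes/bug-1773967-b59517a09e0e6141.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+- |
+[`bug 1773967 <https://bugs.launchpad.net/keystone/+bug/1773967>`_]
+Fixes an issue where users who had role assignments only via a group
+membership and not via direct assignment could create but not use
+application credentials. It is important to note that federated users who
+only have role assignments via a mapped group membership still cannot
+create application credentials.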
