Allows to use application credentials through group membership
When using role assignment through groups, the user cannot use the application credentials created. This allows looking up the membership by checking inherited and group assignments. Conflicts: This change conflicts with newer branches because most of the logic in keystone/token/providers/common.py was refactored into keystone/models/token_model.py during the Rocky release. This refactor causes the stable/queens version to diverge from the stable/rocky, stable/stein, and stable/train patches, although it is functionally equivalent to the approach used in later releases. Change-Id: If1bf5bd785a494923303265797311d42018ba7af Closes-Bug: #1773967 (cherry picked from commit 14b25bc5d1) (cherry picked from commit 933ea511d1) (cherry picked from commit cf83fc1056)
parent
e8b04cc426
commit
578be15629
|
@ -5632,6 +5632,38 @@ class ApplicationCredentialAuth(test_v3.RestfulTestCase):
|
||||||
app_cred_id=app_cred_ref['id'], secret=app_cred_ref['secret'])
|
app_cred_id=app_cred_ref['id'], secret=app_cred_ref['secret'])
|
||||||
self.v3_create_token(auth_data, expected_status=http_client.NOT_FOUND)
|
self.v3_create_token(auth_data, expected_status=http_client.NOT_FOUND)
|
||||||
|
|
||||||
|
def test_application_credential_through_group_membership(self):
|
||||||
|
user1 = unit.create_user(
|
||||||
|
PROVIDERS.identity_api, domain_id=self.domain_id
|
||||||
|
)
|
||||||
|
|
||||||
|
group1 = unit.new_group_ref(domain_id=self.domain_id)
|
||||||
|
group1 = PROVIDERS.identity_api.create_group(group1)
|
||||||
|
|
||||||
|
PROVIDERS.identity_api.add_user_to_group(
|
||||||
|
user1['id'], group1['id']
|
||||||
|
)
|
||||||
|
PROVIDERS.assignment_api.create_grant(
|
||||||
|
self.role_id, group_id=group1['id'], project_id=self.project_id
|
||||||
|
)
|
||||||
|
|
||||||
|
app_cred = {
|
||||||
|
'id': uuid.uuid4().hex,
|
||||||
|
'name': uuid.uuid4().hex,
|
||||||
|
'secret': uuid.uuid4().hex,
|
||||||
|
'user_id': user1['id'],
|
||||||
|
'project_id': self.project_id,
|
||||||
|
'description': uuid.uuid4().hex,
|
||||||
|
'roles': [{'id': self.role_id}]
|
||||||
|
}
|
||||||
|
|
||||||
|
app_cred_ref = self.app_cred_api.create_application_credential(
|
||||||
|
app_cred)
|
||||||
|
|
||||||
|
auth_data = self.build_authentication_request(
|
||||||
|
app_cred_id=app_cred_ref['id'], secret=app_cred_ref['secret'])
|
||||||
|
self.v3_create_token(auth_data, expected_status=http_client.CREATED)
|
||||||
|
|
||||||
def test_application_credential_cannot_scope(self):
|
def test_application_credential_cannot_scope(self):
|
||||||
app_cred = self._make_app_cred()
|
app_cred = self._make_app_cred()
|
||||||
app_cred_ref = self.app_cred_api.create_application_credential(
|
app_cred_ref = self.app_cred_api.create_application_credential(
|
||||||
|
|
|
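Review bot: test_application_credential_through_group_membership only checks that a token is issued (the `expected_status=http_client.CREATED` line at the end of the added block) and never inspects the roles the token carries, so a regression that issues a token with no roles to a group-only user would still pass. Capture the response and assert the group-granted role is present: `r = self.v3_create_token(auth_data, expected_status=http_client.CREATED)`, `self.assertValidProjectScopedTokenResponse(r)`, `self.assertIn(self.role_id, [role['id'] for role in r.result['token']['roles']])`. A companion case where the application credential lists a role the user holds through neither a group nor a direct assignment would pin the filtering side of the change as well. The enclosing ApplicationCredentialAuth class continues outside this hunk.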
@ -195,16 +195,17 @@ class V3TokenDataHelper(provider_api.ProviderAPIMixin, object):
|
||||||
def _get_app_cred_roles(self, app_cred, user_id, domain_id, project_id):
|
def _get_app_cred_roles(self, app_cred, user_id, domain_id, project_id):
|
||||||
roles = app_cred['roles']
|
roles = app_cred['roles']
|
||||||
token_roles = []
|
token_roles = []
|
||||||
|
assignment_list = PROVIDERS.assignment_api.list_role_assignments(
|
||||||
|
user_id=user_id, project_id=project_id, domain_id=domain_id,
|
||||||
|
effective=True
|
||||||
|
)
|
||||||
|
user_roles = list(set([x['role_id'] for x in assignment_list]))
|
||||||
|
|
||||||
for role in roles:
|
for role in roles:
|
||||||
try:
|
if role['id'] in user_roles:
|
||||||
role_ref = PROVIDERS.assignment_api.get_grant(
|
token_roles.append({'id': role['id'], 'name': role['name']})
|
||||||
role['id'], user_id=user_id, domain_id=domain_id,
|
|
||||||
project_id=project_id)
|
return roles
|
||||||
token_roles.append(role_ref)
|
|
||||||
except exception.RoleAssignmentNotFound:
|
|
||||||
pass
|
|
||||||
return [
|
|
||||||
PROVIDERS.role_api.get_role(role['id']) for role in token_roles]
|
|
||||||
|
|
||||||
def populate_roles_for_federated_user(self, token_data, group_ids,
|
def populate_roles_for_federated_user(self, token_data, group_ids,
|
||||||
project_id=None, domain_id=None,
|
project_id=None, domain_id=None,
|
||||||
|
|
|
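Review bot: In _get_app_cred_roles the filtered list is built and then discarded: token_roles collects only the credential roles the user effectively holds, but the method ends with `return roles` (as this page renders it), which hands back every role stored on the application credential whether or not the user still has it, so a role revoked from the user or their group after the credential was created would still land in the token. The last line should be `return token_roles`. Note also that the removed code returned full role references from `PROVIDERS.role_api.get_role`, while the new path returns `{'id': ..., 'name': ...}` dicts taken straight from `app_cred['roles']`, so this relies on 'name' being populated on stored application-credential roles — worth confirming against the backend. A minor style point: `user_roles` is only used for membership tests, so a set comprehension `user_roles = {x['role_id'] for x in assignment_list}` is simpler than `list(set([...]))`.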
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
[`bug 1773967 <https://bugs.launchpad.net/keystone/+bug/1773967>`_]
|
||||||
|
Fixes an issue where users who had role assignments only via a group
|
||||||
|
membership and not via direct assignment could create but not use
|
||||||
|
application credentials. It is important to note that federated users who
|
||||||
|
only have role assignments via a mapped group membership still cannot
|
||||||
|
create application credentials.
|