Change is_admin_project to False by default

Our token model code will return a default of True for
is_admin_project if that attribute is not defined. The
comment next to this says this is for backwards
compatibility, but this seems inherently dangerous.

Closes-Bug: #1652012

Change-Id: I035fe570972764b9c9342d1851654634d681ac5e
This commit is contained in:
Gage Hugo 2017-02-24 12:26:41 -06:00
parent d4b4094dc7
commit dc449dfd63
3 changed files with 10 additions and 7 deletions

View File

@ -197,11 +197,7 @@ class KeystoneToken(dict):
if self.domain_scoped: if self.domain_scoped:
# Currently, domain scoped tokens cannot act as is_admin_project # Currently, domain scoped tokens cannot act as is_admin_project
return False return False
return self.get('is_admin_project', False)
# True gets returned by default for compatibility with older versions
# TODO(henry-nash): This seems inherently dangerous, and we should
# investigate how we can default this to False.
return self.get('is_admin_project', True)
@property @property
def trust_id(self): def trust_id(self):

View File

@ -87,8 +87,8 @@ class TestKeystoneTokenModel(core.TestCase):
self.assertTrue(token_data.scoped) self.assertTrue(token_data.scoped)
self.assertTrue(token_data.trust_scoped) self.assertTrue(token_data.trust_scoped)
# by default admin project is True for project scoped tokens # by default admin project is False for project scoped tokens
self.assertTrue(token_data.is_admin_project) self.assertFalse(token_data.is_admin_project)
self.assertEqual( self.assertEqual(
[r['id'] for r in self.v3_sample_token['token']['roles']], [r['id'] for r in self.v3_sample_token['token']['roles']],

View File

@ -0,0 +1,7 @@
---
fixes:
- |
[`bug 1652012 <https://bugs.launchpad.net/keystone/+bug/1652012>`_]
Changes the token_model to return is_admin_project False if the attribute
is not defined. Returning True for this has the potential to be dangerous
and the given reason for keeping it True is backwards compatability..