Change is_admin_project to False by default
Our token model code will return a default of True for is_admin_project if that attribute is not defined. The comment next to this says this is for backwards compatibility, but this seems inherently dangerous. Closes-Bug: #1652012 Change-Id: I035fe570972764b9c9342d1851654634d681ac5e
parent
d4b4094dc7
commit
dc449dfd63
@ -197,11 +197,7 @@ class KeystoneToken(dict):
|
|||||||
if self.domain_scoped:
|
if self.domain_scoped:
|
||||||
# Currently, domain scoped tokens cannot act as is_admin_project
|
# Currently, domain scoped tokens cannot act as is_admin_project
|
||||||
return False
|
return False
|
||||||
|
return self.get('is_admin_project', False)
|
||||||
# True gets returned by default for compatibility with older versions
|
|
||||||
# TODO(henry-nash): This seems inherently dangerous, and we should
|
|
||||||
# investigate how we can default this to False.
|
|
||||||
return self.get('is_admin_project', True)
|
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def trust_id(self):
|
def trust_id(self):
|
||||||
|
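Review bot: The new `return self.get('is_admin_project', False)` line drops the old explanatory comment without a replacement, so nothing next to the code records that this default is a deliberate fail-closed choice. I would add above it `# Fail closed: a token with no is_admin_project attribute is never treated as admin-project scoped.` The getter still returns the stored value as-is, so if token data can contain a non-boolean there (not visible from this hunk), `return self.get('is_admin_project', False) is True` would be the stricter form. Because tokens lacking the attribute now lose admin-project status, the release note in this commit would presumably be more useful to operators with an `upgrade:` entry alongside `fixes:`. The property's decorator and signature are outside the hunk.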
@ -87,8 +87,8 @@ class TestKeystoneTokenModel(core.TestCase):
|
|||||||
self.assertTrue(token_data.scoped)
|
self.assertTrue(token_data.scoped)
|
||||||
self.assertTrue(token_data.trust_scoped)
|
self.assertTrue(token_data.trust_scoped)
|
||||||
|
|
||||||
# by default admin project is True for project scoped tokens
|
# by default admin project is False for project scoped tokens
|
||||||
self.assertTrue(token_data.is_admin_project)
|
self.assertFalse(token_data.is_admin_project)
|
||||||
|
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
[r['id'] for r in self.v3_sample_token['token']['roles']],
|
[r['id'] for r in self.v3_sample_token['token']['roles']],
|
||||||
|
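Review bot: The updated `self.assertFalse(token_data.is_admin_project)` pins only the case where the attribute is absent; nothing visible in this hunk checks that a token which explicitly carries `is_admin_project` set to true still reports True. Without that companion assertion, a regression that hard-codes the property to False would pass this test while breaking admin-project policy checks. I would add a case that sets the attribute to true in the sample token data and asserts True, plus one for a domain-scoped token asserting False to cover the early return. The comment `# by default admin project is False for project scoped tokens` could also say that it refers to tokens with no `is_admin_project` key, since that is the condition under test. The test method begins and ends outside the hunk, so such cases may already exist elsewhere in the file.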
7
releasenotes/notes/bug-1652012-b3aea7c0d5affdb6.yaml
Normal file
7
releasenotes/notes/bug-1652012-b3aea7c0d5affdb6.yaml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
[`bug 1652012 <https://bugs.launchpad.net/keystone/+bug/1652012>`_]
|
||||||
|
Changes the token_model to return is_admin_project False if the attribute
|
||||||
|
is not defined. Returning True for this has the potential to be dangerous
|
||||||
|
and the given reason for keeping it True is backwards compatability..
|