[Bug 1773967] Re: Application credentials can't be used with group-only role assignments

OpenStack Infra 1773967 at bugs.launchpad.net
Thu Nov 14 17:04:55 UTC 2019 

Reviewed:  https://review.opendev.org/694096
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=578be15629a84d1edcfda546a93b7ccbb6959720
Submitter: Zuul
Branch:    stable/queens

commit 578be15629a84d1edcfda546a93b7ccbb6959720
Author: Jose Castro Leon <jose.castro.leon at cern.ch>
Date:   Tue Apr 23 15:38:16 2019 +0200

    Allows to use application credentials through group membership
    
    When using role assignment through groups, the user cannot use
    the application credentials created. This allows to look up
    the membership by checking inherited and group assignments.
    
    Conflicts:
        This change conflicts with newer branches because most of the
        logic in keystone/token/providers/common.py was refactored into
        keystone/models/token_model.py during the Rocky release. This
        refactor causes the stable/queens version to diverge from
        stable/rocky, stable/stein, and stable/train patches, although it
        is functionally equivalent to the approach used in later releases.
    
    Change-Id: If1bf5bd785a494923303265797311d42018ba7af
    Closes-Bug: #1773967
    (cherry picked from commit 14b25bc5d18842210cfffe1afdca475e848b84aa)
    (cherry picked from commit 933ea511d150ed2cbbd4265fc7513a9b3435baa2)
    (cherry picked from commit cf83fc10569e7b52eeb52c0e164dfe36daeec309)


** Tags added: in-stable-queens

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1773967

Title:
  Application credentials can't be used with group-only role assignments

Status in Ubuntu Cloud Archive:
  New
Status in OpenStack Identity (keystone):
  Fix Released
Status in keystone package in Ubuntu:
  Confirmed

Bug description:
  If a user only has a role assignment on a project via a group
  membership, the user can create an application credential for the
  project but it cannot be used. If someone tries to use it, the debug
  logs will report:

   User <uuid> has no access to project <uuid>

  We need to ensure that any application credential that is created can
  be used so long as it is not expired and the user exists and has
  access to the project they created the application credential for. If
  we decide that application credentials should not be valid for users
  who have no explicit role assignments on projects, then we should
  prevent it from being created and provide a useful message to the
  user.

  This is probably related to
  https://bugs.launchpad.net/keystone/+bug/1589993

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1773967/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list