OpenStack Identity (keystone)

oauth1 - consumer specifies roles instead of delegator

Bug #1216408 reported by Dolph Mathews on 2013-08-24

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Medium	Steve Martinelli	OpenStack Identity (keystone) 2013.2 "havana"

Bug Description

From the mailing list [1]:

> How does the delegate know which role to request? This is unintuitive. A delegator (rather than delegate) knows the role he wants to delegate. One would normally expect the delegator to request Keystone to delegate this role to the named delegate, rather than the delegate asking for a role to be delegated to it, since it requires an out of band communications between the delegator and delegate to take place before the delegation, in which the delegator tells the delegate its un/pw and the role it should ask for. This seems to be a rather contrived exchange of messages.

This design fault is present in both the spec and the current implementation.

[1]: http://lists.openstack.org/pipermail/openstack-dev/2013-June/010402.html

Revision history for this message

Steve Martinelli (stevemar) wrote on 2013-08-24:

#1

But we keep the consumer requesting the project id?

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-08-25: Fix proposed to keystone (master)

#2

Fix proposed to branch: master
Review: https://review.openstack.org/43610

Changed in keystone:
status:	Confirmed → In Progress

Revision history for this message

Dolph Mathews (dolph) wrote on 2013-08-26:

#3

Proposed API change: https://review.openstack.org/#/c/43611/

Revision history for this message

Dolph Mathews (dolph) wrote on 2013-08-26:

#4

@Steve: yes

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-08-30:

#5

Fix proposed to branch: master
Review: https://review.openstack.org/44504

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-09-05: Fix merged to keystone (master)

#6

Reviewed: https://review.openstack.org/43610
Committed: http://github.com/openstack/keystone/commit/3b43bca897e507f3db34c14047d48182761a4014
Submitter: Jenkins
Branch: master

commit 3b43bca897e507f3db34c14047d48182761a4014
Author: Steve Martinelli <email address hidden>
Date: Sat Aug 24 23:49:16 2013 -0500

OAuth authorizing user should propose roles to delegate

    Currently in the oauth1 extension the consumer specifies roles
    instead of delegator. This is a design fault that should be fixed
    by having the authorizing user provide a set of roles (ids)
    during the authorize request token phase.

fixes bug: #1216408

Change-Id: I13e155cf04dd478d575c8d66216d0fde08875ba2

Changed in keystone:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2013-09-05

Changed in keystone:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2013-10-17

Changed in keystone:
milestone:	havana-3 → 2013.2

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.