User 'admin' loses its permissions in current tenant after removing 'admin' role for itself in another tenant

Bug #1386696 reported by Timur Sufiev
This bug affects 2 people

Affects              Status        Importance  Assigned to     Milestone
Mirantis OpenStack   Fix Released  Medium      MOS Keystone
6.0.x                Won't Fix     Medium      Paul Karikh
6.1.x                Won't Fix     Medium      MOS Keystone
7.0.x                Fix Released  Medium      Rodion Tikunov
8.0.x                Fix Released  Medium      MOS Keystone

Bug Description

Test steps:
1. Log in as admin.
2. Create a new project named p_admin_1.
3. Give admin the member and admin roles in this new project.
4. Remove the admin role for this project.

Test result:

Error: Unauthorized: Failed to modify 1 project members and update project quotas.
Error: Unauthorized: Unable to retrieve project list.

Upstream bug: https://bugs.launchpad.net/horizon/+bug/1326668

Timur Sufiev (tsufiev-x)
Changed in mos:
status: New → Confirmed
tags: added: horizon
Changed in mos:
assignee: nobody → MOS Horizon (mos-horizon)
importance: Undecided → Medium
Changed in mos:
milestone: none → 6.0
Timur Sufiev (tsufiev-x)
Changed in mos:
assignee: MOS Horizon (mos-horizon) → Paul Karikh (pkarikh)
Paul Karikh (pkarikh)
Changed in mos:
status: Confirmed → In Progress
tags: added: customer-found
Paul Karikh (pkarikh) wrote :

Seems like the problem is related to the fact that Keystone invalidates every token for a user after changing its roles within one tenant.
Related MOS Keystone bug: https://bugs.launchpad.net/mos/+bug/1393732.

Paul Karikh (pkarikh)
Changed in mos:
status: In Progress → Triaged
Timur Sufiev (tsufiev-x)
Changed in mos:
milestone: 6.0 → 6.0.1
Changed in mos:
status: Triaged → Won't Fix
Paul Karikh (pkarikh) wrote :

Since Keystone invalidates every token for a user after changing its roles within one tenant, this bug should be fixed in Keystone.
Here is the MOS Keystone bug for it: https://bugs.launchpad.net/mos/+bug/1393732
Here is the upstream fix from Alexander Makarov (on review at this moment): https://review.openstack.org/#/c/141854/

Timur Sufiev (tsufiev-x)
tags: added: keystone
removed: horizon
Alexander Makarov (amakarov) wrote :

The root cause of the problem is a wrong implementation of the revocation mechanism.
This issue is to be resolved in the L cycle; the community postponed the fix: https://review.openstack.org/#/c/141854/

Dmitry Mescheryakov (dmitrymex) wrote :

The issue is not targeted to 6.1 because it requires a thorough fix, and it is rather improbable that it will be finished in the 6.1 timeframe.

Alexander Makarov (amakarov) wrote :

Unfortunately it's a trade-off accepted by Community: in order to avoid revocation by user, which is too heavy

Alexander Makarov (amakarov) wrote :

To be more specific: I'm about token revocations

Davanum Srinivas (DIMS) (dims-v) wrote :

Looks like https://review.openstack.org/#/c/141854/ landed in master on the first week of July

Davanum Srinivas (DIMS) (dims-v) wrote :

Backport on upstream is here: https://review.openstack.org/#/c/216354/

Boris Bobrov (bbobrov) wrote :

I am not sure whether we should backport it, so I'm assigning MOS Maintenance team so that they could decide. The link to the patch is posted above on 2015-08-26.

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/keystone (openstack-ci/fuel-7.0/2015.1.0)

Fix proposed to branch: openstack-ci/fuel-7.0/2015.1.0
Change author: Alexander Makarov <email address hidden>
Review: https://review.fuel-infra.org/16788

tags: added: on-verification
Timur Nurlygayanov (tnurlygayanov) wrote :

Verified on MOS 8.0 #569.

Steps To Verify:
1. Log in to the Horizon dashboard as the admin user.
2. Create a new project 'test'.
3. Give admin the member and admin roles in this new project.
4. Save the project.
5. Remove the admin role for this project.
6. Check different tabs in Horizon and verify that the user still has admin access and can see other projects, users and VMs in different tenants.

tags: removed: on-verification
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/keystone (openstack-ci/fuel-7.0/2015.1.0)

Reviewed: https://review.fuel-infra.org/16788
Submitter: Denis V. Meltsaykin <email address hidden>
Branch: openstack-ci/fuel-7.0/2015.1.0

Commit: 6df500d47e898a0744475122b6c80b069432c1f1
Author: Alexander Makarov <email address hidden>
Date: Tue Feb 9 13:17:56 2016

Group role revocation invalidates all user tokens

Keystone invalidates every token for a user after revoking one group role
within one project.

This patch replaces 'invalidate user's everything' logic with revocation by
grant via notifications for delete_grant assignment operation.

Change-Id: If9d0fefe43da96ba5e6b6ffc809b9f15e8d732f7
Closes-Bug: 1386696
(cherry picked from commit 369d08d1c6f1c30abb09440b3ed06e7e5266b1ec)
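The commit message above contrasts two revocation strategies: "invalidate the user's everything" versus revocation by the specific grant that was deleted. The following toy model is an added illustration, not Keystone's code and not the patch linked above; the Token and RevocationEvent classes, the wildcard-matching rule and the scenario values ('admin', 'p_admin_1') are constructed here to replay the bug's steps and show why the first strategy kills the admin's token in its home tenant while the second only touches tokens that actually carried the removed role.

```python
# Added illustration, not Keystone's code: a toy model of the two token
# revocation strategies contrasted in the commit message on this bug.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Token:
    """A scoped token: its owner, the project it is scoped to, and the
    roles it carried in that project when it was issued."""
    user_id: str
    project_id: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class RevocationEvent:
    """A revocation record. A field left as None is a wildcard, so an
    event with only user_id set matches every token of that user."""
    user_id: str
    project_id: Optional[str] = None
    role_id: Optional[str] = None


def event_matches(event: RevocationEvent, token: Token) -> bool:
    """True when every non-wildcard field of the event matches the token."""
    if event.user_id != token.user_id:
        return False
    if event.project_id is not None and event.project_id != token.project_id:
        return False
    if event.role_id is not None and event.role_id not in token.roles:
        return False
    return True


def is_revoked(events: List[RevocationEvent], token: Token) -> bool:
    """A token is invalid as soon as any recorded event matches it."""
    return any(event_matches(e, token) for e in events)


def revoke_user_everything(events: List[RevocationEvent], user_id: str) -> None:
    """Old behaviour described in the commit message: removing one role
    invalidates every token the user holds, in every project."""
    events.append(RevocationEvent(user_id=user_id))


def revoke_by_grant(events: List[RevocationEvent], user_id: str,
                    project_id: str, role_id: str) -> None:
    """New behaviour: revoke only tokens that carried the removed grant."""
    events.append(RevocationEvent(user_id=user_id, project_id=project_id,
                                  role_id=role_id))


def simulate(strategy: str) -> Dict[str, bool]:
    """Replay the bug's steps under one strategy and report which of the
    constructed tokens end up revoked.

    Constructed scenario: user 'admin' holds a token scoped to its home
    project 'admin', a token scoped to the new project 'p_admin_1' that
    carries both the admin and member roles, and a third token in
    'p_admin_1' that carries only the member role. The 'admin' role is
    then removed from 'p_admin_1'.
    """
    events: List[RevocationEvent] = []
    token_home = Token("admin", "admin", frozenset({"admin"}))
    token_new = Token("admin", "p_admin_1", frozenset({"admin", "member"}))
    token_member = Token("admin", "p_admin_1", frozenset({"member"}))

    if strategy == "user_everything":
        revoke_user_everything(events, "admin")
    elif strategy == "by_grant":
        revoke_by_grant(events, "admin", "p_admin_1", "admin")
    else:
        raise ValueError(f"unknown strategy: {strategy}")

    return {
        "home_project_token_revoked": is_revoked(events, token_home),
        "p_admin_1_admin_token_revoked": is_revoked(events, token_new),
        "p_admin_1_member_only_token_revoked": is_revoked(events, token_member),
    }


if __name__ == "__main__":
    for name in ("user_everything", "by_grant"):
        print(name, simulate(name))
```

Under "user_everything" all three tokens are revoked, which is exactly the symptom in the bug description: the admin's session in its own tenant stops working the moment a role is removed elsewhere. Under "by_grant" only the token that carried the deleted admin role in p_admin_1 is invalidated; the home-tenant token and the member-only token in the same project keep working.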

tags: added: wontfix-risky
tags: added: on-verification
Ekaterina Shutova (eshutova) wrote :

Verified on MOS 7.0 mu3 updates.

Steps To Verify:
As described above.

tags: added: ontfix-risky
removed: on-verification wontfix-risky
Timur Sufiev (tsufiev-x)
tags: added: wontfix-risky
removed: ontfix-risky