Public bug reported: When building the roles in a Keystone token from a saml2 token, we call assignment_api.get_roles_for_groups() to add in any group roles. This appears to ignore the inheritance flag on the assignment - and puts in all group roles whether inherited or not. This means the wrong roles can end up in the resulting Keystone token.
** Affects: keystone
   Importance: High
   Status: New

** Changed in: keystone
   Importance: Undecided => High

** Description changed:

  When building the roles in a Keystone token from a saml2 token, we call assignment_api.get_roles_for_groups() to add in any group roles. This appears to ignore the inheritance flag on the assignment - and puts in
- all roles whether inherited or not. This means the wrong roles can end
- up in the resulting Keystone token
+ all group roles whether inherited or not. This means the wrong roles
+ can end up in the resulting Keystone token.

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1385533

Title:
  Tokens issued from a saml2 auth ignore inheritance of group roles

Status in OpenStack Identity (Keystone):
  New
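The following is an added illustration of the defect the report describes, not Keystone's own code: a toy assignment model (constructed group, project, domain and role identifiers) showing the faulty "all group roles regardless of the inherited flag" result beside a scope-aware computation that honours OS-INHERIT semantics (domain assignments with inherited=True apply to the domain's projects, not to the domain itself).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Assignment:
    """Constructed stand-in for a Keystone group role assignment."""
    group_id: str
    role_id: str
    project_id: Optional[str] = None   # set for project-scoped assignments
    domain_id: Optional[str] = None    # set for domain-scoped assignments
    inherited: bool = False            # the OS-INHERIT flag


# Constructed sample data: which domain owns each project, and group assignments.
PROJECT_DOMAIN = {"proj-a": "dom-x", "proj-b": "dom-y"}
ASSIGNMENTS = [
    Assignment("grp-1", "member", project_id="proj-a"),
    Assignment("grp-1", "admin", domain_id="dom-x"),                   # domain only
    Assignment("grp-2", "reader", domain_id="dom-x", inherited=True),  # domain's projects
    Assignment("grp-2", "auditor", project_id="proj-b"),
]


def roles_ignoring_inheritance(groups, assignments=ASSIGNMENTS):
    """Faulty behaviour: every role held by any of the groups, whatever the
    scope or inherited flag, ends up in the token."""
    return sorted({a.role_id for a in assignments if a.group_id in groups})


def roles_for_project(groups, project_id, assignments=ASSIGNMENTS,
                      project_domain=PROJECT_DOMAIN):
    """Project-scoped token: direct project assignments plus assignments on
    the owning domain that carry inherited=True."""
    domain = project_domain[project_id]
    roles = set()
    for a in assignments:
        if a.group_id not in groups:
            continue
        if a.project_id == project_id:
            roles.add(a.role_id)
        elif a.domain_id == domain and a.inherited:
            roles.add(a.role_id)
    return sorted(roles)


def roles_for_domain(groups, domain_id, assignments=ASSIGNMENTS):
    """Domain-scoped token: only non-inherited assignments made on that domain."""
    return sorted({a.role_id for a in assignments
                   if a.group_id in groups and a.domain_id == domain_id
                   and not a.inherited})
```

For a project-scoped token for proj-a held by both groups, the faulty path yields all four roles while the scope-aware path yields only member and reader.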