openstack
/
keystone
Code Issues Proposed changes
OpenStack Identity (Keystone)
12,680 Commits 9 Branches 40 Tags 231 MiB
Python 99.5%
Shell 0.5%
Go to file
Lance Bragstad a226a3d8be Expose bug in /role_assignments API with system-scope 
The role_assignment API supports a bunch of query parameters that
gives users flexibility when querying for role assignments. This
commit exposes an issue when querying keystone for a specific role
using /role_assignments?role.id={role_id}. The expected result was
that the returned list would only contain role assignments for that
specific role ID. The actual result is a set of role assignments with
that role ID and all system role assignments.

This caused issues in tempest because tempest goes through and cleans
up resources using `tearDownClass`, and it is common to remove
specific roles used in the test class. The problem is that keystone
queries the role assignment API for all role assignment with a
specific role ID, which is the equivalent to
`GET /v3/role_assignments?role.id={role_id}` when deleting a role. The
list returned included false positives, which were system role
assignments, resulting in revocation events getting persisted for
users in those role assignments. This prevented the administrator in
tempest from cleaning up the rest of the resources because the
revocation event would make the token being used to do resource
cleanup.

This commit exposes the bug using tests.

Change-Id: If93400be3c9d3fe8e266bb36c16accca93d77154
Partial-Bug: 1748970
 		2018-02-13 19:12:16 +00:00
api-ref/source Merge "Reorganize api-ref: v3-ext oauth.inc" 2018-02-08 19:47:14 +00:00
config-generator Move policy generator config to config-generator/ 2017-04-21 21:47:32 +00:00
devstack Update links in keystone 2017-09-12 15:18:13 +08:00
doc Update OBS install docs for v2 removal 2018-02-08 15:46:41 +01:00
etc Update sample configuration file for Queens 2018-02-06 21:19:35 +00:00
examples/pki Remove support for PKI and PKIz tokens 2016-11-01 22:05:01 +00:00
httpd Remove apache-httpd related link 2017-11-23 14:05:17 +08:00
keystone Expose bug in /role_assignments API with system-scope 2018-02-13 19:12:16 +00:00
keystone_tempest_plugin Remove the local tempest plugin 2017-06-06 11:48:37 +00:00
playbooks/legacy Use native Zuul v3 tox job 2018-01-29 06:50:03 +00:00
rally-jobs [rally] remove deprecated arg 2015-10-29 16:34:58 +02:00
releasenotes Merge "Update reno for stable/queens" 2018-02-12 18:54:22 +00:00
tools Increase MySQL max_connections for unit tests 2018-01-30 23:49:04 +01:00
.coveragerc Change ignore-errors to ignore_errors 2015-09-21 14:27:58 +00:00
.gitignore Migrate to stestr 2017-09-22 11:07:09 -05:00
.gitreview Add .gitreview config file for gerrit. 2011-10-24 14:48:03 -04:00
.mailmap update mailmap with gyee's new email 2015-11-03 16:12:01 -08:00
.stestr.conf Migrate to stestr 2017-09-22 11:07:09 -05:00
.zuul.yaml Use native Zuul v3 tox job 2018-01-29 06:50:03 +00:00
CONTRIBUTING.rst Use https for docs.openstack.org references 2017-01-30 16:05:08 -08:00
HACKING.rst Merge "Update links in keystone" 2017-10-06 16:10:56 +00:00
LICENSE Added Apache 2.0 License information. 2012-02-15 17:48:33 -08:00
README.rst Update API reference link in README 2017-09-14 14:07:09 -06:00
babel.cfg setting up babel for i18n work 2012-06-21 18:03:09 -07:00
bindep.txt Differentiate between dpkg and rpm for libssl-dev 2017-03-31 11:27:25 -04:00
requirements.txt Updated from global requirements 2018-01-17 20:36:58 +00:00
setup.cfg Add application credential auth plugin 2018-01-27 12:00:19 +01:00
setup.py Updated from global requirements 2017-03-06 01:10:37 +00:00
test-requirements.txt Updated from global requirements 2018-01-17 20:36:58 +00:00
tox.ini Merge "Migrate functional tests to stestr" 2017-12-22 16:47:26 +00:00

README.rst

Team and repository tags

image

OpenStack Keystone

Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. It is most commonly deployed as an HTTP interface to existing identity systems, such as LDAP.

Developer documentation, the source of which is in doc/source/, is published at:

https://docs.openstack.org/keystone/latest

The API reference and documentation are available at:

https://developer.openstack.org/api-ref/identity

The canonical client library is available at:

https://git.openstack.org/cgit/openstack/python-keystoneclient

Documentation for cloud administrators is available at:

https://docs.openstack.org/

The source of documentation for cloud administrators is available at:

https://git.openstack.org/cgit/openstack/openstack-manuals

Information about our team meeting is available at:

https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting

Bugs and feature requests are tracked on Launchpad at:

https://bugs.launchpad.net/keystone

Future design work is tracked at:

https://specs.openstack.org/openstack/keystone-specs

Contributors are encouraged to join IRC (#openstack-keystone on freenode):

https://wiki.openstack.org/wiki/IRC

For information on contributing to Keystone, see CONTRIBUTING.rst.