)]}'
{"id":"openstack%2Fkeystone~738190","triplet_id":"openstack%2Fkeystone~master~Iff43e584fd57eb33d721c2d42c7b5520a5351245","project":"openstack/keystone","branch":"master","topic":"bug/1846817","hashtags":[],"change_id":"Iff43e584fd57eb33d721c2d42c7b5520a5351245","subject":"Not exposing unnecessary role assignments by v3/role_assignments","status":"ABANDONED","created":"2020-06-26 11:25:00.000000000","updated":"2022-01-21 21:00:25.000000000","total_comment_count":1,"unresolved_comment_count":0,"has_review_started":true,"meta_rev_id":"5024521d4f471f75a6233bdd44a05d787b49a19c","_number":738190,"virtual_id_number":738190,"owner":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"actions":{},"labels":{"Verified":{"disliked":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"all":[{"tag":"autogenerated:zuul:check","value":-1,"date":"2020-07-02 21:06:44.000000000","permitted_voting_range":{"min":-2,"max":2},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"date":"2020-07-10 14:13:10.000000000","_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","value":-1,"default_value":0,"optional":true},"Code-Review":{"all":[{"value":0,"permitted_voting_range":{"min":-1,"max":1},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"permitted_voting_range":{"min":-1,"max":1},"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},{"value":0,"permitted_voting_range":{"min":-1,"max":1},"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},{"value":0,"permitted_voting_range":{"min":-2,"max":2},"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},{"value":0,"date":"2020-07-07 18:12:45.000000000","permitted_voting_range":{"min":-1,"max":1},"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","default_value":0,"optional":true},"Workflow":{"all":[{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"permitted_voting_range":{"min":-1,"max":0},"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},{"date":"2020-07-02 14:41:10.000000000","_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},{"value":0,"date":"2020-07-02 14:40:40.000000000","permitted_voting_range":{"min":-1,"max":1},"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2020-07-02 14:40:40.000000000","updated_by":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"reviewer":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"state":"REVIEWER"},{"updated":"2020-07-02 14:41:10.000000000","updated_by":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"reviewer":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"state":"REVIEWER"},{"updated":"2020-07-02 21:06:44.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"REVIEWER"},{"updated":"2020-07-07 18:12:45.000000000","updated_by":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"reviewer":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"state":"REVIEWER"}],"messages":[{"id":"62f2199ee606f03de594ffb9445114999fbd1044","author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"date":"2020-06-26 11:25:00.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"3f85a0d6d17d243ff5bbe872ec2a89f28e022071","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2020-06-26 14:21:29.000000000","message":"Patch Set 1: Verified-1\n\n(1 comment)\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\n\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/f11d955e22ed4e26b2d901732cb69cc0 : SUCCESS in 18m 35s\n- openstack-tox-lower-constraints https://zuul.opendev.org/t/openstack/build/15a144fd13194414bdcea0db67732412 : SUCCESS in 23m 25s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/fbf9f397fc644645813e47b6919c37b2 : FAILURE in 5m 04s\n- openstack-tox-py36 https://zuul.opendev.org/t/openstack/build/ad41f100a19948dda11960fa9910614a : SUCCESS in 17m 51s\n- openstack-tox-py38 https://zuul.opendev.org/t/openstack/build/8653911138d74c5db11262bf236be8dc : SUCCESS in 16m 29s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/18c22c938ac54c45b524db066a1df61f : SUCCESS in 11m 50s\n- grenade https://zuul.opendev.org/t/openstack/build/b15dda7ef6bd4517b65d564c90659352 : SUCCESS in 1h 16m 44s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/ebbf16f7d4444465bf6ce7e3e0a636d2 : SUCCESS in 1h 28m 44s\n- keystone-dsvm-py3-functional https://zuul.opendev.org/t/openstack/build/78e7f54ea6fe40d398cdbf393b3527af : SUCCESS in 45m 03s\n- keystone-dsvm-py3-functional-federation-opensuse15 https://zuul.opendev.org/t/openstack/build/8a398d4a8c554ea18c43427cf1f3bda7 : SUCCESS in 40m 49s (non-voting)\n- keystone-dsvm-py3-functional-federation-opensuse15-k2k https://zuul.opendev.org/t/openstack/build/ba22116fa0da42198c695eee8d7e30fc : SUCCESS in 39m 24s\n- keystoneclient-devstack-functional https://zuul.opendev.org/t/openstack/build/81cfc2cd5ebf455e9c69d886cc4de8b1 : SUCCESS in 15m 45s (non-voting)\n- keystone-dsvm-ldap-domain-specific-driver https://zuul.opendev.org/t/openstack/build/ee054976155540bbbb3dfd573c67be9a : SUCCESS in 36m 22s (non-voting)\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/d694006cb944494c819cb8c43d204413 : SUCCESS in 55m 48s\n- keystone-tox-protection https://zuul.opendev.org/t/openstack/build/a4a8be5e895a44c7b0fd2a5551ad64ce : FAILURE in 38m 15s","accounts_in_message":[],"_revision_number":1},{"id":"6c0b0c8cca7b1b3058c422164d8312793d55856a","author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"date":"2020-06-29 12:21:29.000000000","message":"Uploaded patch set 2.","accounts_in_message":[],"_revision_number":2},{"id":"b1b412649a931d43201df663c5a9e4b484ba292d","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2020-06-29 13:22:50.000000000","message":"Patch Set 2: Verified-1\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\n\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/a48f72ae12a54810b7efe450e7d1835d : SUCCESS in 28m 10s\n- openstack-tox-lower-constraints https://zuul.opendev.org/t/openstack/build/0212e900b69841798b2d01a53231cf98 : SUCCESS in 12m 13s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/2bc78bc8030d4cf69b2cba23963d201c : SUCCESS in 6m 47s\n- openstack-tox-py36 https://zuul.opendev.org/t/openstack/build/f0e3403373274ff39d669b4bb75abbfa : SUCCESS in 12m 25s\n- openstack-tox-py38 https://zuul.opendev.org/t/openstack/build/713d0f3d59874595834e66a0c9420a30 : SUCCESS in 21m 58s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/256264ac9415412c9eef77fca3c28238 : SUCCESS in 10m 41s\n- grenade https://zuul.opendev.org/t/openstack/build/fc994086a90a406f9cf72696ce35b293 : SUCCESS in 59m 36s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/36559dbdee9a4568bbfdebefe277e75b : SUCCESS in 53m 58s\n- keystone-dsvm-py3-functional https://zuul.opendev.org/t/openstack/build/40f10a918328442da08118bcd1432815 : SUCCESS in 33m 58s\n- keystone-dsvm-py3-functional-federation-opensuse15 https://zuul.opendev.org/t/openstack/build/6dcc419a2d3b4fd49a59ed53d2e60136 : SUCCESS in 25m 27s (non-voting)\n- keystone-dsvm-py3-functional-federation-opensuse15-k2k https://zuul.opendev.org/t/openstack/build/fcdeab234aaf4811ba948bf758200ce0 : SUCCESS in 33m 38s\n- keystoneclient-devstack-functional https://zuul.opendev.org/t/openstack/build/03db53287bb843019f08e417c4969272 : SUCCESS in 10m 54s (non-voting)\n- keystone-dsvm-ldap-domain-specific-driver https://zuul.opendev.org/t/openstack/build/7daa83275d9b446ea8c64399fbd699ee : SUCCESS in 40m 06s (non-voting)\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/9a6c659eefaf4d3097f1c48dff3e425b : SUCCESS in 47m 51s\n- keystone-tox-protection https://zuul.opendev.org/t/openstack/build/f8c7c53344d74029b8428e4d5a5bd9b0 : FAILURE in 34m 00s","accounts_in_message":[],"_revision_number":2},{"id":"c9b82e5d43bdef80165beeb9a60a2a0cb1a54406","author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"date":"2020-06-30 11:36:48.000000000","message":"Uploaded patch set 3.","accounts_in_message":[],"_revision_number":3},{"id":"4dc54c6c1186b0418e9ea742c79036e13dd6eab3","author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"date":"2020-06-30 11:38:20.000000000","message":"Uploaded patch set 4.","accounts_in_message":[],"_revision_number":4},{"id":"103142fbe0057330bb5071ffd396bfcdd2b0dbac","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2020-06-30 13:02:30.000000000","message":"Patch Set 4: Verified-1\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\n\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/2ec62b0f637c4e51bcc473c8fedca4ad : SUCCESS in 18m 46s\n- openstack-tox-lower-constraints https://zuul.opendev.org/t/openstack/build/e24bb410f04c4776881ff38642fd8ea6 : SUCCESS in 15m 55s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/38f6abf63c5549d9b405a464bea7a6bb : SUCCESS in 6m 30s\n- openstack-tox-py36 https://zuul.opendev.org/t/openstack/build/7fb0b0d71aa244ee80fa004e9b1295d3 : SUCCESS in 16m 00s\n- openstack-tox-py38 https://zuul.opendev.org/t/openstack/build/d631508f46f14a8a87d4a88425a7ea02 : SUCCESS in 12m 26s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/936f51866288487987a0699c01a44bcc : SUCCESS in 13m 27s\n- grenade https://zuul.opendev.org/t/openstack/build/efac5be086fa43af91e5bbd9487adc7f : SUCCESS in 1h 18m 40s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/808bcb60696d441291835b92b4fee771 : SUCCESS in 1h 18m 17s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/d033ade8eec0456d8ed4ab8030be72ed : FAILURE in 6m 37s\n- keystone-dsvm-py3-functional https://zuul.opendev.org/t/openstack/build/135c28ad66c645ba8b5030c9697e3f71 : SUCCESS in 41m 00s\n- keystone-dsvm-py3-functional-federation-opensuse15 https://zuul.opendev.org/t/openstack/build/14c2974a5fc64cc682ec21366ea69188 : SUCCESS in 35m 46s (non-voting)\n- keystone-dsvm-py3-functional-federation-opensuse15-k2k https://zuul.opendev.org/t/openstack/build/28b70bc9222e47e38525020609527d2d : SUCCESS in 45m 50s\n- keystoneclient-devstack-functional https://zuul.opendev.org/t/openstack/build/0e4368cf0b814eb4aa2de3245328319b : SUCCESS in 20m 06s (non-voting)\n- keystone-dsvm-ldap-domain-specific-driver https://zuul.opendev.org/t/openstack/build/594767e0b2c64a91b97b2dad38d8e3d2 : SUCCESS in 44m 28s (non-voting)\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/3b9d8f32c3e04f65983ec72c9828ddd5 : SUCCESS in 1h 00m 40s\n- keystone-tox-protection https://zuul.opendev.org/t/openstack/build/ff465a9ac53540169d3d8af169ec6cae : FAILURE in 38m 55s","accounts_in_message":[],"_revision_number":4},{"id":"11f42a4f226ddfc13f0337b1bf429774ad735b0c","author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"date":"2020-06-30 16:56:00.000000000","message":"Patch Set 4:\n\nrecheck","accounts_in_message":[],"_revision_number":4},{"id":"2ee8b3cbbb1d78ebb20e4329ee3f5912917aff95","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2020-06-30 19:34:49.000000000","message":"Patch Set 4:\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\n\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/4e45dde5e04a41c1aa3ff3d08289ae9f : SUCCESS in 23m 08s\n- openstack-tox-lower-constraints https://zuul.opendev.org/t/openstack/build/07081267f3ae4601843130bd4cbe601e : SUCCESS in 15m 39s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/66d0ebdbf9994b7aab41b5c3843e431b : SUCCESS in 8m 25s\n- openstack-tox-py36 https://zuul.opendev.org/t/openstack/build/36cfc529e1dd4232af9107f4c59c9e32 : SUCCESS in 28m 42s\n- openstack-tox-py38 https://zuul.opendev.org/t/openstack/build/dcb12ee5e4f14e8aba86a27b508e7128 : SUCCESS in 23m 48s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/17a2fbbc0156488b848f9db530b3af7e : SUCCESS in 13m 45s\n- grenade https://zuul.opendev.org/t/openstack/build/12a6deec30724554a4f23f6ef2cba764 : SUCCESS in 1h 02m 12s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/03073f677cf84a238ea4c9c6cb2e26c7 : SUCCESS in 1h 31m 24s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/a662aa52b68b442b99e048ab114efc8d : FAILURE in 7m 50s\n- keystone-dsvm-py3-functional https://zuul.opendev.org/t/openstack/build/a0ba8b8f231e4ced8ee259ef62a60f7b : SUCCESS in 41m 01s\n- keystone-dsvm-py3-functional-federation-opensuse15 https://zuul.opendev.org/t/openstack/build/1d18c98fc6734bb7ba2d91bef85ce103 : SUCCESS in 36m 06s (non-voting)\n- keystone-dsvm-py3-functional-federation-opensuse15-k2k https://zuul.opendev.org/t/openstack/build/2376f8d4c7904864a51590e138723b8b : SUCCESS in 35m 20s\n- keystoneclient-devstack-functional https://zuul.opendev.org/t/openstack/build/1aabe47f4ab7461a89a1e1de3b313475 : SUCCESS in 18m 45s (non-voting)\n- keystone-dsvm-ldap-domain-specific-driver https://zuul.opendev.org/t/openstack/build/dc7d54f712cb4839bbc954f901f726d5 : SUCCESS in 43m 13s (non-voting)\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/14d0f30ce1774437a3c1bbd1fda3ad53 : SUCCESS in 1h 00m 48s\n- keystone-tox-protection https://zuul.opendev.org/t/openstack/build/67ed55dd27cc4ed794d246d08c533631 : FAILURE in 46m 44s","accounts_in_message":[],"_revision_number":4},{"id":"db219e7efdb91f470887c5d7a73d2ca5a983d0e2","author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"date":"2020-07-02 14:39:29.000000000","message":"Uploaded patch set 5.","accounts_in_message":[],"_revision_number":5},{"id":"0e0a812c03091c614902d26d3c2ec07e149c8e71","author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"date":"2020-07-02 20:10:10.000000000","message":"Patch Set 5: Code-Review-1\n\nVishakha, this is nearly the opposite of what needs to be solved in this bug.\n\nThe current situation is:\n- you add a filter like scope.system\u003dall\u0026role.id\u003da8cd98f2e98d4135b2fa83950d6171ec to the role assignments query\n- expected behavior: only role assignments that match scope.system\u003dall AND role.id\u003da8cd98f2e98d4135b2fa83950d6171ec are returned\n- actual behavior: any role assignment that matches scope.system\u003dall OR role.id\u003da8cd98f2e98d4135b2fa83950d6171ec are returned - that is more role assignments than is expected, and it is a security issue because in theory it exposes assignments that the user may not be allowed to see.\n\nThis has nothing to do with implied roles, and it is certainly not about *adding* assignments to the returned results, if anything it is about *reducing* the assignments returned *when this filter is applied*.","accounts_in_message":[],"_revision_number":5},{"id":"c26494d1c25cd90958c3150735307c7930e60c98","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2020-07-02 21:06:44.000000000","message":"Patch Set 5: Verified-1\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\n\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/2d63ae6a519746029e02b5591c38fb1c : SUCCESS in 29m 35s\n- openstack-tox-lower-constraints https://zuul.opendev.org/t/openstack/build/75b30efb22ab4e52a4eb1371f3fff13e : SUCCESS in 24m 57s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/fe4a7e25d6fb4de998396a39bbb3381e : SUCCESS in 9m 32s\n- openstack-tox-py36 https://zuul.opendev.org/t/openstack/build/c46b6b28825e4ec4b15facb7bb182737 : SUCCESS in 21m 05s\n- openstack-tox-py38 https://zuul.opendev.org/t/openstack/build/55018404f7d54fdf8375d6b9022c7f51 : SUCCESS in 35m 21s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/c852ce813ab94814a807a87be41c9d25 : SUCCESS in 19m 42s\n- grenade https://zuul.opendev.org/t/openstack/build/2eaa92932ab94ababa5fac27898217aa : SUCCESS in 1h 13m 33s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/fe82384b9d9f4a49a0b72c13e22ead29 : SUCCESS in 1h 37m 30s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/23742df992374c55a8637fcbf56533ae : SUCCESS in 12m 04s\n- keystone-dsvm-py3-functional https://zuul.opendev.org/t/openstack/build/846cf656b86949478f98eb6673bec295 : SUCCESS in 36m 50s\n- keystone-dsvm-py3-functional-federation-ubuntu-focal https://zuul.opendev.org/t/openstack/build/0425df2871c34cbd916c87a4e91b7c41 : SUCCESS in 40m 07s (non-voting)\n- keystone-dsvm-py3-functional-federation-ubuntu-focal-k2k https://zuul.opendev.org/t/openstack/build/06602393af944e1384512af78af83f89 : SUCCESS in 40m 17s\n- keystoneclient-devstack-functional https://zuul.opendev.org/t/openstack/build/7ff652aef9ca409ebdca9e668fd9bd72 : SUCCESS in 19m 25s (non-voting)\n- keystone-dsvm-ldap-domain-specific-driver https://zuul.opendev.org/t/openstack/build/875ded7d91214578838508210fe446f9 : SUCCESS in 42m 24s (non-voting)\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/9e27c9a31e1a45758ca52c64192d1545 : SUCCESS in 57m 45s\n- keystone-tox-protection https://zuul.opendev.org/t/openstack/build/f31fd829f2a84651bc432ae782477282 : FAILURE in 46m 37s","accounts_in_message":[],"_revision_number":5},{"id":"64099e4918d8d2f3d3154fc42a567cdd88b782b3","author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"date":"2020-07-03 13:29:03.000000000","message":"Patch Set 5:\n\n\u003e Vishakha, this is nearly the opposite of what needs to be solved in\n \u003e this bug.\n \u003e \n \u003e The current situation is:\n \u003e - you add a filter like scope.system\u003dall\u0026role.id\u003da8cd98f2e98d4135b2fa83950d6171ec\n \u003e to the role assignments query\n \u003e - expected behavior: only role assignments that match\n \u003e scope.system\u003dall AND role.id\u003da8cd98f2e98d4135b2fa83950d6171ec are\n \u003e returned\n \u003e - actual behavior: any role assignment that matches\n \u003e scope.system\u003dall OR role.id\u003da8cd98f2e98d4135b2fa83950d6171ec are\n \u003e returned - that is more role assignments than is expected, and it\n \u003e is a security issue because in theory it exposes assignments that\n \u003e the user may not be allowed to see.\n \u003e \n \u003e This has nothing to do with implied roles, and it is certainly not\n \u003e about *adding* assignments to the returned results, if anything it\n \u003e is about *reducing* the assignments returned *when this filter is\n \u003e applied*.\n\nHi Colleen. Thanks for the comment. I understood the above part but as per the bug description in paragraph \"If I ask keystone......it only has reader\" it seems like it is expecting to list all the roles having a \"member\" role. Please correct me If I misunderstood and then I can update accordingly.","accounts_in_message":[],"_revision_number":5},{"id":"f7b1f6cd645b90c971066409b94f2de60e7a724f","author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"date":"2020-07-06 19:21:10.000000000","message":"Patch Set 5:\n\n\u003e \u003e Vishakha, this is nearly the opposite of what needs to be solved\n \u003e in\n \u003e \u003e this bug.\n \u003e \u003e\n \u003e \u003e The current situation is:\n \u003e \u003e - you add a filter like scope.system\u003dall\u0026role.id\u003da8cd98f2e98d4135b2fa83950d6171ec\n \u003e \u003e to the role assignments query\n \u003e \u003e - expected behavior: only role assignments that match\n \u003e \u003e scope.system\u003dall AND role.id\u003da8cd98f2e98d4135b2fa83950d6171ec are\n \u003e \u003e returned\n \u003e \u003e - actual behavior: any role assignment that matches\n \u003e \u003e scope.system\u003dall OR role.id\u003da8cd98f2e98d4135b2fa83950d6171ec are\n \u003e \u003e returned - that is more role assignments than is expected, and it\n \u003e \u003e is a security issue because in theory it exposes assignments that\n \u003e \u003e the user may not be allowed to see.\n \u003e \u003e\n \u003e \u003e This has nothing to do with implied roles, and it is certainly\n \u003e not\n \u003e \u003e about *adding* assignments to the returned results, if anything\n \u003e it\n \u003e \u003e is about *reducing* the assignments returned *when this filter is\n \u003e \u003e applied*.\n \u003e \n \u003e Hi Colleen. Thanks for the comment. I understood the above part but\n \u003e as per the bug description in paragraph \"If I ask keystone......it\n \u003e only has reader\" it seems like it is expecting to list all the\n \u003e roles having a \"member\" role. Please correct me If I misunderstood\n \u003e and then I can update accordingly.\n\nThe \"it\" in \"it only has reader\" refers to the group \"system-admins\" in the example, which does not have the \"member\" role assignment, so it is wrong to include it in the filtered list.","accounts_in_message":[],"_revision_number":5},{"id":"f8b25ad32df40c34c11d0669cc47cdc2a950ed7f","author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"date":"2020-07-07 15:34:36.000000000","message":"Patch Set 5:\n\n\u003e \u003e \u003e Vishakha, this is nearly the opposite of what needs to be\n \u003e solved\n \u003e \u003e in\n \u003e \u003e \u003e this bug.\n \u003e \u003e \u003e\n \u003e \u003e \u003e The current situation is:\n \u003e \u003e \u003e - you add a filter like scope.system\u003dall\u0026role.id\u003da8cd98f2e98d4135b2fa83950d6171ec\n \u003e \u003e \u003e to the role assignments query\n \u003e \u003e \u003e - expected behavior: only role assignments that match\n \u003e \u003e \u003e scope.system\u003dall AND role.id\u003da8cd98f2e98d4135b2fa83950d6171ec\n \u003e are\n \u003e \u003e \u003e returned\n \u003e \u003e \u003e - actual behavior: any role assignment that matches\n \u003e \u003e \u003e scope.system\u003dall OR role.id\u003da8cd98f2e98d4135b2fa83950d6171ec\n \u003e are\n \u003e \u003e \u003e returned - that is more role assignments than is expected, and\n \u003e it\n \u003e \u003e \u003e is a security issue because in theory it exposes assignments\n \u003e that\n \u003e \u003e \u003e the user may not be allowed to see.\n \u003e \u003e \u003e\n \u003e \u003e \u003e This has nothing to do with implied roles, and it is certainly\n \u003e \u003e not\n \u003e \u003e \u003e about *adding* assignments to the returned results, if anything\n \u003e \u003e it\n \u003e \u003e \u003e is about *reducing* the assignments returned *when this filter\n \u003e is\n \u003e \u003e \u003e applied*.\n \u003e \u003e\n \u003e \u003e Hi Colleen. Thanks for the comment. I understood the above part\n \u003e but\n \u003e \u003e as per the bug description in paragraph \"If I ask\n \u003e keystone......it\n \u003e \u003e only has reader\" it seems like it is expecting to list all the\n \u003e \u003e roles having a \"member\" role. Please correct me If I\n \u003e misunderstood\n \u003e \u003e and then I can update accordingly.\n \u003e \n \u003e The \"it\" in \"it only has reader\" refers to the group\n \u003e \"system-admins\" in the example, which does not have the \"member\"\n \u003e role assignment, so it is wrong to include it in the filtered list.\n\nHi Colleen. I applied my patch and got the following output with no \u0027reader\u0027 in it [1]. I am still confused about the expected output. \"openstack role assignment list --system all --role member\" in [1] isn\u0027t showing the expected output?\n\n[1]http://paste.openstack.org/show/795625/","accounts_in_message":[],"_revision_number":5},{"id":"d4852374e8db16747dc027acfbc1fa29f082f1c6","author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"date":"2020-07-07 17:17:11.000000000","message":"Patch Set 5: -Code-Review\n\n\u003e \n \u003e Hi Colleen. I applied my patch and got the following output with no\n \u003e \u0027reader\u0027 in it [1]. I am still confused about the expected output.\n \u003e \"openstack role assignment list --system all --role member\" in [1]\n \u003e isn\u0027t showing the expected output?\n \u003e \n \u003e [1]http://paste.openstack.org/show/795625/\n\nThat looks like the correct output, reader should not be there. So maybe I misunderstood your commit message and release note. I will have a closer look.","accounts_in_message":[],"_revision_number":5},{"id":"bfb020a47ac95447f205b880b34084fe191ac577","author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"date":"2020-07-07 18:12:45.000000000","message":"Patch Set 5:\n\nHere is what I get without any patches applied: http://paste.openstack.org/show/795641/\n\nSo, it seems like the original problem, which is that the \u0027system_reader\u0027 user would have been incorrectly included in that output, has gone away already. There is an unexpected difference which is that \u0027admin\u0027 and \u0027system_admin\u0027 are not included. That\u0027s not the intent of this bug. I\u0027m not sure when or why the implied roles stopped being included with this filter or if changing that is related to the original problem that Lance reported.","accounts_in_message":[],"_revision_number":5},{"id":"bbe7d211668fc21d7d3a0bd2d94fb5133aa03baa","author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"date":"2020-07-10 14:13:10.000000000","message":"Patch Set 5:\n\n\u003e Here is what I get without any patches applied: http://paste.openstack.org/show/795641/\n \u003e \n \u003e So, it seems like the original problem, which is that the\n \u003e \u0027system_reader\u0027 user would have been incorrectly included in that\n \u003e output, has gone away already. There is an unexpected difference\n \u003e which is that \u0027admin\u0027 and \u0027system_admin\u0027 are not included. That\u0027s\n \u003e not the intent of this bug. I\u0027m not sure when or why the implied\n \u003e roles stopped being included with this filter or if changing that\n \u003e is related to the original problem that Lance reported.\n\nI looked in to history of change in file keystone/assignment/core.py after the bug was reported, and there was this single change [1], due to which only those role assignments are listed which matches to the filter role. Also when looking into the original code [2], it doesn\u0027t seems like implied roles were taken into consideration. After testing [2], I got the output [3], in which admin is missing. \n\nI am also not sure of how all the three roles are listed in the bug when doing\n$ openstack role assignment list --names --system all --role member \nSince I am getting different output.\n\n[1]https://review.opendev.org/#/c/700826\n[2]https://review.opendev.org/#/c/544012/5/keystone/assignment/core.py\n[3]http://paste.openstack.org/show/795761/","accounts_in_message":[],"_revision_number":5},{"id":"5024521d4f471f75a6233bdd44a05d787b49a19c","tag":"autogenerated:gerrit:abandon","author":{"_account_id":21420,"name":"Gage Hugo","email":"gagehugo@gmail.com","username":"ghugo"},"date":"2022-01-21 21:00:25.000000000","message":"Abandoned\n\nAbandoning since there hasn\u0027t been any recent activity, if anyone wants to continue this work, please feel free to restore this or create a new change.","accounts_in_message":[],"_revision_number":5}],"current_revision_number":5,"current_revision":"8fab9542d0a7717b6264c5d11045abcad722956b","revisions":{"bc773ce544ba1b002f5011c610867f936c3441cf":{"kind":"REWORK","_number":1,"created":"2020-06-26 11:25:00.000000000","uploader":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"ref":"refs/changes/90/738190/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/90/738190/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/90/738190/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/90/738190/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/90/738190/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/90/738190/1"}}},"commit":{"parents":[{"commit":"e3bd1d747d2002a5cbd3b56cce6e95c83c22abe4","subject":"Merge \"New config option \u0027user_limit\u0027 in credentials\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/e3bd1d747d2002a5cbd3b56cce6e95c83c22abe4"}]}],"author":{"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","date":"2020-06-26 11:21:52.000000000","tz":330},"committer":{"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","date":"2020-06-26 11:21:52.000000000","tz":330},"subject":"[WIP] Not exposing unnecessary role assignments by v3/role_assignments","message":"[WIP] Not exposing unnecessary role assignments by v3/role_assignments\n\nChange-Id: Iff43e584fd57eb33d721c2d42c7b5520a5351245\nCloses-Bug: #1846817\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/bc773ce544ba1b002f5011c610867f936c3441cf"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/bc773ce544ba1b002f5011c610867f936c3441cf"}]},"branch":"refs/heads/master"},"98e14da81d0770573701c9a58177faf0d83f1099":{"kind":"REWORK","_number":2,"created":"2020-06-29 12:21:29.000000000","uploader":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"ref":"refs/changes/90/738190/2","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/90/738190/2","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/90/738190/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/90/738190/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/90/738190/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/90/738190/2"}}},"commit":{"parents":[{"commit":"e3bd1d747d2002a5cbd3b56cce6e95c83c22abe4","subject":"Merge \"New config option \u0027user_limit\u0027 in credentials\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/e3bd1d747d2002a5cbd3b56cce6e95c83c22abe4"}]}],"author":{"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","date":"2020-06-26 11:21:52.000000000","tz":330},"committer":{"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","date":"2020-06-29 12:21:23.000000000","tz":330},"subject":"[WIP] Not exposing unnecessary role assignments by v3/role_assignments","message":"[WIP] Not exposing unnecessary role assignments by v3/role_assignments\n\nChange-Id: Iff43e584fd57eb33d721c2d42c7b5520a5351245\nCloses-Bug: #1846817\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/98e14da81d0770573701c9a58177faf0d83f1099"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/98e14da81d0770573701c9a58177faf0d83f1099"}]},"branch":"refs/heads/master"},"16d2b8d0e7e2e38a7bd6a53fa8abff8aaa766907":{"kind":"REWORK","_number":3,"created":"2020-06-30 11:36:48.000000000","uploader":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"ref":"refs/changes/90/738190/3","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/90/738190/3","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/90/738190/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/90/738190/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/90/738190/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/90/738190/3"}}},"commit":{"parents":[{"commit":"e3bd1d747d2002a5cbd3b56cce6e95c83c22abe4","subject":"Merge \"New config option \u0027user_limit\u0027 in credentials\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/e3bd1d747d2002a5cbd3b56cce6e95c83c22abe4"}]}],"author":{"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","date":"2020-06-26 11:21:52.000000000","tz":330},"committer":{"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","date":"2020-06-30 11:33:48.000000000","tz":330},"subject":"Not exposing unnecessary role assignments by v3/role_assignments","message":"Not exposing unnecessary role assignments by v3/role_assignments\n\nAs per the implied role, admin is implied to have member as well\nas reader role. Thus for reader role for system user, keystone\nshould list the admin, member, role assignments for the user too.\nSame for member role for system user, the admin role assignments\nshould also be listed.\n\nThis fixes the filtering of list of system role assignments if\nrole_id is passed for system user.\n\nChange-Id: Iff43e584fd57eb33d721c2d42c7b5520a5351245\nCloses-Bug: #1846817\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/16d2b8d0e7e2e38a7bd6a53fa8abff8aaa766907"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/16d2b8d0e7e2e38a7bd6a53fa8abff8aaa766907"}]},"branch":"refs/heads/master"},"3d9b157497ea9e82a03c8cfe68fa0555e8fcef5f":{"kind":"REWORK","_number":4,"created":"2020-06-30 11:38:20.000000000","uploader":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"ref":"refs/changes/90/738190/4","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/90/738190/4","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/90/738190/4 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/90/738190/4 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/90/738190/4 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/90/738190/4"}}},"commit":{"parents":[{"commit":"e3bd1d747d2002a5cbd3b56cce6e95c83c22abe4","subject":"Merge \"New config option \u0027user_limit\u0027 in credentials\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/e3bd1d747d2002a5cbd3b56cce6e95c83c22abe4"}]}],"author":{"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","date":"2020-06-26 11:21:52.000000000","tz":330},"committer":{"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","date":"2020-06-30 11:37:48.000000000","tz":330},"subject":"Not exposing unnecessary role assignments by v3/role_assignments","message":"Not exposing unnecessary role assignments by v3/role_assignments\n\nAs per the implied role, admin is implied to have member as well\nas reader role. Thus for reader role for system user, keystone\nshould list the admin, member, role assignments for the user too.\nSame for member role for system user, the admin role assignments\nshould also be listed.\n\nThis fixes the filtering of list of system role assignments if\nrole_id is passed for system user.\n\nChange-Id: Iff43e584fd57eb33d721c2d42c7b5520a5351245\nCloses-Bug: #1846817\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/3d9b157497ea9e82a03c8cfe68fa0555e8fcef5f"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/3d9b157497ea9e82a03c8cfe68fa0555e8fcef5f"}]},"branch":"refs/heads/master"},"8fab9542d0a7717b6264c5d11045abcad722956b":{"kind":"REWORK","_number":5,"created":"2020-07-02 14:39:29.000000000","uploader":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"ref":"refs/changes/90/738190/5","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/90/738190/5","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/90/738190/5 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/90/738190/5 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/90/738190/5 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/90/738190/5"}}},"commit":{"parents":[{"commit":"e3bd1d747d2002a5cbd3b56cce6e95c83c22abe4","subject":"Merge \"New config option \u0027user_limit\u0027 in credentials\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/e3bd1d747d2002a5cbd3b56cce6e95c83c22abe4"}]}],"author":{"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","date":"2020-06-26 11:21:52.000000000","tz":330},"committer":{"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","date":"2020-07-02 14:38:56.000000000","tz":330},"subject":"Not exposing unnecessary role assignments by v3/role_assignments","message":"Not exposing unnecessary role assignments by v3/role_assignments\n\nAs per the implied role, admin is implied to have member as well\nas reader role. Thus for reader role for system user, keystone\nshould list the admin, member, role assignments for the user too.\nSame for member role for system user, the admin role assignments\nshould also be listed.\n\nThis fixes the filtering of list of system role assignments if\nrole_id is passed for system user.\n\nChange-Id: Iff43e584fd57eb33d721c2d42c7b5520a5351245\nCloses-Bug: #1846817\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/8fab9542d0a7717b6264c5d11045abcad722956b"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/8fab9542d0a7717b6264c5d11045abcad722956b"}]},"branch":"refs/heads/master"}},"requirements":[],"submit_records":[],"submit_requirements":[]}