Revoking "admin" role from a group invalidates domain admin's token

According to your steps, you grant a group role, as you said, domain admin won't be part of this group, so the behavior is correct. If you want to domain admin still with this role, you should grant the role for user and not just for group.

When domain admin is NOT part of the group, why his token should get invalidated when he revokes a role from the group?

I am reopening this issue so that someone can have a second look at the problem?

This is either a legitimate bug, or there's an unfortunate technical limitation requiring keystone to revoke more tokens than strictly necessary in the name of performance vs security.

Here is what I've done to try and recreate this bug.

1.) Get a token scoped to the default domain with my admin user
2.) Create a new group under the default domain
3.) Create a new project under the default domain
4.) Assign the new group the admin role on the new project
5.) Confirm that the token from step 1 is still valid using the validate token API
6.) Remove the admin role from new group on the new project
7.) Confirm that the token from step 1 is still valid using the validate token API

I was able to successfully validate the token from step 1 in both steps 5 and 7.

Niranjana, is there anything different about how I've set things up or recreated the bug compared to what you have locally?

FWIW - I am using keystone as of 5f7377f5abaf46e491d9c580ec59547cd8478aa3.

Please feel free to reopen the bug if there is additional information for the report.

Lance, it was not Project role assignment but Domain role assignment to a Group. Here the updated steps with REST commands.

1.) Get a token scoped to the default domain with my admin user
2.) Create a new group under the default domain (POST /v3/groups)
3.) Assign admin role to this group on domain ( PUT /v3/domains/default/groups/{group_id}/roles/{admin_role_id} )
4.) Revoke admin role from this group ( DELETE /v3/domains/default/groups/{group_id}/roles{admin_role_id}
5.) Now token generated in Step 1 will be invalid.

When a role is revoked on a group at the domain level we are aggressive and revoke all tokens that match the domain and role. In your case, the domain and role you are revoking (default + admin) are the same ones you are using to auth! Note that this only happens with groups, and if you decided to give the group a role that you are not using, then this wouldn't happen.

I believe the intention here was for (as Dolph said in comment #4) security vs performance.

See the code here: https://github.com/openstack/keystone/blob/94e83aff172feee3874604ab1a92d4038be4965f/keystone/assignment/core.py#L380-L402

This bug doesn't seem like something that can be routinely hit in practice. I'd rather not decrease security in this specific case, since the only workaround I can think of would be to revoke tokens that match all 3 criteria (domain + group + role)

I am going to agree with stevemar here. We can match all three criteria. I'm marking this as wishlist.

I think the changes are already done. I would request the bug reporter to close it.

https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L356

Thanks

Agreed, this looks like this was fixed in https://review.openstack.org/440281 , please reopen if you disagree