yahoo-eng-team team mailing list archive
Message #07771
[Bug 1264325] [NEW] API v3 - Unable to perform scope independent operations with unscoped token
Public bug reported:
When getting an unscoped token, by authenticating against Keystone
without a scope, one should be able to perform scope independent
operations (when allowed to do so). For instance, an administrator
should be able to manage domains, roles and possibly users, without
needing to specify a scope.
Unscoped tokens are currently not very useful, since they don't allow
any such operation.
$ curl -s -i http://localhost:5000/v3/auth/tokens \
    -H "Content-Type: application/json" \
    -d '{
      "auth": {
        "identity": {
          "methods": ["password"],
          "password": {
            "user": {
              "domain": {"name": "Default"},
              "name": "admin",
              "password": "YourPasswordHere"
            }
          }
        }
      }
    }' | grep ^X-Subject-Token
X-Subject-Token: b8c1cd2065ce4df39cbcb6e6111f9dba
$
$ curl -s -H "X-Auth-Token: b8c1cd2065ce4df39cbcb6e6111f9dba" \
    http://localhost:5000/v3/domains | python -m json.tool
{
    "error": {
        "code": 403,
        "message": "You are not authorized to perform the requested action, identity:list_domains.",
        "title": "Forbidden"
    }
}
$
$ curl -s -H "X-Auth-Token: b8c1cd2065ce4df39cbcb6e6111f9dba" \
    http://localhost:5000/v3/roles | python -m json.tool
{
    "error": {
        "code": 403,
        "message": "You are not authorized to perform the requested action, identity:list_roles.",
        "title": "Forbidden"
    }
}
$
$ curl -s -H "X-Auth-Token: b8c1cd2065ce4df39cbcb6e6111f9dba" \
    http://localhost:5000/v3/users | python -m json.tool
{
    "error": {
        "code": 403,
        "message": "You are not authorized to perform the requested action, identity:list_users.",
        "title": "Forbidden"
    }
}
$
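An added example, not part of the bug report or of Keystone itself, showing why the requests above come back 403: the roles a v3 token carries depend on its scope, so a policy rule such as `role:admin` has nothing to match in an unscoped token. The token bodies are constructed and the `admin_required` / `identity:list_*` policy strings are assumed, modelled on Keystone's default policy.json rather than copied from any deployment.

```python
import json
import re
# Constructed token bodies, abridged to the shape Keystone v3 returns from
# POST /v3/auth/tokens: only a scoped token carries a "roles" list.
UNSCOPED_TOKEN = {"token": {"methods": ["password"],
                            "user": {"name": "admin", "domain": {"name": "Default"}}}}
PROJECT_SCOPED_TOKEN = {"token": {"methods": ["password"],
                                  "user": {"name": "admin", "domain": {"name": "Default"}},
                                  "project": {"name": "admin"},
                                  "roles": [{"name": "admin"}]}}

# Assumed reproduction of the relevant default policy.json rules (not taken from
# the report); only "or"-joined rule:/role:/is_admin: atoms are modelled.
POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "identity:list_domains": "rule:admin_required",
    "identity:list_roles": "rule:admin_required",
    "identity:list_users": "rule:admin_required",
}

def token_scope(token_body):
    """Classify a v3 token body as 'project', 'domain' or 'unscoped'."""
    tok = token_body["token"]
    if "project" in tok:
        return "project"
    return "domain" if "domain" in tok else "unscoped"

def check_rule(rule, creds):
    """Evaluate a minimal policy expression against the caller's credentials."""
    for atom in rule.split(" or "):
        kind, _, value = atom.partition(":")
        if kind == "rule" and check_rule(POLICY[value], creds):
            return True
        if kind == "role" and value in creds["roles"]:
            return True
        if kind == "is_admin" and str(creds.get("is_admin")) == value:
            return True
    return False

def authorize(target, token_body):
    """True when the token's roles satisfy the target; False is the 403 above."""
    roles = [r["name"] for r in token_body["token"].get("roles", [])]
    return check_rule(POLICY[target], {"roles": roles})

def denied_target(error_body):
    """Extract the policy target named in a Keystone 403 error body."""
    msg = json.loads(error_body)["error"]["message"]
    m = re.search(r"requested action, ([^\s.]+)", msg)
    return m.group(1) if m else None
```

Running `authorize("identity:list_domains", ...)` against the two tokens shows the same user passing with the project-scoped token and failing with the unscoped one, which is the behaviour the report describes.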
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1264325
Title:
API v3 - Unable to perform scope independent operations with unscoped token
Status in OpenStack Identity (Keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1264325/+subscriptions