yahoo-eng-team team mailing list archive
Message #28484
[Bug 1421825] [NEW] Sample policy should allow user to validate and revoke own token
Public bug reported:
The sample policy doesn't allow a non-admin user to validate or revoke
their own token.
Steps to recreate:
0) Start with devstack
1) Get a token for a non-admin user
$ curl -i -H "Content-Type: application/json" -d '
{ "auth": {
"identity": {
"methods": ["password"],
"password": {
"user": {
"name": "demo",
"domain": { "id": "default" },
"password": "demopwd"
}
}
},
"scope": {
"project": {
"name": "demo",
"domain": { "id": "default" }
}
}
}
}' http://localhost:35357/v3/auth/tokens ; echo
$ TOKEN=e91bab6a52e44e39ba7ca63b04bb717b
2) Try to get the token using the token using v3:
$ curl -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://localhost:35357/v3/auth/tokens
{"error": {"message": "You are not authorized to perform the requested action: identity:validate_token (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}
3) Try to validate the token using the token using v3:
$ curl -I -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://localhost:35357/v3/auth/tokens
HTTP/1.1 403 Forbidden
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 185
Date: Fri, 13 Feb 2015 20:00:21 GMT
3) Try to get the token using the token using v2:
$ curl -H "X-Auth-Token: $TOKEN" http://localhost:35357/v2.0/tokens/$TOKEN
{"error": {"message": "You are not authorized to perform the requested action: identity:validate_token (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}
4) Try to validate the token using the token using v2:
$ curl -I -H "X-Auth-Token: $TOKEN" http://localhost:35357/v2.0/tokens/$TOKEN
HTTP/1.1 403 Forbidden
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 193
Date: Fri, 13 Feb 2015 20:11:49 GMT
5) Try to revoke the token using the token using v3:
$ curl -X DELETE -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://localhost:35357/v3/auth/tokens
{"error": {"message": "You are not authorized to perform the requested action: identity:revoke_token (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}
6) Try to revoke the token using the token using v2:
$ curl -X DELETE -H "X-Auth-Token: $TOKEN" http://localhost:35357/v2.0/tokens/$TOKEN
{"error": {"message": "You are not authorized to perform the requested action: admin_required (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}
** Affects: keystone
Importance: Undecided
Assignee: Brant Knudson (blk-u)
Status: New
** Changed in: keystone
Assignee: (unassigned) => Brant Knudson (blk-u)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1421825
Title:
Sample policy should allow user to validate and revoke own token
Status in OpenStack Identity (Keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1421825/+subscriptions
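The policy decisions behind the 403s in the report, as an added example that is not part of the bug report or of Keystone's own code: a minimal evaluator for the subset of oslo.policy rule syntax that Keystone's sample policy.json uses, run against two constructed policy fragments. SAMPLE_BEFORE mirrors the admin-only behaviour the report observes; SAMPLE_AFTER adds an owner rule (user_id of the caller must equal the user_id on the subject token). The fragments, rule names and credentials are illustrative assumptions, not the project's file.

```python
import re

# Constructed policy fragments (assumption, not Keystone's policy.json).
SAMPLE_BEFORE = {
    "admin_required": "role:admin",
    "identity:validate_token": "rule:admin_required",
    "identity:revoke_token": "rule:admin_required",
}
SAMPLE_AFTER = {
    "admin_required": "role:admin",
    "owner": "user_id:%(user_id)s",        # caller's user_id == subject token's user_id
    "admin_or_owner": "rule:admin_required or rule:owner",
    "identity:validate_token": "rule:admin_or_owner",
    "identity:revoke_token": "rule:admin_or_owner",
}


def check(rule, policy, creds, target, depth=0):
    """Evaluate one rule string against the caller's credentials (taken from
    X-Auth-Token) and the target (attributes of the X-Subject-Token).
    Supports only: 'a or b', 'rule:name', 'role:name', 'attr:%(target_key)s'."""
    if depth > 10:  # guard against self-referential rule chains
        raise RecursionError("rule nesting too deep: %r" % rule)
    if " or " in rule:
        return any(check(p.strip(), policy, creds, target, depth)
                   for p in rule.split(" or "))
    kind, _, value = rule.partition(":")
    if kind == "rule":
        # An undefined rule name evaluates to '!' (always deny), as oslo.policy does.
        return check(policy.get(value, "!"), policy, creds, target, depth + 1)
    if kind == "role":
        return value in creds.get("roles", [])
    m = re.fullmatch(r"%\((\w+)\)s", value)
    if m:  # generic 'attr:%(target_attr)s' comparison, e.g. user_id:%(user_id)s
        return creds.get(kind) is not None and creds.get(kind) == target.get(m.group(1))
    return False  # '!' and unrecognised checks deny


def enforce(action, policy, creds, target):
    """Return the HTTP status the identity API would answer with for this decision."""
    return 200 if check(policy[action], policy, creds, target) else 403


if __name__ == "__main__":
    demo = {"user_id": "demo-uid", "roles": ["Member"]}  # constructed non-admin caller
    own_token = {"user_id": "demo-uid"}                  # constructed subject token
    for name, policy in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, enforce("identity:validate_token", policy, demo, own_token),
              enforce("identity:revoke_token", policy, demo, own_token))
```

Note that the owner rule still denies a non-admin user acting on someone else's token, which is the property to verify before relaxing the sample policy.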