yahoo-eng-team team mailing list archive

[Bug 1433402] [NEW] list users in group unauthorised with v3 policy

 

Public bug reported:

Two identity APIs have an unauthorised issue with the v3 policy. They are
list_users_in_group and list_groups_for_user:

The domain admin should have permission to call these two APIs, but the
calls failed.

Repro steps:
* Use the v3 policy as config
1. Create a domain
2. Create admin user 'userA' under the domain (assign the admin role to the user with domain scope)
3. Create a normal domain user 'userB' (with domain admin userA's token)
4. Create a normal domain group 'groupB' (with domain admin userA's token)
5. Add userB as a member of groupB (with domain admin userA's token)
6. list_users_in_group with groupB's id as param (with domain admin userA's token): unauthorized
7. list_groups_for_user with userB's id as param (with domain admin userA's token): unauthorized

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: policy

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1433402

Title:
  list users in group unauthorised with v3 policy

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1433402/+subscriptions
