
yahoo-eng-team team mailing list archive

[Bug 1443104] [NEW] Owners logout from Horizon are not allowed to delete token with v2 API.


Public bug reported:

Delete token by owner (Logout from Horizon) as follows:

curl -i -X DELETE \
  http://0.0.0.0:5000/v2.0/tokens/0c9d279867564955a98767b6493e8f30 \
  -H "User-Agent: python-keystoneclient" \
  -H "X-Auth-Token: d13e923d3424485b8edae3496b9905be"

This returns a "403 Forbidden" response, caused by the "admin_required" policy rule in assert_admin() for the API named "delete_token":
HTTP/1.1 403 Forbidden
Date: Sun, 12 Apr 2015 13:43:55 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_wsgi/3.4 Python/2.7.5
Vary: X-Auth-Token
x-openstack-request-id: req-f5097bcd-764d-4e72-8aee-0382df15bfbc
Content-Length: 186
Content-Type: application/json

{"error": {"message": "You are not authorized to perform the requested
action: identity:delete_token (Disable debug mode to suppress these
details.)", "code": 403, "title": "Forbidden"}}

Also, there will be an error message in horizon logs:

Could not delete token

The problem is mainly caused by the unreasonable admin-only rule: member users
who log out from Horizon are unable to delete their own tokens, resulting in
large numbers of redundant tokens.

In fact, it should be deletable by both the admin and the owner.
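To make the two rules concrete, here is a small Python model of the delete_token authorization decision. This is an added example, not Keystone's own policy engine or code: it models the "admin_required" rule that produces the 403 above, and an "admin or owner" rule that additionally lets a user delete a token they themselves own. The token store, token ids and user ids are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Token:
    """Minimal token record: just the fields the authorization decision needs."""
    id: str
    user_id: str
    roles: frozenset = field(default_factory=frozenset)


class Forbidden(Exception):
    """Raised where Keystone would answer 403 for identity:delete_token."""


def fresh_store():
    """Constructed token store (placeholder ids, not real token ids)."""
    tokens = [
        Token("tok-admin-0001", "user-admin", frozenset({"admin"})),
        Token("tok-alice-0001", "user-alice", frozenset({"member"})),
        Token("tok-alice-0002", "user-alice", frozenset({"member"})),
        Token("tok-bob-0001", "user-bob", frozenset({"member"})),
    ]
    return {t.id: t for t in tokens}


def admin_required(store, auth_token_id, target_token_id):
    """Rule behind the 403 in the report: only an admin may delete any token.

    The target token is ignored entirely, which is why an owner is refused."""
    caller = store.get(auth_token_id)
    return caller is not None and "admin" in caller.roles


def admin_or_owner(store, auth_token_id, target_token_id):
    """Rule the report asks for: admin, or the user who owns the target token."""
    caller = store.get(auth_token_id)
    if caller is None:
        return False
    if "admin" in caller.roles:
        return True
    target = store.get(target_token_id)
    # Compare user ids, not token ids: a user may hold several tokens
    # (e.g. one per Horizon session) and should be able to revoke any of them.
    return target is not None and target.user_id == caller.user_id


def delete_token(store, auth_token_id, target_token_id, rule=admin_or_owner):
    """Enforce `rule`, then remove the token; returns the remaining token count."""
    if not rule(store, auth_token_id, target_token_id):
        raise Forbidden("identity:delete_token")
    store.pop(target_token_id, None)
    return len(store)


if __name__ == "__main__":
    store = fresh_store()
    # Owner logging out under the admin-only rule: refused, as in the report.
    print(admin_required(store, "tok-alice-0001", "tok-alice-0001"))
    # Same request under the admin-or-owner rule: allowed, token removed.
    print(delete_token(store, "tok-alice-0001", "tok-alice-0001"))
```

The point of the owner branch is that it keys on the user id stored in the target token rather than on the caller's token id, so a user can revoke every session token they hold but none belonging to another user; the admin branch is unchanged, so existing administrative clean-up keeps working.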

** Affects: keystone
     Importance: Undecided
     Assignee: hongxiaolong (hongxiaolong-info)
         Status: New

** Changed in: keystone
     Assignee: (unassigned) => hongxiaolong (hongxiaolong-info)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1443104

