[Bug 1458994] [NEW] When logged in as a pure domain admin, cannot list users in a group
Public bug reported:
When using domain-scoped tokens and trying to add users to a group, keystone throws the error {u'error': {u'code': 403,
u'message': u'You are not authorized to perform the requested action: identity:list_users_in_group (Disable debug mode to suppress these details.)',
u'title': u'Forbidden'}}.
To reproduce this bug, you may use the following code:
import requests
import json
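def get_unscoped_token(username, password, domain, timeout=30):
    """Authenticate with a password and return an unscoped Keystone v3 token.

    Args:
        username: Name of the user, resolved within ``domain``.
        password: The user's password. It travels in the request body, so
            ``OS_AUTH_URL`` should be an https endpoint outside of a lab.
        domain: Name of the domain the user belongs to.
        timeout: Seconds to wait for the HTTP round trip; the original call
            had no timeout and could hang forever on an unresponsive server.

    Returns:
        The token id taken from the ``X-Subject-Token`` response header.

    Raises:
        requests.HTTPError: if Keystone rejects the login (e.g. 401). Without
            this check a failed login surfaced as an opaque ``KeyError`` on
            the missing header.
        requests.Timeout: if no response arrives within ``timeout`` seconds.
    """
    headers = {'Content-Type': 'application/json'}
    payload = {
        'auth': {
            'identity': {
                'methods': ['password'],
                'password': {
                    'user': {
                        'name': username,
                        'password': password,
                        'domain': {'name': domain},
                    }
                },
            }
        }
    }
    # OS_AUTH_URL is not defined in this snippet; it is expected to come from
    # the caller's environment setup.
    r = requests.post(OS_AUTH_URL, data=json.dumps(payload), headers=headers,
                      timeout=timeout)
    r.raise_for_status()
    return r.headers['X-Subject-Token']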
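def get_token_scoped_to_domain(unscoped_token, domain, timeout=30):
    """Exchange an unscoped token for one scoped to ``domain``.

    Args:
        unscoped_token: Token id obtained from ``get_unscoped_token``.
        domain: Name of the domain the new token should be scoped to.
        timeout: Seconds to wait for the HTTP round trip; the original call
            had no timeout.

    Returns:
        The domain-scoped token id from the ``X-Subject-Token`` header.

    Raises:
        requests.HTTPError: if Keystone refuses the scope change; previously
            this showed up only as a ``KeyError`` on the missing header.
        requests.Timeout: if no response arrives within ``timeout`` seconds.
    """
    headers = {'Content-Type': 'application/json'}
    payload = {
        "auth": {
            "scope": {"domain": {"name": domain}},
            "identity": {
                "methods": ["token"],
                "token": {"id": unscoped_token},
            },
        }
    }
    # OS_AUTH_URL comes from the caller's environment; it is not set here.
    r = requests.post(OS_AUTH_URL, data=json.dumps(payload), headers=headers,
                      timeout=timeout)
    r.raise_for_status()
    return r.headers['X-Subject-Token']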
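def get_token_scoped_to_project(unscoped_token, project, timeout=30):
    """Exchange an unscoped token for one scoped to ``project``.

    Not used by the repro driver below; kept for parity with
    ``get_token_scoped_to_domain``.

    Args:
        unscoped_token: Token id obtained from ``get_unscoped_token``.
        project: Name of the project the new token should be scoped to.
        timeout: Seconds to wait for the HTTP round trip; the original call
            had no timeout.

    Returns:
        The project-scoped token id from the ``X-Subject-Token`` header.

    Raises:
        requests.HTTPError: if Keystone refuses the scope change; previously
            this showed up only as a ``KeyError`` on the missing header.
        requests.Timeout: if no response arrives within ``timeout`` seconds.
    """
    headers = {'Content-Type': 'application/json'}
    payload = {
        "auth": {
            "scope": {"project": {"name": project}},
            "identity": {
                "methods": ["token"],
                "token": {"id": unscoped_token},
            },
        }
    }
    # OS_AUTH_URL comes from the caller's environment; it is not set here.
    r = requests.post(OS_AUTH_URL, data=json.dumps(payload), headers=headers,
                      timeout=timeout)
    r.raise_for_status()
    return r.headers['X-Subject-Token']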
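def list_domains(token, base_url="http://192.168.27.100:35357", timeout=30):
    """Return all domains visible to ``token`` via ``GET /v3/domains``.

    Args:
        token: Token id sent in ``X-Auth-Token``.
        base_url: Keystone endpoint; defaults to the lab address hard-coded in
            the original (the 35357 admin port). Plain http means the token
            crosses the wire unencrypted, acceptable only in a lab.
        timeout: Seconds to wait for the HTTP round trip.

    Returns:
        The ``domains`` list from the JSON response.

    Raises:
        requests.HTTPError: on a non-2xx reply. Without this the 403 body
            has no ``domains`` key and the failure surfaced as ``KeyError``.
        requests.Timeout: if no response arrives within ``timeout`` seconds.
    """
    headers = {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'X-Auth-Token': token,
    }
    r = requests.get(base_url + "/v3/domains", headers=headers,
                     timeout=timeout)
    r.raise_for_status()
    return r.json()["domains"]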
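def list_groups_for_domain(domain_id, token,
                           base_url="http://192.168.27.100:5000", timeout=30):
    """Return the groups in ``domain_id`` via ``GET /v3/groups?domain_id=``.

    Args:
        domain_id: Domain id used as the ``domain_id`` query filter. It is
            passed through ``params=`` so requests URL-encodes it rather
            than the original's raw ``%s`` interpolation into the query
            string.
        token: Token id sent in ``X-Auth-Token``.
        base_url: Keystone endpoint; defaults to the lab address from the
            original. Note this function talks to port 5000 while the
            sibling helpers use 35357.
        timeout: Seconds to wait for the HTTP round trip.

    Returns:
        The ``groups`` list from the JSON response.

    Raises:
        requests.HTTPError: on a non-2xx reply (previously a ``KeyError`` on
            the missing ``groups`` key).
        requests.Timeout: if no response arrives within ``timeout`` seconds.
    """
    # Accept header added for consistency with the other GET helpers.
    headers = {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'X-Auth-Token': token,
    }
    r = requests.get(base_url + "/v3/groups", headers=headers,
                     params={"domain_id": domain_id}, timeout=timeout)
    r.raise_for_status()
    return r.json()["groups"]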
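def get_domain_named(domain_name, token):
    """Return the domain record whose ``name`` equals ``domain_name``.

    Args:
        domain_name: Domain name to look up.
        token: Token id used for the ``/v3/domains`` listing. The original
            ignored this parameter and read the module-level ``domain_token``
            instead, so the lookup ran with whatever token was bound globally
            at call time.

    Returns:
        The matching domain dict as returned by Keystone.

    Raises:
        LookupError: if no domain has that name, instead of a bare
            ``StopIteration`` escaping from ``next``.
    """
    domains = list_domains(token)
    match = next((d for d in domains if d.get("name") == domain_name), None)
    if match is None:
        raise LookupError("no domain named %r" % (domain_name,))
    return match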
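def get_group_named_in_domain(group_name, domain_id, token):
    """Return the group in ``domain_id`` whose ``name`` equals ``group_name``.

    Args:
        group_name: Group name to look up.
        domain_id: Id of the domain whose groups are listed.
        token: Token id used for the ``/v3/groups`` listing.

    Returns:
        The matching group dict as returned by Keystone.

    Raises:
        LookupError: if no group has that name, instead of a bare
            ``StopIteration`` escaping from ``next``.
    """
    groups = list_groups_for_domain(domain_id, token)
    match = next((g for g in groups if g.get("name") == group_name), None)
    if match is None:
        raise LookupError("no group named %r in domain %r"
                          % (group_name, domain_id))
    return match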
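def get_users_in_group_in_domain(group_id, domain_id, token,
                                 base_url="http://192.168.27.100:35357",
                                 timeout=30):
    """Return the raw JSON of ``GET /v3/groups/{group_id}/users``.

    This is the call that the bug report says returns 403
    ``identity:list_users_in_group`` for a domain-scoped token.

    Args:
        group_id: Id of the group, interpolated into the URL path.
        domain_id: Sent as the ``domain_id`` query parameter, URL-encoded via
            ``params=`` rather than raw string interpolation.
        token: Token id sent in ``X-Auth-Token``.
        base_url: Keystone endpoint; defaults to the lab admin port from the
            original.
        timeout: Seconds to wait for the HTTP round trip.

    Returns:
        The decoded JSON body. On success this is the member listing; on the
        reported 403 it is the error document, which is why no key is
        indexed here.

    Raises:
        requests.Timeout: if no response arrives within ``timeout`` seconds.
    """
    headers = {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'X-Auth-Token': token,
    }
    # No raise_for_status() here: the repro relies on seeing the 403 error
    # body that Keystone returns.
    r = requests.get(base_url + "/v3/groups/%s/users" % group_id,
                     headers=headers, params={"domain_id": domain_id},
                     timeout=timeout)
    return r.json()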
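# --- Repro driver -----------------------------------------------------------
# OS_USERNAME / OS_PASSWORD / OS_AUTH_URL are not defined in this snippet;
# they are expected from the caller's environment setup.

# Step 1: as the cloud admin scoped to the "default" domain, resolve the
# target domain's id.
unscoped_token = get_unscoped_token(OS_USERNAME, OS_PASSWORD, "default")
domain_token = get_token_scoped_to_domain(unscoped_token, "default")
nintendo_domain = get_domain_named("nintendo", domain_token)
nintendo_domain_id = nintendo_domain.get("id")

# nintendo domain operations
# Step 2: re-authenticate as the pure domain admin and scope the token to
# that domain; every call from here on uses this token. The inline
# credentials are throwaway lab values from the bug report.
unscoped_token = get_unscoped_token("mario", "pass", "nintendo")
domain_token = get_token_scoped_to_domain(unscoped_token, "nintendo")

# The original issued this listing twice back to back; the duplicate request
# is dropped. Per the reported error the group listing is not what fails.
list_groups_for_domain(nintendo_domain_id, domain_token)
mygroup = get_group_named_in_domain("mygroup", nintendo_domain_id,
                                    domain_token)

# Listing the group's members is the call reported to return 403
# identity:list_users_in_group with the domain-scoped token.
get_users_in_group_in_domain(mygroup.get("id"), nintendo_domain_id,
                             domain_token)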
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1458994
Title:
When logged in as a pure domain admin, cannot list users in a group
Status in OpenStack Identity (Keystone):
New
Bug description:
When using domain-scoped tokens and trying to add users to a group, keystone throws the error {u'error': {u'code': 403,
u'message': u'You are not authorized to perform the requested action: identity:list_users_in_group (Disable debug mode to suppress these details.)',
u'title': u'Forbidden'}}.
To reproduce this bug, you may use the following code:
import requests
import json
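def get_unscoped_token(username, password, domain, timeout=30):
    """Authenticate with a password and return an unscoped Keystone v3 token.

    Args:
        username: Name of the user, resolved within ``domain``.
        password: The user's password. It travels in the request body, so
            ``OS_AUTH_URL`` should be an https endpoint outside of a lab.
        domain: Name of the domain the user belongs to.
        timeout: Seconds to wait for the HTTP round trip; the original call
            had no timeout and could hang forever on an unresponsive server.

    Returns:
        The token id taken from the ``X-Subject-Token`` response header.

    Raises:
        requests.HTTPError: if Keystone rejects the login (e.g. 401). Without
            this check a failed login surfaced as an opaque ``KeyError`` on
            the missing header.
        requests.Timeout: if no response arrives within ``timeout`` seconds.
    """
    headers = {'Content-Type': 'application/json'}
    payload = {
        'auth': {
            'identity': {
                'methods': ['password'],
                'password': {
                    'user': {
                        'name': username,
                        'password': password,
                        'domain': {'name': domain},
                    }
                },
            }
        }
    }
    # OS_AUTH_URL is not defined in this snippet; it is expected to come from
    # the caller's environment setup.
    r = requests.post(OS_AUTH_URL, data=json.dumps(payload), headers=headers,
                      timeout=timeout)
    r.raise_for_status()
    return r.headers['X-Subject-Token']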
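def get_token_scoped_to_domain(unscoped_token, domain, timeout=30):
    """Exchange an unscoped token for one scoped to ``domain``.

    Args:
        unscoped_token: Token id obtained from ``get_unscoped_token``.
        domain: Name of the domain the new token should be scoped to.
        timeout: Seconds to wait for the HTTP round trip; the original call
            had no timeout.

    Returns:
        The domain-scoped token id from the ``X-Subject-Token`` header.

    Raises:
        requests.HTTPError: if Keystone refuses the scope change; previously
            this showed up only as a ``KeyError`` on the missing header.
        requests.Timeout: if no response arrives within ``timeout`` seconds.
    """
    headers = {'Content-Type': 'application/json'}
    payload = {
        "auth": {
            "scope": {"domain": {"name": domain}},
            "identity": {
                "methods": ["token"],
                "token": {"id": unscoped_token},
            },
        }
    }
    # OS_AUTH_URL comes from the caller's environment; it is not set here.
    r = requests.post(OS_AUTH_URL, data=json.dumps(payload), headers=headers,
                      timeout=timeout)
    r.raise_for_status()
    return r.headers['X-Subject-Token']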
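def get_token_scoped_to_project(unscoped_token, project, timeout=30):
    """Exchange an unscoped token for one scoped to ``project``.

    Not used by the repro driver below; kept for parity with
    ``get_token_scoped_to_domain``.

    Args:
        unscoped_token: Token id obtained from ``get_unscoped_token``.
        project: Name of the project the new token should be scoped to.
        timeout: Seconds to wait for the HTTP round trip; the original call
            had no timeout.

    Returns:
        The project-scoped token id from the ``X-Subject-Token`` header.

    Raises:
        requests.HTTPError: if Keystone refuses the scope change; previously
            this showed up only as a ``KeyError`` on the missing header.
        requests.Timeout: if no response arrives within ``timeout`` seconds.
    """
    headers = {'Content-Type': 'application/json'}
    payload = {
        "auth": {
            "scope": {"project": {"name": project}},
            "identity": {
                "methods": ["token"],
                "token": {"id": unscoped_token},
            },
        }
    }
    # OS_AUTH_URL comes from the caller's environment; it is not set here.
    r = requests.post(OS_AUTH_URL, data=json.dumps(payload), headers=headers,
                      timeout=timeout)
    r.raise_for_status()
    return r.headers['X-Subject-Token']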
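def list_domains(token, base_url="http://192.168.27.100:35357", timeout=30):
    """Return all domains visible to ``token`` via ``GET /v3/domains``.

    Args:
        token: Token id sent in ``X-Auth-Token``.
        base_url: Keystone endpoint; defaults to the lab address hard-coded in
            the original (the 35357 admin port). Plain http means the token
            crosses the wire unencrypted, acceptable only in a lab.
        timeout: Seconds to wait for the HTTP round trip.

    Returns:
        The ``domains`` list from the JSON response.

    Raises:
        requests.HTTPError: on a non-2xx reply. Without this the 403 body
            has no ``domains`` key and the failure surfaced as ``KeyError``.
        requests.Timeout: if no response arrives within ``timeout`` seconds.
    """
    headers = {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'X-Auth-Token': token,
    }
    r = requests.get(base_url + "/v3/domains", headers=headers,
                     timeout=timeout)
    r.raise_for_status()
    return r.json()["domains"]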
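def list_groups_for_domain(domain_id, token,
                           base_url="http://192.168.27.100:5000", timeout=30):
    """Return the groups in ``domain_id`` via ``GET /v3/groups?domain_id=``.

    Args:
        domain_id: Domain id used as the ``domain_id`` query filter. It is
            passed through ``params=`` so requests URL-encodes it rather
            than the original's raw ``%s`` interpolation into the query
            string.
        token: Token id sent in ``X-Auth-Token``.
        base_url: Keystone endpoint; defaults to the lab address from the
            original. Note this function talks to port 5000 while the
            sibling helpers use 35357.
        timeout: Seconds to wait for the HTTP round trip.

    Returns:
        The ``groups`` list from the JSON response.

    Raises:
        requests.HTTPError: on a non-2xx reply (previously a ``KeyError`` on
            the missing ``groups`` key).
        requests.Timeout: if no response arrives within ``timeout`` seconds.
    """
    # Accept header added for consistency with the other GET helpers.
    headers = {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'X-Auth-Token': token,
    }
    r = requests.get(base_url + "/v3/groups", headers=headers,
                     params={"domain_id": domain_id}, timeout=timeout)
    r.raise_for_status()
    return r.json()["groups"]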
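def get_domain_named(domain_name, token):
    """Return the domain record whose ``name`` equals ``domain_name``.

    Args:
        domain_name: Domain name to look up.
        token: Token id used for the ``/v3/domains`` listing. The original
            ignored this parameter and read the module-level ``domain_token``
            instead, so the lookup ran with whatever token was bound globally
            at call time.

    Returns:
        The matching domain dict as returned by Keystone.

    Raises:
        LookupError: if no domain has that name, instead of a bare
            ``StopIteration`` escaping from ``next``.
    """
    domains = list_domains(token)
    match = next((d for d in domains if d.get("name") == domain_name), None)
    if match is None:
        raise LookupError("no domain named %r" % (domain_name,))
    return match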
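def get_group_named_in_domain(group_name, domain_id, token):
    """Return the group in ``domain_id`` whose ``name`` equals ``group_name``.

    Args:
        group_name: Group name to look up.
        domain_id: Id of the domain whose groups are listed.
        token: Token id used for the ``/v3/groups`` listing.

    Returns:
        The matching group dict as returned by Keystone.

    Raises:
        LookupError: if no group has that name, instead of a bare
            ``StopIteration`` escaping from ``next``.
    """
    groups = list_groups_for_domain(domain_id, token)
    match = next((g for g in groups if g.get("name") == group_name), None)
    if match is None:
        raise LookupError("no group named %r in domain %r"
                          % (group_name, domain_id))
    return match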
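def get_users_in_group_in_domain(group_id, domain_id, token,
                                 base_url="http://192.168.27.100:35357",
                                 timeout=30):
    """Return the raw JSON of ``GET /v3/groups/{group_id}/users``.

    This is the call that the bug report says returns 403
    ``identity:list_users_in_group`` for a domain-scoped token.

    Args:
        group_id: Id of the group, interpolated into the URL path.
        domain_id: Sent as the ``domain_id`` query parameter, URL-encoded via
            ``params=`` rather than raw string interpolation.
        token: Token id sent in ``X-Auth-Token``.
        base_url: Keystone endpoint; defaults to the lab admin port from the
            original.
        timeout: Seconds to wait for the HTTP round trip.

    Returns:
        The decoded JSON body. On success this is the member listing; on the
        reported 403 it is the error document, which is why no key is
        indexed here.

    Raises:
        requests.Timeout: if no response arrives within ``timeout`` seconds.
    """
    headers = {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'X-Auth-Token': token,
    }
    # No raise_for_status() here: the repro relies on seeing the 403 error
    # body that Keystone returns.
    r = requests.get(base_url + "/v3/groups/%s/users" % group_id,
                     headers=headers, params={"domain_id": domain_id},
                     timeout=timeout)
    return r.json()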
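# --- Repro driver -----------------------------------------------------------
# OS_USERNAME / OS_PASSWORD / OS_AUTH_URL are not defined in this snippet;
# they are expected from the caller's environment setup.

# Step 1: as the cloud admin scoped to the "default" domain, resolve the
# target domain's id.
unscoped_token = get_unscoped_token(OS_USERNAME, OS_PASSWORD, "default")
domain_token = get_token_scoped_to_domain(unscoped_token, "default")
nintendo_domain = get_domain_named("nintendo", domain_token)
nintendo_domain_id = nintendo_domain.get("id")

# nintendo domain operations
# Step 2: re-authenticate as the pure domain admin and scope the token to
# that domain; every call from here on uses this token. The inline
# credentials are throwaway lab values from the bug report.
unscoped_token = get_unscoped_token("mario", "pass", "nintendo")
domain_token = get_token_scoped_to_domain(unscoped_token, "nintendo")

# The original issued this listing twice back to back; the duplicate request
# is dropped. Per the reported error the group listing is not what fails.
list_groups_for_domain(nintendo_domain_id, domain_token)
mygroup = get_group_named_in_domain("mygroup", nintendo_domain_id,
                                    domain_token)

# Listing the group's members is the call reported to return 403
# identity:list_users_in_group with the domain-scoped token.
get_users_in_group_in_domain(mygroup.get("id"), nintendo_domain_id,
                             domain_token)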
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1458994/+subscriptions