

[Bug 1458994] [NEW] When logged in as a pure domain admin, cannot list users in a group

 

Public bug reported:

When using domain-scoped tokens and trying to add users to a group, keystone throws the error {u'error': {u'code': 403,
  u'message': u'You are not authorized to perform the requested action: identity:list_users_in_group (Disable debug mode to suppress these details.)',
  u'title': u'Forbidden'}}.

To reproduce this bug you may use the following code:


import json
import os

import requests


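def get_unscoped_token(username, password, domain, auth_url=None):
    """Authenticate with a password and return an unscoped token id.

    Args:
        username: name of the user within ``domain``.
        password: the user's password; it is placed in the JSON request body.
        domain: name of the domain that owns the user.
        auth_url: Keystone v3 ``/auth/tokens`` endpoint. Defaults to the
            module-level ``OS_AUTH_URL`` so existing callers are unchanged.

    Returns:
        The token id carried in the ``X-Subject-Token`` response header.

    Raises:
        requests.HTTPError: when Keystone rejects the request (for example a
            401), instead of the bare ``KeyError`` that indexing a missing
            response header used to give.
    """
    if auth_url is None:
        auth_url = OS_AUTH_URL
    headers = {'Content-Type': 'application/json'}
    payload = {
        'auth': {
            'identity': {
                'methods': ['password'],
                'password': {
                    'user': {
                        'name': username,
                        'password': password,
                        'domain': {'name': domain},
                    }
                },
            }
        }
    }
    r = requests.post(auth_url, data=json.dumps(payload), headers=headers)
    # Fail with the server's status and message rather than a KeyError below.
    r.raise_for_status()
    return r.headers['X-Subject-Token']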

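def get_token_scoped_to_domain(unscoped_token, domain, auth_url=None):
    """Exchange an unscoped token for one scoped to the named domain.

    Args:
        unscoped_token: token id returned by ``get_unscoped_token``.
        domain: name of the domain to scope the new token to.
        auth_url: Keystone v3 ``/auth/tokens`` endpoint. Defaults to the
            module-level ``OS_AUTH_URL`` so existing callers are unchanged.

    Returns:
        The domain-scoped token id from the ``X-Subject-Token`` header.

    Raises:
        requests.HTTPError: when Keystone rejects the exchange, instead of the
            ``KeyError`` a missing response header would otherwise give.
    """
    if auth_url is None:
        auth_url = OS_AUTH_URL
    headers = {'Content-Type': 'application/json'}
    payload = {
        "auth": {
            "identity": {
                "methods": ["token"],
                "token": {"id": unscoped_token},
            },
            "scope": {"domain": {"name": domain}},
        }
    }
    r = requests.post(auth_url, data=json.dumps(payload), headers=headers)
    # Surface 401/403 with the server's message instead of a KeyError below.
    r.raise_for_status()
    return r.headers['X-Subject-Token']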

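def get_token_scoped_to_project(unscoped_token, project, auth_url=None):
    """Exchange an unscoped token for one scoped to the named project.

    Not used by the repro below, but kept with the same contract as
    ``get_token_scoped_to_domain``.

    Args:
        unscoped_token: token id returned by ``get_unscoped_token``.
        project: name of the project to scope the new token to.
        auth_url: Keystone v3 ``/auth/tokens`` endpoint. Defaults to the
            module-level ``OS_AUTH_URL`` so existing callers are unchanged.

    Returns:
        The project-scoped token id from the ``X-Subject-Token`` header.

    Raises:
        requests.HTTPError: when Keystone rejects the exchange, instead of the
            ``KeyError`` a missing response header would otherwise give.
    """
    if auth_url is None:
        auth_url = OS_AUTH_URL
    headers = {'Content-Type': 'application/json'}
    payload = {
        "auth": {
            "identity": {
                "methods": ["token"],
                "token": {"id": unscoped_token},
            },
            "scope": {"project": {"name": project}},
        }
    }
    r = requests.post(auth_url, data=json.dumps(payload), headers=headers)
    # Surface 401/403 with the server's message instead of a KeyError below.
    r.raise_for_status()
    return r.headers['X-Subject-Token']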

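def list_domains(token, base_url="http://192.168.27.100:35357"):
    """Return the domains visible to ``token`` (``GET /v3/domains``).

    Args:
        token: a Keystone token id, sent in the ``X-Auth-Token`` header.
        base_url: scheme, host and port of the Keystone endpoint. The default
            is the value that was hard-coded in the original; note it is plain
            ``http://``, so the token travels unencrypted to that host.

    Returns:
        The ``domains`` list from the JSON response body.

    Raises:
        requests.HTTPError: on a non-2xx response, rather than a ``KeyError``
            from indexing ``"domains"`` in an error body.
    """
    headers = {'Content-Type': 'application/json',
               'Accept': 'application/json',
               'X-Auth-Token': token}
    r = requests.get(base_url + "/v3/domains", headers=headers)
    r.raise_for_status()
    return r.json()["domains"]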


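def list_groups_for_domain(domain_id, token, base_url="http://192.168.27.100:5000"):
    """Return the groups of one domain (``GET /v3/groups?domain_id=...``).

    Args:
        domain_id: id of the domain whose groups are listed.
        token: a Keystone token id, sent in the ``X-Auth-Token`` header.
        base_url: scheme, host and port of the Keystone endpoint. The default
            keeps the original value. NOTE(review): it uses port 5000 while
            every other call in this script uses 35357 -- confirm which
            endpoint is intended.

    Returns:
        The ``groups`` list from the JSON response body.

    Raises:
        requests.HTTPError: on a non-2xx response, rather than a ``KeyError``
            from indexing ``"groups"`` in an error body.
    """
    headers = {'Content-Type': 'application/json',
               'X-Auth-Token': token}
    # params= URL-encodes the id instead of splicing it into the query string.
    r = requests.get(base_url + "/v3/groups",
                     params={"domain_id": domain_id},
                     headers=headers)
    r.raise_for_status()
    return r.json()["groups"]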

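def get_domain_named(domain_name, token):
    """Return the domain dict whose ``name`` equals ``domain_name``.

    Args:
        domain_name: the domain name to look for.
        token: token used for the ``/v3/domains`` listing. The original read
            the module-level ``domain_token`` instead of this parameter, which
            only worked because the caller happened to pass the same value.

    Returns:
        The matching domain dict as returned by ``list_domains``.

    Raises:
        LookupError: when no domain has that name (the original let
            ``StopIteration`` escape from ``next``).
    """
    domains = list_domains(token)
    match = next((d for d in domains if d.get("name") == domain_name), None)
    if match is None:
        raise LookupError("no domain named %r" % (domain_name,))
    return match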

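def get_group_named_in_domain(group_name, domain_id, token):
    """Return the group dict named ``group_name`` within domain ``domain_id``.

    Args:
        group_name: the group name to look for.
        domain_id: id of the domain whose groups are searched.
        token: token used for the ``/v3/groups`` listing.

    Returns:
        The matching group dict as returned by ``list_groups_for_domain``.

    Raises:
        LookupError: when no group in the domain has that name (the original
            let ``StopIteration`` escape from ``next``).
    """
    groups = list_groups_for_domain(domain_id, token)
    match = next((g for g in groups if g.get("name") == group_name), None)
    if match is None:
        raise LookupError("no group named %r in domain %s"
                          % (group_name, domain_id))
    return match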

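def get_users_in_group_in_domain(group_id, domain_id, token,
                                 base_url="http://192.168.27.100:35357"):
    """Call ``GET /v3/groups/{group_id}/users`` and return the decoded body.

    Unlike the other helpers this deliberately does not call
    ``raise_for_status()``: the point of the repro is to see the 403 body
    (``identity:list_users_in_group``) that Keystone returns for the
    domain-scoped token, so an error body is returned rather than raised.

    Args:
        group_id: id of the group; placed in the URL path.
        domain_id: passed through as a ``domain_id`` query parameter as the
            original did; whether the API honours it is not checked here.
        token: a Keystone token id, sent in the ``X-Auth-Token`` header.
        base_url: scheme, host and port of the Keystone endpoint (default is
            the original hard-coded value).

    Returns:
        The JSON response body, unchecked (the error dict quoted in the bug
        report when the call is denied).
    """
    headers = {'Content-Type': 'application/json',
               'Accept': 'application/json',
               'X-Auth-Token': token}
    url = base_url + ("/v3/groups/%s/users" % (group_id,))
    # params= URL-encodes the id instead of splicing it into the query string.
    r = requests.get(url, params={"domain_id": domain_id}, headers=headers)
    return r.json()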
    


    
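# Credentials and endpoint come from the usual openrc environment variables.
# The original referenced these names without defining them anywhere, which
# is a NameError as soon as the script is run outside a prepared session.
OS_USERNAME = os.environ["OS_USERNAME"]
OS_PASSWORD = os.environ["OS_PASSWORD"]
OS_AUTH_URL = os.environ["OS_AUTH_URL"]

# Step 1: as the user in the "default" domain, look up the target domain.
unscoped_token = get_unscoped_token(OS_USERNAME, OS_PASSWORD, "default")
domain_token = get_token_scoped_to_domain(unscoped_token, "default")
nintendo_domain = get_domain_named("nintendo", domain_token)

# Step 2: nintendo domain operations, with a token scoped to that domain.
unscoped_token = get_unscoped_token("mario", "pass", "nintendo")
domain_token = get_token_scoped_to_domain(unscoped_token, "nintendo")

# Listing the domain's groups is not the call the report says fails; the
# original issued this request twice and discarded both results, so it is
# made once here.
list_groups_for_domain(nintendo_domain.get("id"), domain_token)

mygroup = get_group_named_in_domain("mygroup", nintendo_domain.get("id"),
                                    domain_token)

# Listing the group's members is the call rejected with 403
# identity:list_users_in_group. The body is printed so the error is visible
# when this runs as a script rather than only in an interactive session.
result = get_users_in_group_in_domain(mygroup.get("id"),
                                      nintendo_domain.get("id"),
                                      domain_token)
print(json.dumps(result, indent=2))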

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1458994

Title:
  When logged in as a pure domain admin, cannot list users in a group

Status in OpenStack Identity (Keystone):
  New

Bug description:
  When using domain-scoped tokens and trying to add users to a group, keystone throws the error {u'error': {u'code': 403,
    u'message': u'You are not authorized to perform the requested action: identity:list_users_in_group (Disable debug mode to suppress these details.)',
    u'title': u'Forbidden'}}.

  To reproduce this bug you may use the following code:

  
  import requests
  import json


  
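  def get_unscoped_token(username, password, domain, auth_url=None):
      """Authenticate with a password and return an unscoped token id.

      Args:
          username: name of the user within ``domain``.
          password: the user's password; it is placed in the JSON request body.
          domain: name of the domain that owns the user.
          auth_url: Keystone v3 ``/auth/tokens`` endpoint. Defaults to the
              module-level ``OS_AUTH_URL`` so existing callers are unchanged.

      Returns:
          The token id carried in the ``X-Subject-Token`` response header.

      Raises:
          requests.HTTPError: when Keystone rejects the request (for example a
              401), instead of the bare ``KeyError`` that indexing a missing
              response header used to give.
      """
      if auth_url is None:
          auth_url = OS_AUTH_URL
      headers = {'Content-Type': 'application/json'}
      payload = {
          'auth': {
              'identity': {
                  'methods': ['password'],
                  'password': {
                      'user': {
                          'name': username,
                          'password': password,
                          'domain': {'name': domain},
                      }
                  },
              }
          }
      }
      r = requests.post(auth_url, data=json.dumps(payload), headers=headers)
      # Fail with the server's status and message rather than a KeyError below.
      r.raise_for_status()
      return r.headers['X-Subject-Token']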

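  def get_token_scoped_to_domain(unscoped_token, domain, auth_url=None):
      """Exchange an unscoped token for one scoped to the named domain.

      Args:
          unscoped_token: token id returned by ``get_unscoped_token``.
          domain: name of the domain to scope the new token to.
          auth_url: Keystone v3 ``/auth/tokens`` endpoint. Defaults to the
              module-level ``OS_AUTH_URL`` so existing callers are unchanged.

      Returns:
          The domain-scoped token id from the ``X-Subject-Token`` header.

      Raises:
          requests.HTTPError: when Keystone rejects the exchange, instead of the
              ``KeyError`` a missing response header would otherwise give.
      """
      if auth_url is None:
          auth_url = OS_AUTH_URL
      headers = {'Content-Type': 'application/json'}
      payload = {
          "auth": {
              "identity": {
                  "methods": ["token"],
                  "token": {"id": unscoped_token},
              },
              "scope": {"domain": {"name": domain}},
          }
      }
      r = requests.post(auth_url, data=json.dumps(payload), headers=headers)
      # Surface 401/403 with the server's message instead of a KeyError below.
      r.raise_for_status()
      return r.headers['X-Subject-Token']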

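  def get_token_scoped_to_project(unscoped_token, project, auth_url=None):
      """Exchange an unscoped token for one scoped to the named project.

      Not used by the repro below, but kept with the same contract as
      ``get_token_scoped_to_domain``.

      Args:
          unscoped_token: token id returned by ``get_unscoped_token``.
          project: name of the project to scope the new token to.
          auth_url: Keystone v3 ``/auth/tokens`` endpoint. Defaults to the
              module-level ``OS_AUTH_URL`` so existing callers are unchanged.

      Returns:
          The project-scoped token id from the ``X-Subject-Token`` header.

      Raises:
          requests.HTTPError: when Keystone rejects the exchange, instead of the
              ``KeyError`` a missing response header would otherwise give.
      """
      if auth_url is None:
          auth_url = OS_AUTH_URL
      headers = {'Content-Type': 'application/json'}
      payload = {
          "auth": {
              "identity": {
                  "methods": ["token"],
                  "token": {"id": unscoped_token},
              },
              "scope": {"project": {"name": project}},
          }
      }
      r = requests.post(auth_url, data=json.dumps(payload), headers=headers)
      # Surface 401/403 with the server's message instead of a KeyError below.
      r.raise_for_status()
      return r.headers['X-Subject-Token']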

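  def list_domains(token, base_url="http://192.168.27.100:35357"):
      """Return the domains visible to ``token`` (``GET /v3/domains``).

      Args:
          token: a Keystone token id, sent in the ``X-Auth-Token`` header.
          base_url: scheme, host and port of the Keystone endpoint. The default
              is the value that was hard-coded in the original; note it is plain
              ``http://``, so the token travels unencrypted to that host.

      Returns:
          The ``domains`` list from the JSON response body.

      Raises:
          requests.HTTPError: on a non-2xx response, rather than a ``KeyError``
              from indexing ``"domains"`` in an error body.
      """
      headers = {'Content-Type': 'application/json',
                 'Accept': 'application/json',
                 'X-Auth-Token': token}
      r = requests.get(base_url + "/v3/domains", headers=headers)
      r.raise_for_status()
      return r.json()["domains"]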

  
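  def list_groups_for_domain(domain_id, token, base_url="http://192.168.27.100:5000"):
      """Return the groups of one domain (``GET /v3/groups?domain_id=...``).

      Args:
          domain_id: id of the domain whose groups are listed.
          token: a Keystone token id, sent in the ``X-Auth-Token`` header.
          base_url: scheme, host and port of the Keystone endpoint. The default
              keeps the original value. NOTE(review): it uses port 5000 while
              every other call in this script uses 35357 -- confirm which
              endpoint is intended.

      Returns:
          The ``groups`` list from the JSON response body.

      Raises:
          requests.HTTPError: on a non-2xx response, rather than a ``KeyError``
              from indexing ``"groups"`` in an error body.
      """
      headers = {'Content-Type': 'application/json',
                 'X-Auth-Token': token}
      # params= URL-encodes the id instead of splicing it into the query string.
      r = requests.get(base_url + "/v3/groups",
                       params={"domain_id": domain_id},
                       headers=headers)
      r.raise_for_status()
      return r.json()["groups"]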

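  def get_domain_named(domain_name, token):
      """Return the domain dict whose ``name`` equals ``domain_name``.

      Args:
          domain_name: the domain name to look for.
          token: token used for the ``/v3/domains`` listing. The original read
              the module-level ``domain_token`` instead of this parameter, which
              only worked because the caller happened to pass the same value.

      Returns:
          The matching domain dict as returned by ``list_domains``.

      Raises:
          LookupError: when no domain has that name (the original let
              ``StopIteration`` escape from ``next``).
      """
      domains = list_domains(token)
      match = next((d for d in domains if d.get("name") == domain_name), None)
      if match is None:
          raise LookupError("no domain named %r" % (domain_name,))
      return match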

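  def get_group_named_in_domain(group_name, domain_id, token):
      """Return the group dict named ``group_name`` within domain ``domain_id``.

      Args:
          group_name: the group name to look for.
          domain_id: id of the domain whose groups are searched.
          token: token used for the ``/v3/groups`` listing.

      Returns:
          The matching group dict as returned by ``list_groups_for_domain``.

      Raises:
          LookupError: when no group in the domain has that name (the original
              let ``StopIteration`` escape from ``next``).
      """
      groups = list_groups_for_domain(domain_id, token)
      match = next((g for g in groups if g.get("name") == group_name), None)
      if match is None:
          raise LookupError("no group named %r in domain %s"
                            % (group_name, domain_id))
      return match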

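  def get_users_in_group_in_domain(group_id, domain_id, token,
                                   base_url="http://192.168.27.100:35357"):
      """Call ``GET /v3/groups/{group_id}/users`` and return the decoded body.

      Unlike the other helpers this deliberately does not call
      ``raise_for_status()``: the point of the repro is to see the 403 body
      (``identity:list_users_in_group``) that Keystone returns for the
      domain-scoped token, so an error body is returned rather than raised.

      Args:
          group_id: id of the group; placed in the URL path.
          domain_id: passed through as a ``domain_id`` query parameter as the
              original did; whether the API honours it is not checked here.
          token: a Keystone token id, sent in the ``X-Auth-Token`` header.
          base_url: scheme, host and port of the Keystone endpoint (default is
              the original hard-coded value).

      Returns:
          The JSON response body, unchecked (the error dict quoted in the bug
          report when the call is denied).
      """
      headers = {'Content-Type': 'application/json',
                 'Accept': 'application/json',
                 'X-Auth-Token': token}
      url = base_url + ("/v3/groups/%s/users" % (group_id,))
      # params= URL-encodes the id instead of splicing it into the query string.
      r = requests.get(url, params={"domain_id": domain_id}, headers=headers)
      return r.json()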
      

  
      
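  import os

  # Credentials and endpoint come from the usual openrc environment variables.
  # The original referenced these names without defining them anywhere, which
  # is a NameError as soon as the script is run outside a prepared session.
  OS_USERNAME = os.environ["OS_USERNAME"]
  OS_PASSWORD = os.environ["OS_PASSWORD"]
  OS_AUTH_URL = os.environ["OS_AUTH_URL"]

  # Step 1: as the user in the "default" domain, look up the target domain.
  unscoped_token = get_unscoped_token(OS_USERNAME, OS_PASSWORD, "default")
  domain_token = get_token_scoped_to_domain(unscoped_token, "default")
  nintendo_domain = get_domain_named("nintendo", domain_token)

  # Step 2: nintendo domain operations, with a token scoped to that domain.
  unscoped_token = get_unscoped_token("mario", "pass", "nintendo")
  domain_token = get_token_scoped_to_domain(unscoped_token, "nintendo")

  # Listing the domain's groups is not the call the report says fails; the
  # original issued this request twice and discarded both results, so it is
  # made once here.
  list_groups_for_domain(nintendo_domain.get("id"), domain_token)

  # The original had this assignment broken across lines by the mail archive,
  # which is a SyntaxError when pasted as-is.
  mygroup = get_group_named_in_domain("mygroup", nintendo_domain.get("id"),
                                      domain_token)

  # Listing the group's members is the call rejected with 403
  # identity:list_users_in_group. The body is printed so the error is visible
  # when this runs as a script rather than only in an interactive session.
  result = get_users_in_group_in_domain(mygroup.get("id"),
                                        nintendo_domain.get("id"),
                                        domain_token)
  print(json.dumps(result, indent=2))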

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1458994/+subscriptions


