← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #34146

[Bug 1421825] Re: Sample policy should allow user to validate and revoke own token

  Thread PreviousDate PreviousThread Next 
** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => liberty-1

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1421825

Title:
  Sample policy should allow user to validate and revoke own token

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  The sample policy doesn't allow a non-admin user to validate or revoke
  their own token.

  Steps to recreate:

  0) Start with devstack
  1) Get a token for a non-admin user

  $ curl -i   -H "Content-Type: application/json"   -d '
  { "auth": {
      "identity": {
        "methods": ["password"],
        "password": {
          "user": {
            "name": "demo",
            "domain": { "id": "default" },
            "password": "demopwd"
          }
        }
      },
      "scope": {
        "project": {
          "name": "demo",
          "domain": { "id": "default" }
        }
      }
    }
  }'   http://localhost:35357/v3/auth/tokens ; echo

  $ TOKEN=e91bab6a52e44e39ba7ca63b04bb717b

  2) Try to get the token using the token using v3:

  $ curl -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://localhost:35357/v3/auth/tokens
  {"error": {"message": "You are not authorized to perform the requested action: identity:validate_token (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}

  3) Try to validate the token using the token using v3:

  $ curl -I -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://localhost:35357/v3/auth/tokens
  HTTP/1.1 403 Forbidden
  Vary: X-Auth-Token
  Content-Type: application/json
  Content-Length: 185
  Date: Fri, 13 Feb 2015 20:00:21 GMT

  4) Try to get the token using the token using v2:

  $ curl -H "X-Auth-Token: $TOKEN" http://localhost:35357/v2.0/tokens/$TOKEN
  {"error": {"message": "You are not authorized to perform the requested action: identity:validate_token (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}

  5) Try to validate the token using the token using v2:

  $ curl -I -H "X-Auth-Token: $TOKEN" http://localhost:35357/v2.0/tokens/$TOKEN
  HTTP/1.1 403 Forbidden
  Vary: X-Auth-Token
  Content-Type: application/json
  Content-Length: 193
  Date: Fri, 13 Feb 2015 20:11:49 GMT

  6) Try to revoke the token using the token using v3:

  $ curl -X DELETE -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://localhost:35357/v3/auth/tokens
  {"error": {"message": "You are not authorized to perform the requested action: identity:revoke_token (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}

  7) Try to revoke the token using the token using v2:

  $ curl -X DELETE -H "X-Auth-Token: $TOKEN" http://localhost:35357/v2.0/tokens/$TOKEN
  {"error": {"message": "You are not authorized to perform the requested action: admin_required (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1421825/+subscriptions

References

  Thread PreviousDate PreviousThread Next