Message #37168
[Bug 1483382] Re: Able to request a V2 token for user and project in a non-default domain
Fixed by https://review.openstack.org/#/c/208069/
** Changed in: keystone
Importance: Undecided => High
** Changed in: keystone
Status: New => Fix Committed
** Changed in: keystone
Assignee: (unassigned) => Dolph Mathews (dolph)
** Also affects: keystone/kilo
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1483382
Title:
Able to request a V2 token for user and project in a non-default
domain
Status in Keystone:
Fix Committed
Status in Keystone kilo series:
New
Status in OpenStack Security Advisory:
Incomplete
Bug description:
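Using the latest devstack, I am able to request a V2 token for a user
and project in a non-default domain. This is problematic, as non-default
domains are not supposed to be visible to V2 APIs. In the steps below,
user "bar" and project "foo-project" both belong to the non-default
domain "foo", yet the v2.0 token request succeeds and the response
lists the "admin" role for that user.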
Steps to reproduce:
1) install devstack
2) run these commands
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin --os-password secrete --os-user-domain-id default --os-project-name admin --os-project-domain-id default --os-auth-url http://localhost:5000 domain list
+----------------------------------+---------+---------+----------------------------------------------------------------------+
| ID | Name | Enabled | Description |
+----------------------------------+---------+---------+----------------------------------------------------------------------+
| 769ad7730e0c4498b628aa8dc00e831f | foo | True | |
| default | Default | True | Owns users and tenants (i.e. projects) available on Identity API v2. |
+----------------------------------+---------+---------+----------------------------------------------------------------------+
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin --os-password secrete --os-user-domain-id default --os-project-name admin --os-project-domain-id default --os-auth-url http://localhost:5000 user list --domain 769ad7730e0c4498b628aa8dc00e831f
+----------------------------------+------+
| ID | Name |
+----------------------------------+------+
| cf0aa0b2d5db4d67a94d1df234c338e5 | bar |
+----------------------------------+------+
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin --os-password secrete --os-user-domain-id default --os-project-name admin --os-project-domain-id default --os-auth-url http://localhost:5000 project list --domain 769ad7730e0c4498b628aa8dc00e831f
+----------------------------------+-------------+
| ID | Name |
+----------------------------------+-------------+
| 413abdbfef5544e2a5f3e8ac6124dd29 | foo-project |
+----------------------------------+-------------+
gyee@dev:~$ curl -k -H 'Content-Type: application/json' -d '{"auth": {"passwordCredentials": {"userId": "cf0aa0b2d5db4d67a94d1df234c338e5", "password": "secrete"}, "tenantId": "413abdbfef5544e2a5f3e8ac6124dd29"}}' -XPOST http://localhost:35357/v2.0/tokens | python -mjson.tool
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3006 100 2854 100 152 22164 1180 --:--:-- --:--:-- --:--:-- 22472
{
"access": {
"metadata": {
"is_admin": 0,
"roles": [
"2b7f29ebd1c8453fb91e9cd7c2e1319b",
"9fe2ff9ee4384b1894a90878d3e92bab"
]
},
"serviceCatalog": [
{
"endpoints": [
{
"adminURL": "http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29",
"id": "3a92a79a21fb41379fa3e135be65eeff",
"internalURL": "http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29",
"publicURL": "http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29",
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "nova",
"type": "compute"
},
{
"endpoints": [
{
"adminURL": "http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29",
"id": "64338d9eb3054598bcee30443c678e2a",
"internalURL": "http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29",
"publicURL": "http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29",
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "cinderv2",
"type": "volumev2"
},
{
"endpoints": [
{
"adminURL": "http://10.0.2.15:9292",
"id": "9216dc36806f492ead2fc58f88dfc50c",
"internalURL": "http://10.0.2.15:9292",
"publicURL": "http://10.0.2.15:9292",
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "glance",
"type": "image"
},
{
"endpoints": [
{
"adminURL": "http://10.0.2.15:8776/v1/413abdbfef5544e2a5f3e8ac6124dd29",
"id": "8163d3afe8144cc0ad701d8065a80f12",
"internalURL": "http://10.0.2.15:8776/v1/413abdbfef5544e2a5f3e8ac6124dd29",
"publicURL": "http://10.0.2.15:8776/v1/413abdbfef5544e2a5f3e8ac6124dd29",
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "cinder",
"type": "volume"
},
{
"endpoints": [
{
"adminURL": "http://10.0.2.15:8773/",
"id": "1ae28abbafa040ebaba1a5930cd23b96",
"internalURL": "http://10.0.2.15:8773/",
"publicURL": "http://10.0.2.15:8773/",
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "ec2",
"type": "ec2"
},
{
"endpoints": [
{
"adminURL": "http://10.0.2.15:8774/v2.1/413abdbfef5544e2a5f3e8ac6124dd29",
"id": "359f261d83a04ab7a66c804760aed0bf",
"internalURL": "http://10.0.2.15:8774/v2.1/413abdbfef5544e2a5f3e8ac6124dd29",
"publicURL": "http://10.0.2.15:8774/v2.1/413abdbfef5544e2a5f3e8ac6124dd29",
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "novav21",
"type": "computev21"
},
{
"endpoints": [
{
"adminURL": "http://10.0.2.15:35357/v2.0",
"id": "1ced0d5e8f7943f7b821340e2a4ac273",
"internalURL": "http://10.0.2.15:5000/v2.0",
"publicURL": "http://10.0.2.15:5000/v2.0",
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "keystone",
"type": "identity"
}
],
"token": {
"audit_ids": [
"fSQJJ2EnSC2pgeAbiEP3Rw"
],
"expires": "2015-08-10T20:03:46Z",
"id": "d68f365a9bb143008bd70be89ee0791a",
"issued_at": "2015-08-10T19:03:46.542447",
"tenant": {
"description": "",
"enabled": true,
"id": "413abdbfef5544e2a5f3e8ac6124dd29",
"name": "foo-project"
}
},
"user": {
"id": "cf0aa0b2d5db4d67a94d1df234c338e5",
"name": "bar",
"roles": [
{
"name": "admin"
},
{
"name": "_member_"
}
],
"roles_links": [],
"username": "bar"
}
}
}