← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1483382] Re: Able to request a V2 token for user and project in a non-default domain

 

Fixed by https://review.openstack.org/#/c/208069/

** Changed in: keystone
   Importance: Undecided => High

** Changed in: keystone
       Status: New => Fix Committed

** Changed in: keystone
     Assignee: (unassigned) => Dolph Mathews (dolph)

** Also affects: keystone/kilo
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1483382

Title:
  Able to request a V2 token for user and project in a non-default
  domain

Status in Keystone:
  Fix Committed
Status in Keystone kilo series:
  New
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  Using the latest devstack, I am able to request a V2 token for user
  and project in a non-default domain. This problematic as non-default
  domains are not suppose to be visible to V2 APIs.

  Steps to reproduce:

  1) install devstack

  2) run these commands

  gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin --os-password secrete --os-user-domain-id default --os-project-name admin --os-project-domain-id default --os-auth-url http://localhost:5000 domain list
  +----------------------------------+---------+---------+----------------------------------------------------------------------+
  | ID                               | Name    | Enabled | Description                                                          |
  +----------------------------------+---------+---------+----------------------------------------------------------------------+
  | 769ad7730e0c4498b628aa8dc00e831f | foo     | True    |                                                                      |
  | default                          | Default | True    | Owns users and tenants (i.e. projects) available on Identity API v2. |
  +----------------------------------+---------+---------+----------------------------------------------------------------------+
  gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin --os-password secrete --os-user-domain-id default --os-project-name admin --os-project-domain-id default --os-auth-url http://localhost:5000 user list --domain 769ad7730e0c4498b628aa8dc00e831f
  +----------------------------------+------+
  | ID                               | Name |
  +----------------------------------+------+
  | cf0aa0b2d5db4d67a94d1df234c338e5 | bar  |
  +----------------------------------+------+
  gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin --os-password secrete --os-user-domain-id default --os-project-name admin --os-project-domain-id default --os-auth-url http://localhost:5000 project list --domain 769ad7730e0c4498b628aa8dc00e831f
  +----------------------------------+-------------+
  | ID                               | Name        |
  +----------------------------------+-------------+
  | 413abdbfef5544e2a5f3e8ac6124dd29 | foo-project |
  +----------------------------------+-------------+
  gyee@dev:~$ curl -k -H 'Content-Type: application/json' -d '{"auth": {"passwordCredentials": {"userId": "cf0aa0b2d5db4d67a94d1df234c338e5", "password": "secrete"}, "tenantId": "413abdbfef5544e2a5f3e8ac6124dd29"}}' -XPOST http://localhost:35357/v2.0/tokens | python -mjson.tool
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100  3006  100  2854  100   152  22164   1180 --:--:-- --:--:-- --:--:-- 22472
  {
      "access": {
          "metadata": {
              "is_admin": 0,
              "roles": [
                  "2b7f29ebd1c8453fb91e9cd7c2e1319b",
                  "9fe2ff9ee4384b1894a90878d3e92bab"
              ]
          },
          "serviceCatalog": [
              {
                  "endpoints": [
                      {
                          "adminURL": "http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29";,
                          "id": "3a92a79a21fb41379fa3e135be65eeff",
                          "internalURL": "http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29";,
                          "publicURL": "http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29";,
                          "region": "RegionOne"
                      }
                  ],
                  "endpoints_links": [],
                  "name": "nova",
                  "type": "compute"
              },
              {
                  "endpoints": [
                      {
                          "adminURL": "http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29";,
                          "id": "64338d9eb3054598bcee30443c678e2a",
                          "internalURL": "http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29";,
                          "publicURL": "http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29";,
                          "region": "RegionOne"
                      }
                  ],
                  "endpoints_links": [],
                  "name": "cinderv2",
                  "type": "volumev2"
              },
              {
                  "endpoints": [
                      {
                          "adminURL": "http://10.0.2.15:9292";,
                          "id": "9216dc36806f492ead2fc58f88dfc50c",
                          "internalURL": "http://10.0.2.15:9292";,
                          "publicURL": "http://10.0.2.15:9292";,
                          "region": "RegionOne"
                      }
                  ],
                  "endpoints_links": [],
                  "name": "glance",
                  "type": "image"
              },
              {
                  "endpoints": [
                      {
                          "adminURL": "http://10.0.2.15:8776/v1/413abdbfef5544e2a5f3e8ac6124dd29";,
                          "id": "8163d3afe8144cc0ad701d8065a80f12",
                          "internalURL": "http://10.0.2.15:8776/v1/413abdbfef5544e2a5f3e8ac6124dd29";,
                          "publicURL": "http://10.0.2.15:8776/v1/413abdbfef5544e2a5f3e8ac6124dd29";,
                          "region": "RegionOne"
                      }
                  ],
                  "endpoints_links": [],
                  "name": "cinder",
                  "type": "volume"
              },
              {
                  "endpoints": [
                      {
                          "adminURL": "http://10.0.2.15:8773/";,
                          "id": "1ae28abbafa040ebaba1a5930cd23b96",
                          "internalURL": "http://10.0.2.15:8773/";,
                          "publicURL": "http://10.0.2.15:8773/";,
                          "region": "RegionOne"
                      }
                  ],
                  "endpoints_links": [],
                  "name": "ec2",
                  "type": "ec2"
              },
              {
                  "endpoints": [
                      {
                          "adminURL": "http://10.0.2.15:8774/v2.1/413abdbfef5544e2a5f3e8ac6124dd29";,
                          "id": "359f261d83a04ab7a66c804760aed0bf",
                          "internalURL": "http://10.0.2.15:8774/v2.1/413abdbfef5544e2a5f3e8ac6124dd29";,
                          "publicURL": "http://10.0.2.15:8774/v2.1/413abdbfef5544e2a5f3e8ac6124dd29";,
                          "region": "RegionOne"
                      }
                  ],
                  "endpoints_links": [],
                  "name": "novav21",
                  "type": "computev21"
              },
              {
                  "endpoints": [
                      {
                          "adminURL": "http://10.0.2.15:35357/v2.0";,
                          "id": "1ced0d5e8f7943f7b821340e2a4ac273",
                          "internalURL": "http://10.0.2.15:5000/v2.0";,
                          "publicURL": "http://10.0.2.15:5000/v2.0";,
                          "region": "RegionOne"
                      }
                  ],
                  "endpoints_links": [],
                  "name": "keystone",
                  "type": "identity"
              }
          ],
          "token": {
              "audit_ids": [
                  "fSQJJ2EnSC2pgeAbiEP3Rw"
              ],
              "expires": "2015-08-10T20:03:46Z",
              "id": "d68f365a9bb143008bd70be89ee0791a",
              "issued_at": "2015-08-10T19:03:46.542447",
              "tenant": {
                  "description": "",
                  "enabled": true,
                  "id": "413abdbfef5544e2a5f3e8ac6124dd29",
                  "name": "foo-project"
              }
          },
          "user": {
              "id": "cf0aa0b2d5db4d67a94d1df234c338e5",
              "name": "bar",
              "roles": [
                  {
                      "name": "admin"
                  },
                  {
                      "name": "_member_"
                  }
              ],
              "roles_links": [],
              "username": "bar"
          }
      }
  }

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1483382/+subscriptions