yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #39663
[Bug 1503041] [NEW] Token scoped to a domain can generate token scoped to different domain
Public bug reported:
Based on Nathan's blog on Restricting the abilities of Keystone tokens
(https://blog-nkinder.rhcloud.com/?p=101) experimented with domain
scoped tokens.
Pre-req: User has admin privileges on two domains Default and
TestDomain.
Step 1: Generate unscoped token:
cat auth-unsloped.json
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"domain": {
"name": "Default"
},
"name": "admin",
"password": "secretadmin"
}
}
}
}
}
curl -i POST http://localhost:35357/v3/auth/tokens -d@xxxxxxxxxxxxxxxxxx -H "Content-Type:application/json"
HTTP/1.1 201 Created
Date: Mon, 05 Oct 2015 20:48:46 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Subject-Token: 7b8dedc47a344378bba0c60d0d7a88fe
Vary: X-Auth-Token
x-openstack-request-id: req-e8e00db1-1875-47cf-96f8-b4504e095f78
Content-Length: 297
Content-Type: application/json
{"token": {"methods": ["password"], "expires_at":
"2015-10-05T21:48:47.009323Z", "extras": {}, "user": {"domain": {"id":
"default", "name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580",
"name": "admin"}, "audit_ids": ["7HNaW54JQdyiRq7asZGJ8Q"], "issued_at":
"2015-10-05T20:48:47.009338Z"}}
Step 2: Generate domain scoped token, scoped to domain Default:
cat auth-token-default.json
{
"auth": {
"identity": {
"methods": [
"token"
],
"token": {
"id": "7b8dedc47a344378bba0c60d0d7a88fe"
}
},
"scope": {
"domain": {
"name": "default"
}
}
}
}
curl -i POST http://localhost:35357/v3/auth/tokens -d@xxxxxxxxxxxxxxxxxxxxxxx -H "Content-Type:application/json"
HTTP/1.1 201 Created
Date: Mon, 05 Oct 2015 20:31:34 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Subject-Token: cb4787308bbb4666aeaf2fb477a3c86f
Vary: X-Auth-Token
x-openstack-request-id: req-5a2ce99c-7ab8-4473-b641-b87d62cacedb
Content-Length: 1425
Content-Type: application/json
{"token": {"domain": {"id": "default", "name": "Default"}, "methods":
["token", "password"], "roles": [{"id":
"1688449cf1df44839b10a41e3d9b09dd", "name": "admin"}], "expires_at":
"2015-10-05T21:31:06.973530Z", "catalog": [{"endpoints": [{"region_id":
"RegionOne", "url": "http://10.0.2.15:9311";, "region": "RegionOne",
"interface": "public", "id": "183c129076834ca8b4e1798810a32d6d"},
{"region_id": "RegionOne", "url": "http://10.0.2.15:9311";, "region":
"RegionOne", "interface": "internal", "id":
"e1ea8f4d45904257b89bfd9d95518196"}], "type": "key-manager", "id":
"6fc885769eba436294f9d886cc405c74", "name": "barbican"}, {"endpoints":
[{"region_id": "RegionOne", "url": "http://10.0.2.15:5000/v2.0";,
"region": "RegionOne", "interface": "internal", "id":
"961f5de3db964ca6894073e1bf256453"}, {"region_id": "RegionOne", "url":
"http://10.0.2.15:5000/v2.0";, "region": "RegionOne", "interface":
"public", "id": "a0b19c290c124d4ab1efef1a89769149"}, {"region_id":
"RegionOne", "url": "http://10.0.2.15:35357/v2.0";, "region":
"RegionOne", "interface": "admin", "id":
"aab541336f1a410492a98b536037ca44"}], "type": "identity", "id":
"957546d7177e43e7a922e132ca76cb68", "name": "keystone"}], "extras": {},
"user": {"domain": {"id": "default", "name": "Default"}, "id":
"1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "audit_ids":
["VvQjBGgUQceA4DiSqk0acw", "-Sv17e8CRJqhSANxJy9_-w"], "issued_at":
"2015-10-05T20:31:34.810853Z"}}
Step 3: Generate domain scoped token, scoped to TestDomain:
cat auth-token-testdomain.json
{
"auth": {
"identity": {
"methods": [
"token"
],
"token": {
"id": "cb4787308bbb4666aeaf2fb477a3c86f"
}
},
"scope": {
"domain": {
"name": "TestDomain"
}
}
}
}
curl -i POST http://localhost:35357/v3/auth/tokens -d@xxxxxxxxxxxxxxxxxxxxxxxxxx -H "Content-Type:application/json"
HTTP/1.1 201 Created
Date: Mon, 05 Oct 2015 20:35:18 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Subject-Token: 9b84d6a8894340e393a952ae2b366051
Vary: X-Auth-Token
x-openstack-request-id: req-745a90fe-92d0-425f-ac6b-8f8719e66dba
Content-Length: 1453
Content-Type: application/json
{"token": {"domain": {"id": "b841c341125f4f46844aee7a8a8cfd80", "name":
"TestDomain"}, "methods": ["token", "password"], "roles": [{"id":
"1688449cf1df44839b10a41e3d9b09dd", "name": "admin"}], "expires_at":
"2015-10-05T21:31:06.973530Z", "catalog": [{"endpoints": [{"region_id":
"RegionOne", "url": "http://10.0.2.15:9311";, "region": "RegionOne",
"interface": "public", "id": "183c129076834ca8b4e1798810a32d6d"},
{"region_id": "RegionOne", "url": "http://10.0.2.15:9311";, "region":
"RegionOne", "interface": "internal", "id":
"e1ea8f4d45904257b89bfd9d95518196"}], "type": "key-manager", "id":
"6fc885769eba436294f9d886cc405c74", "name": "barbican"}, {"endpoints":
[{"region_id": "RegionOne", "url": "http://10.0.2.15:5000/v2.0";,
"region": "RegionOne", "interface": "internal", "id":
"961f5de3db964ca6894073e1bf256453"}, {"region_id": "RegionOne", "url":
"http://10.0.2.15:5000/v2.0";, "region": "RegionOne", "interface":
"public", "id": "a0b19c290c124d4ab1efef1a89769149"}, {"region_id":
"RegionOne", "url": "http://10.0.2.15:35357/v2.0";, "region":
"RegionOne", "interface": "admin", "id":
"aab541336f1a410492a98b536037ca44"}], "type": "identity", "id":
"957546d7177e43e7a922e132ca76cb68", "name": "keystone"}], "extras": {},
"user": {"domain": {"id": "default", "name": "Default"}, "id":
"1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "audit_ids":
["Ox3i-EzETI-kAj92reqfHg", "-Sv17e8CRJqhSANxJy9_-w"], "issued_at":
"2015-10-05T20:35:18.093521Z"}}
This demonstrates that user can generate token scoped to a domain and
using that token, he can generate a token scoped to different domain
without explicitly providing his credentials.
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1503041
Title:
Token scoped to a domain can generate token scoped to different domain
Status in Keystone:
New
Bug description:
Based on Nathan's blog on Restricting the abilities of Keystone tokens
(https://blog-nkinder.rhcloud.com/?p=101) experimented with domain
scoped tokens.
Pre-req: User has admin privileges on two domains Default and
TestDomain.
Step 1: Generate unscoped token:
cat auth-unsloped.json
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"domain": {
"name": "Default"
},
"name": "admin",
"password": "secretadmin"
}
}
}
}
}
curl -i POST http://localhost:35357/v3/auth/tokens -d@xxxxxxxxxxxxxxxxxx -H "Content-Type:application/json"
HTTP/1.1 201 Created
Date: Mon, 05 Oct 2015 20:48:46 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Subject-Token: 7b8dedc47a344378bba0c60d0d7a88fe
Vary: X-Auth-Token
x-openstack-request-id: req-e8e00db1-1875-47cf-96f8-b4504e095f78
Content-Length: 297
Content-Type: application/json
{"token": {"methods": ["password"], "expires_at":
"2015-10-05T21:48:47.009323Z", "extras": {}, "user": {"domain": {"id":
"default", "name": "Default"}, "id":
"1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "audit_ids":
["7HNaW54JQdyiRq7asZGJ8Q"], "issued_at":
"2015-10-05T20:48:47.009338Z"}}
Step 2: Generate domain scoped token, scoped to domain Default:
cat auth-token-default.json
{
"auth": {
"identity": {
"methods": [
"token"
],
"token": {
"id": "7b8dedc47a344378bba0c60d0d7a88fe"
}
},
"scope": {
"domain": {
"name": "default"
}
}
}
}
curl -i POST http://localhost:35357/v3/auth/tokens -d@xxxxxxxxxxxxxxxxxxxxxxx -H "Content-Type:application/json"
HTTP/1.1 201 Created
Date: Mon, 05 Oct 2015 20:31:34 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Subject-Token: cb4787308bbb4666aeaf2fb477a3c86f
Vary: X-Auth-Token
x-openstack-request-id: req-5a2ce99c-7ab8-4473-b641-b87d62cacedb
Content-Length: 1425
Content-Type: application/json
{"token": {"domain": {"id": "default", "name": "Default"}, "methods":
["token", "password"], "roles": [{"id":
"1688449cf1df44839b10a41e3d9b09dd", "name": "admin"}], "expires_at":
"2015-10-05T21:31:06.973530Z", "catalog": [{"endpoints":
[{"region_id": "RegionOne", "url": "http://10.0.2.15:9311";, "region":
"RegionOne", "interface": "public", "id":
"183c129076834ca8b4e1798810a32d6d"}, {"region_id": "RegionOne", "url":
"http://10.0.2.15:9311";, "region": "RegionOne", "interface":
"internal", "id": "e1ea8f4d45904257b89bfd9d95518196"}], "type": "key-
manager", "id": "6fc885769eba436294f9d886cc405c74", "name":
"barbican"}, {"endpoints": [{"region_id": "RegionOne", "url":
"http://10.0.2.15:5000/v2.0";, "region": "RegionOne", "interface":
"internal", "id": "961f5de3db964ca6894073e1bf256453"}, {"region_id":
"RegionOne", "url": "http://10.0.2.15:5000/v2.0";, "region":
"RegionOne", "interface": "public", "id":
"a0b19c290c124d4ab1efef1a89769149"}, {"region_id": "RegionOne", "url":
"http://10.0.2.15:35357/v2.0";, "region": "RegionOne", "interface":
"admin", "id": "aab541336f1a410492a98b536037ca44"}], "type":
"identity", "id": "957546d7177e43e7a922e132ca76cb68", "name":
"keystone"}], "extras": {}, "user": {"domain": {"id": "default",
"name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name":
"admin"}, "audit_ids": ["VvQjBGgUQceA4DiSqk0acw",
"-Sv17e8CRJqhSANxJy9_-w"], "issued_at":
"2015-10-05T20:31:34.810853Z"}}
Step 3: Generate domain scoped token, scoped to TestDomain:
cat auth-token-testdomain.json
{
"auth": {
"identity": {
"methods": [
"token"
],
"token": {
"id": "cb4787308bbb4666aeaf2fb477a3c86f"
}
},
"scope": {
"domain": {
"name": "TestDomain"
}
}
}
}
curl -i POST http://localhost:35357/v3/auth/tokens -d@xxxxxxxxxxxxxxxxxxxxxxxxxx -H "Content-Type:application/json"
HTTP/1.1 201 Created
Date: Mon, 05 Oct 2015 20:35:18 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Subject-Token: 9b84d6a8894340e393a952ae2b366051
Vary: X-Auth-Token
x-openstack-request-id: req-745a90fe-92d0-425f-ac6b-8f8719e66dba
Content-Length: 1453
Content-Type: application/json
{"token": {"domain": {"id": "b841c341125f4f46844aee7a8a8cfd80",
"name": "TestDomain"}, "methods": ["token", "password"], "roles":
[{"id": "1688449cf1df44839b10a41e3d9b09dd", "name": "admin"}],
"expires_at": "2015-10-05T21:31:06.973530Z", "catalog": [{"endpoints":
[{"region_id": "RegionOne", "url": "http://10.0.2.15:9311";, "region":
"RegionOne", "interface": "public", "id":
"183c129076834ca8b4e1798810a32d6d"}, {"region_id": "RegionOne", "url":
"http://10.0.2.15:9311";, "region": "RegionOne", "interface":
"internal", "id": "e1ea8f4d45904257b89bfd9d95518196"}], "type": "key-
manager", "id": "6fc885769eba436294f9d886cc405c74", "name":
"barbican"}, {"endpoints": [{"region_id": "RegionOne", "url":
"http://10.0.2.15:5000/v2.0";, "region": "RegionOne", "interface":
"internal", "id": "961f5de3db964ca6894073e1bf256453"}, {"region_id":
"RegionOne", "url": "http://10.0.2.15:5000/v2.0";, "region":
"RegionOne", "interface": "public", "id":
"a0b19c290c124d4ab1efef1a89769149"}, {"region_id": "RegionOne", "url":
"http://10.0.2.15:35357/v2.0";, "region": "RegionOne", "interface":
"admin", "id": "aab541336f1a410492a98b536037ca44"}], "type":
"identity", "id": "957546d7177e43e7a922e132ca76cb68", "name":
"keystone"}], "extras": {}, "user": {"domain": {"id": "default",
"name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name":
"admin"}, "audit_ids": ["Ox3i-EzETI-kAj92reqfHg",
"-Sv17e8CRJqhSANxJy9_-w"], "issued_at":
"2015-10-05T20:35:18.093521Z"}}
This demonstrates that user can generate token scoped to a domain and
using that token, he can generate a token scoped to different domain
without explicitly providing his credentials.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1503041/+subscriptions
Follow ups
