Message #39746
[Bug 1503755] [NEW] Admin with project-scoped token unable to grant, check, list, revoke roles for domain group/user
Public bug reported:
Prerequisites:
1) Create group and user in some domain
2) Create some test role
3) Grant test role to domain group and to domain user
Steps to reproduce:
1) Get project-scoped token for admin user (using API: http://address:port/v3/auth/tokens) with header "Content-Type: application/json" and body
{
    "auth": {
        "identity": {
            "methods": ["password"],
            "password": {
                "user": {
                    "name": "admin",
                    "domain": { "id": "default" },
                    "password": "adminpwd"
                }
            }
        },
        "scope": {
            "project": {
                "name": "project_name",
                "domain": { "id": "default" }
            }
        }
    }
}
2) Using token from step 1 (from header "X-Subject-Token") check role for
domain group/user (HEAD type of request, API:
http://address:port/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
and API:
http://address:port/v3/domains/{domain_id}/users/{user_id}/roles/{role_id})
with headers "Content-Type: application/json" and "X-Auth-Token:
token_from_step_1"
Expected result:
Admin with project-scoped token should be able to check role for domain group/user
Actual result:
Admin with project-scoped token can't check role for domain group/user: the response is HTTP 403 (Forbidden) with "No response received" in the body
3) Using token from step 1 (from header "X-Subject-Token") list roles for
domain group/user (HEAD type of request, API:
http://address:port/v3/domains/{domain_id}/groups/{group_id}/roles and
API: http://address:port/v3/domains/{domain_id}/users/{user_id}/roles)
with headers "Content-Type: application/json" and "X-Auth-Token:
token_from_step_1"
Expected result:
Admin with project-scoped token should be able to list roles for domain group/user
Actual result:
Admin with project-scoped token can't list roles for domain group/user: the response is HTTP 403 (Forbidden) with the following body:
{
    "error": {
        "message": "You are not authorized to perform the requested action: identity:list_grants (Disable debug mode to suppress these details.)",
        "code": 403,
        "title": "Forbidden"
    }
}
But admin with domain-scoped token can check and list roles for domain
group/user, and can check and list roles for project group/user.
policy.json contains the following:
    "admin_on_project_filter": "rule:cloud_admin or (rule:admin_required and (project_id:%(scope.project.id)s or domain_id:%(target.project.domain_id)s))",
    "check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
    "list_grants": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
** Affects: keystone
Importance: Undecided
Status: New
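To see why the check_grant/list_grants rules quoted in the report fail for a project-scoped admin token against a domain-level grant, the following is an added toy evaluator of the oslo.policy rule language (it is not keystone's code and not part of the bug report). The three-way "or" of check_grant and list_grants is taken from the report; the helper rules admin_required, cloud_admin, domain_admin_for_grants and project_admin_for_grants are assumptions modelled on keystone's policy.v3cloudsample.json, since the report does not quote them, and the token credentials and grant targets are constructed sample values with placeholder ids. The example runs the same action for both token scopes against both a domain grant and a project grant, so it generalises the report's single case into the full matrix:

```python
import re

# Rules quoted in the bug report (keystone policy.json entries).
RULES = {
    "check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
    "list_grants": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
    # ASSUMED helper rules, modelled on keystone's policy.v3cloudsample.json; the bug
    # report does not quote them, so treat these as illustrative, not authoritative.
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "domain_admin_for_grants": "rule:admin_required and "
                               "(domain_id:%(target.project.domain_id)s or domain_id:%(target.domain.id)s)",
    "project_admin_for_grants": "rule:admin_required and project_id:%(target.project.id)s",
}

# Tokens of the rule language: parentheses, the keywords and/or, and "kind:match"
# atoms whose match may be a %(dotted.path)s reference into the target dict.
TOKEN = re.compile(r"\(|\)|\b(?:and|or)\b|[A-Za-z_]+:(?:%\([^)]*\)s|[^\s()]+)")


def parse(text):
    """Parse a rule into nested tuples: ('or'|'and', left, right) or ('check', kind, match)."""
    toks = TOKEN.findall(text)

    def expr():                                  # expr := term ('or' term)*
        node = term()
        while toks and toks[0] == "or":
            toks.pop(0)
            node = ("or", node, term())
        return node

    def term():                                  # term := factor ('and' factor)*
        node = factor()
        while toks and toks[0] == "and":
            toks.pop(0)
            node = ("and", node, factor())
        return node

    def factor():                                # factor := '(' expr ')' | kind:match
        tok = toks.pop(0)
        if tok == "(":
            node = expr()
            if toks.pop(0) != ")":
                raise ValueError("unbalanced parentheses in rule")
            return node
        return ("check", *tok.split(":", 1))

    return expr()


def lookup(target, dotted):
    """Resolve a dotted path such as 'target.project.domain_id' in a nested dict; None if absent."""
    node = target
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def evaluate(node, creds, target, rules=RULES):
    op = node[0]
    if op == "or":
        return evaluate(node[1], creds, target, rules) or evaluate(node[2], creds, target, rules)
    if op == "and":
        return evaluate(node[1], creds, target, rules) and evaluate(node[2], creds, target, rules)
    _, kind, match = node
    if kind == "rule":                           # reference to another named rule
        return match in rules and evaluate(parse(rules[match]), creds, target, rules)
    if kind == "role":                           # role check against the token's roles
        return match in creds.get("roles", [])
    # Generic check: compare a token attribute (project_id, domain_id, ...) with either a
    # literal or a value pulled from the target. A missing side on either end fails closed.
    if match.startswith("%(") and match.endswith(")s"):
        expected = lookup(target, match[2:-2])
        if expected is None:
            return False
    else:
        expected = match
    actual = creds.get(kind)
    return actual is not None and str(actual) == str(expected)


def enforce(action, creds, target):
    """True if the named policy action allows these credentials against this target."""
    return evaluate(parse(RULES[action]), creds, target)


# Constructed sample tokens and targets (placeholder ids, not from the bug report).
PROJECT_SCOPED_ADMIN = {"roles": ["admin"], "project_id": "p-1"}   # project-scoped token: no domain_id
DOMAIN_SCOPED_ADMIN = {"roles": ["admin"], "domain_id": "d-1"}     # domain-scoped token: no project_id
DOMAIN_GRANT = {"target": {"domain": {"id": "d-1"}, "group": {"id": "g-1"}}}
PROJECT_GRANT = {"target": {"project": {"id": "p-1", "domain_id": "d-1"}}}


def grant_matrix(action="check_grant"):
    """Outcome of one grant action for each (token scope, grant target) pair."""
    creds = {"project-scoped admin": PROJECT_SCOPED_ADMIN, "domain-scoped admin": DOMAIN_SCOPED_ADMIN}
    targets = {"domain grant": DOMAIN_GRANT, "project grant": PROJECT_GRANT}
    return {(c, t): enforce(action, cv, tv) for c, cv in creds.items() for t, tv in targets.items()}


if __name__ == "__main__":
    for (scope, grant), allowed in grant_matrix().items():
        print(f"{scope:22s} on {grant:14s}: {'allowed' if allowed else '403 Forbidden'}")
```

Under these assumed helper rules the denial is structural rather than a misconfigured credential: a project-scoped token carries no domain_id, so cloud_admin and domain_admin_for_grants cannot match, and a domain-level grant target has no project, so project_admin_for_grants cannot match either; the domain-scoped token passes on both targets through domain_admin_for_grants. Whether the real deployment's policy.json behaves the same way depends on the actual definitions of those helper rules, which the report does not include.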
** Description changed:
Prerequisites:
1)Create group and user in some domain
2)Create some test role
3)Grant test role to domain group and to domain user
Steps to reproduce:
1)Get project-scoped token for admin user (using API: http://address:port/v3/auth/tokens) with header "Content-Type: application/json" and body
{ "auth": {
- "identity": {
- "methods": ["password"],
- "password": {
- "user": {"
- "name": "admin",
- "domain": { "id": "default" },
- "password": "adminpwd"
- }
- }
- },
- "scope": {
- "project": {
- "name": "project_name",
- "domain": { "id": "default" }
- }
- }
- }
+ "identity": {
+ "methods": ["password"],
+ "password": {
+ "user": {"
+ "name": "admin",
+ "domain": { "id": "default" },
+ "password": "adminpwd"
+ }
+ }
+ },
+ "scope": {
+ "project": {
+ "name": "project_name",
+ "domain": { "id": "default" }
+ }
+ }
+ }
}
2)Using token from step 1 (from header "X-Subject-Token") check role for
domain group/user (HEAD type of request, API:
http://address:port/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
and API:
http://address:port/v3/domains/{domain_id}/users/{user_id}/roles/{role_id})
with headers "Content-Type: application/json" and "X-Auth-Token:
token_from_step_1"
Expected result:
Admin with project-scoped should be able to check role for domain group/user
Actual result:
Admin with project-scoped can't check role for domain group/user - there is 403 HTTP code (Forbidden) and "No response received" in body of response
3)Using token from step 1 (from header "X-Subject-Token") list roles for
domain group/user (HEAD type of request, API:
http://address:port/v3/domains/{domain_id}/groups/{group_id}/roles and
API: http://address:port/v3/domains/{domain_id}/users/{user_id}/roles)
with headers "Content-Type: application/json" and "X-Auth-Token:
token_from_step_1"
Expected result:
Admin with project-scoped should be able to list roles for domain group/user
Actual result:
Admin with project-scoped can't list roles for domain group/user - there is 403 HTTP code (Forbidden) and following body of response:
{
- "error": {
- "message": "You are not authorized to perform the requested action: identity:list_grants (Disable debug mode to suppress these details.)",
- "code": 403,
- "title": "Forbidden"
- }
+ "error": {
+ "message": "You are not authorized to perform the requested action: identity:list_grants (Disable debug mode to suppress these details.)",
+ "code": 403,
+ "title": "Forbidden"
+ }
}
But admin with domain-scoped token can check and list roles for domain
group/user. And can check and list roles for project group/user.
+
+
+ In policy.json are following:
+ "admin_on_project_filter" : "rule:cloud_admin or (rule:admin_required
+ and (project_id:%(scope.project.id)s or
+ domain_id:%(target.project.domain_id)s))",
+ "check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
+ "list_grants": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
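Review bot: the policy.json fragment added in this hunk names rule:cloud_admin, rule:admin_required, rule:domain_admin_for_grants and rule:project_admin_for_grants but does not include their definitions, and those are the rules that decide whether check_grant and list_grants pass for a project-scoped token against a domain-level target. Please quote those four rule definitions from the same policy.json (and say which sample policy file the deployment is based on) so the 403 can be reproduced from the report alone.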
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1503755
Title:
Admin with project-scoped token unable to grant, check, list, revoke
roles for domain group/user
Status in Keystone:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1503755/+subscriptions