yahoo-eng-team team mailing list archive

[Bug 1503755] [NEW] Admin with project-scoped token unable to grant, check, list, revoke roles for domain group/user

Public bug reported:

Prerequisites:
1) Create group and user in some domain
2) Create some test role
3) Grant test role to domain group and to domain user

Steps to reproduce:
1) Get project-scoped token for admin user (using API: http://address:port/v3/auth/tokens) with header "Content-Type: application/json" and body
{ "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "name": "admin",
          "domain": { "id": "default" },
          "password": "adminpwd"
        }
      }
    },
    "scope": {
      "project": {
        "name": "project_name",
        "domain": { "id": "default" }
      }
    }
  }
}

2) Using token from step 1 (from header "X-Subject-Token") check role for
domain group/user (HEAD type of request, API:
http://address:port/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
and API:
http://address:port/v3/domains/{domain_id}/users/{user_id}/roles/{role_id})
with headers "Content-Type: application/json" and "X-Auth-Token:
token_from_step_1"

Expected result:
Admin with project-scoped token should be able to check role for domain group/user

Actual result:
Admin with project-scoped token can't check role for domain group/user: the HTTP status code is 403 (Forbidden) and the response body is "No response received"

3) Using token from step 1 (from header "X-Subject-Token") list roles for
domain group/user (HEAD type of request, API:
http://address:port/v3/domains/{domain_id}/groups/{group_id}/roles and
API: http://address:port/v3/domains/{domain_id}/users/{user_id}/roles)
with headers "Content-Type: application/json" and "X-Auth-Token:
token_from_step_1"

Expected result:
Admin with project-scoped token should be able to list roles for domain group/user

Actual result:
Admin with project-scoped token can't list roles for domain group/user: the HTTP status code is 403 (Forbidden) and the response body is the following:
{
  "error": {
    "message": "You are not authorized to perform the requested action: identity:list_grants (Disable debug mode to suppress these details.)",
    "code": 403,
    "title": "Forbidden"
  }
}

But an admin with a domain-scoped token can check and list roles for a domain
group/user, and can also check and list roles for a project group/user.


policy.json contains the following rules:
"admin_on_project_filter": "rule:cloud_admin or (rule:admin_required and (project_id:%(scope.project.id)s or domain_id:%(target.project.domain_id)s))",
"check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"list_grants": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",

** Affects: keystone
     Importance: Undecided
         Status: New
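The policy lines quoted in the report are written in the oslo.policy rule language: `rule:` references other named rules, `role:` tests the token's roles, and `key:%(path)s` compares a credential attribute against a value looked up from the request context. The following evaluator is an added example (not Keystone's or oslo.policy's code) for exactly that subset, written to show how such a rule behaves when the credential is project-scoped versus domain-scoped. Only `admin_on_project_filter` is quoted from the report; the `admin_required` and `cloud_admin` definitions, the credential dictionaries, the context dictionaries and the function names `tokenize`, `enforce` and `evaluate_samples` are constructed for illustration and are not Keystone's real policy or token layout.

```python
"""Evaluator for the oslo.policy-style rules quoted in the report (added example, not
Keystone code). Covers rule:<name>, role:<name>, key:<literal>, key:%(dotted.path)s,
and/or (and binds tighter) and parentheses. Only admin_on_project_filter is quoted from
the report; the other rules, the credentials and the contexts are constructed stand-ins."""
import re

# Parentheses, and/or, or an atom such as rule:admin_required or project_id:%(scope.project.id)s
_TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|[A-Za-z_][\w.]*:(?:%\([\w.]+\)s|[^\s()]+)")


def tokenize(rule: str) -> list:
    tokens = _TOKEN.findall(rule)
    if "".join(tokens) != re.sub(r"\s+", "", rule):  # reject anything the grammar skipped
        raise ValueError(f"unrecognised text in rule: {rule!r}")
    return tokens


def _lookup(context: dict, path: str):
    # Walk a dotted path such as target.project.domain_id; None if any segment is absent
    node = context
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def enforce(rules: dict, rule_name: str, creds: dict, context: dict) -> bool:
    """Evaluate the named rule with a small recursive-descent parser over its tokens."""
    if rule_name not in rules:
        return False  # an undefined rule never grants access
    tokens, pos = tokenize(rules[rule_name]), 0

    def parse_or() -> bool:  # and-expressions joined by "or"
        nonlocal pos
        result = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            result = parse_and() or result
        return result

    def parse_and() -> bool:  # atoms joined by "and"
        nonlocal pos
        result = parse_atom()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            result = parse_atom() and result
        return result

    def parse_atom() -> bool:  # a parenthesised expression or one check
        nonlocal pos
        tok = tokens[pos] if pos < len(tokens) else None
        if tok == "(":
            pos += 1
            inner = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses")
            pos += 1
            return inner
        if tok is None or tok in ("and", "or", ")"):
            raise ValueError(f"unexpected token {tok!r}")
        pos += 1
        return _check(rules, tok, creds, context)

    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[pos:]}")
    return result


def _check(rules: dict, atom: str, creds: dict, context: dict) -> bool:
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return enforce(rules, value, creds, context)
    if kind == "role":
        return value in creds.get("roles", [])
    # Generic check: a credential attribute against a literal or a %(path)s value taken
    # from the request context; missing data fails closed rather than raising.
    m = re.fullmatch(r"%\(([\w.]+)\)s", value)
    expected = _lookup(context, m.group(1)) if m else value
    if expected is None or kind not in creds:
        return False
    return str(creds[kind]) == str(expected)


RULES = {
    # Quoted from the bug report
    "admin_on_project_filter": ("rule:cloud_admin or (rule:admin_required and "
                                "(project_id:%(scope.project.id)s or domain_id:%(target.project.domain_id)s))"),
    # Constructed stand-ins, not Keystone's real definitions
    "admin_required": "role:admin or is_admin:1",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
}
# Constructed credential shapes: a project-scoped token carries project_id, a domain-scoped one domain_id
PROJECT_SCOPED = {"roles": ["admin"], "project_id": "proj-a"}
DOMAIN_SCOPED = {"roles": ["admin"], "domain_id": "default"}


def evaluate_samples() -> dict:
    """admin_on_project_filter over constructed credential/context pairs."""
    own = {"scope": {"project": {"id": "proj-a"}}, "target": {"project": {"id": "proj-a", "domain_id": "default"}}}
    other = {"scope": {"project": {"id": "proj-b"}}, "target": {"project": {"id": "proj-b", "domain_id": "default"}}}
    domain = {"scope": {"domain": {"id": "default"}}, "target": {"domain": {"id": "default"}}}  # no project at all
    return {
        "project_admin_own_project": enforce(RULES, "admin_on_project_filter", PROJECT_SCOPED, own),
        "project_admin_other_project": enforce(RULES, "admin_on_project_filter", PROJECT_SCOPED, other),
        "domain_admin_project_in_domain": enforce(RULES, "admin_on_project_filter", DOMAIN_SCOPED, other),
        "project_admin_domain_target": enforce(RULES, "admin_on_project_filter", PROJECT_SCOPED, domain),
    }
```

Calling `evaluate_samples()` shows the shape of the behaviour the report describes: the project-scoped credential passes only when `scope.project.id` equals its own `project_id`; the domain-scoped credential passes for any project whose `target.project.domain_id` matches its `domain_id`; and for a domain-level context that carries no project at all, both `%(...)s` lookups resolve to nothing and the generic checks evaluate to False rather than raising. When a grant call against `/v3/domains/{domain_id}/...` returns 403 for a project-scoped admin, the rules actually consulted (`check_grant`, `list_grants` and the `domain_admin_for_grants` / `project_admin_for_grants` rules they reference, which the report does not quote) are the place to look for a comparison of this kind that has no value to compare against.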

** Description changed:

  Prerequisites:
  1)Create group and user in some domain
  2)Create some test role
  3)Grant test role to domain group and to domain user
  
  Steps to reproduce:
  1)Get project-scoped token for admin user (using API: http://address:port/v3/auth/tokens) with header "Content-Type: application/json" and body
  { "auth": {
-     "identity": {
-       "methods": ["password"],
-       "password": {
-         "user": {"
-           "name": "admin",
-           "domain": { "id": "default" },
-           "password": "adminpwd"
-         }
-       }
-     },
-     "scope": {
-       "project": {
-         "name": "project_name",
-         "domain": { "id": "default" }
-       }
-     }
-   }
+     "identity": {
+       "methods": ["password"],
+       "password": {
+         "user": {"
+           "name": "admin",
+           "domain": { "id": "default" },
+           "password": "adminpwd"
+         }
+       }
+     },
+     "scope": {
+       "project": {
+         "name": "project_name",
+         "domain": { "id": "default" }
+       }
+     }
+   }
  }
  
  2)Using token from step 1 (from header "X-Subject-Token") check role for
  domain group/user (HEAD type of request, API:
  http://address:port/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
  and ​API:
  http://address:port/v3/domains/{domain_id}/users/{user_id}/roles/{role_id})
  with headers "Content-Type: application/json" and "X-Auth-Token:
  token_from_step_1"
  
  Expected result:
  Admin with project-scoped should be able to check role for domain group/user
  
  Actual result:
  Admin with project-scoped can't check role for domain group/user - there is 403 HTTP code (Forbidden) and "No response received" in body of response
  
  3)Using token from step 1 (from header "X-Subject-Token") list roles for
  domain group/user (HEAD type of request, API:
  http://address:port/v3/domains/{domain_id}/groups/{group_id}/roles and
  ​API: http://address:port/v3/domains/{domain_id}/users/{user_id}/roles)
  with headers "Content-Type: application/json" and "X-Auth-Token:
  token_from_step_1"
  
  Expected result:
  Admin with project-scoped should be able to list roles for domain group/user
  
  Actual result:
  Admin with project-scoped can't list roles for domain group/user - there is 403 HTTP code (Forbidden) and following body of response:
  {
-   "error": {
-     "message": "You are not authorized to perform the requested action: identity:list_grants (Disable debug mode to suppress these details.)",
-     "code": 403,
-     "title": "Forbidden"
-   }
+   "error": {
+     "message": "You are not authorized to perform the requested action: identity:list_grants (Disable debug mode to suppress these details.)",
+     "code": 403,
+     "title": "Forbidden"
+   }
  }
  
  But admin with domain-scoped token can check and list roles for domain
  group/user. And can check and list roles for project group/user.
+ 
+ 
+ In policy.json are following:
+ "admin_on_project_filter" : "rule:cloud_admin or (rule:admin_required
+ and (project_id:%(scope.project.id)s or
+ domain_id:%(target.project.domain_id)s))", 
+ "check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
+ "list_grants": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
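Review bot: the `-`/`+` pairs covering the auth request body and the 403 error body are identical apart from leading whitespace, so the only substantive change in this hunk is the appended policy.json excerpt, and that excerpt does not carry enough to explain the failure: `check_grant` and `list_grants` delegate to `rule:domain_admin_for_grants` and `rule:project_admin_for_grants`, neither of which is defined in the lines shown, while the one rule that is spelled out, `admin_on_project_filter`, is not referenced by either grant rule. Suggest adding the definitions of `domain_admin_for_grants`, `project_admin_for_grants`, `cloud_admin` and `admin_required` to the description. Two smaller points survive the edit unchanged: the auth body still contains `"user": {"` with a stray quote, which is not valid JSON, and step 3 still describes the list call as a HEAD request while reporting a JSON response body, so the method actually sent should be stated.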

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1503755

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1503755/+subscriptions