yahoo-eng-team team mailing list archive
Message #40302
[Bug 1503755] Re: Admin with project-scoped token unable to grant, check, list, revoke roles for domain group/user
Given Dolph's comment I'm marking this bug as invalid. Feel free to
reopen if you still think there is a bug.
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1503755
Title:
Admin with project-scoped token unable to grant, check, list, revoke
roles for domain group/user
Status in Keystone:
Invalid
Bug description:
Prerequisites:
1)Create group and user in some domain
2)Create some test role
3)Grant test role to domain group and to domain user
Steps to reproduce:
1)Get project-scoped token for admin user (using API: http://address:port/v3/auth/tokens) with header "Content-Type: application/json" and body
{
  "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "name": "admin",
          "domain": { "id": "default" },
          "password": "adminpwd"
        }
      }
    },
    "scope": {
      "project": {
        "name": "project_name",
        "domain": { "id": "default" }
      }
    }
  }
}
2)Using token from step 1 (from header "X-Subject-Token") check role
for domain group/user (HEAD type of request, API:
http://address:port/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
and API:
http://address:port/v3/domains/{domain_id}/users/{user_id}/roles/{role_id})
with headers "Content-Type: application/json" and "X-Auth-Token:
token_from_step_1"
Expected result:
Admin with project-scoped token should be able to check role for domain group/user
Actual result:
Admin with project-scoped token can't check role for domain group/user - there is a 403 HTTP code (Forbidden) and "No response received" in the body of the response
3)Using token from step 1 (from header "X-Subject-Token") list roles
for domain group/user (HEAD type of request, API:
http://address:port/v3/domains/{domain_id}/groups/{group_id}/roles and
API:
http://address:port/v3/domains/{domain_id}/users/{user_id}/roles) with
headers "Content-Type: application/json" and "X-Auth-Token:
token_from_step_1"
Expected result:
Admin with project-scoped token should be able to list roles for domain group/user
Actual result:
Admin with project-scoped token can't list roles for domain group/user - there is a 403 HTTP code (Forbidden) and the following body of response:
{
"error": {
"message": "You are not authorized to perform the requested action: identity:list_grants (Disable debug mode to suppress these details.)",
"code": 403,
"title": "Forbidden"
}
}
But an admin with a domain-scoped token can check and list roles for a domain
group/user, and can check and list roles for a project group/user.
The same applies to granting and revoking roles for/from a domain group/user.
In policy.json are the following:
"admin_on_project_filter" : "rule:cloud_admin or (rule:admin_required and (project_id:%(scope.project.id)s or domain_id:%(target.project.domain_id)s))",
"create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"list_grants": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1503755/+subscriptions
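An added example, not Keystone's or oslo.policy's code and not part of this report: a simplified evaluator for the rule grammar in the policy.json excerpt above (`rule:` references, `role:` checks, and `%(key)s` values substituted from the request target), run against the visible admin_on_project_filter rule. The definitions of cloud_admin and admin_required, the credential dicts, the flattened dotted-key target layout and every id are assumptions; domain_admin_for_grants and project_admin_for_grants are not on the page and are not modelled. It shows why a check whose `%(key)s` target attribute is absent (a domain-level target carries no project) can never pass for a project-scoped admin, which is the shape of denial behind a 403 like the one reported.

```python
import re
# Added example, not Keystone's or oslo.policy's code: a simplified evaluator
# for the rule grammar used in the report's policy.json excerpt.
RULES = {
    # Copied from the policy.json excerpt in the report.
    "admin_on_project_filter": "rule:cloud_admin or (rule:admin_required and "
        "(project_id:%(scope.project.id)s or domain_id:%(target.project.domain_id)s))",
    # ASSUMED definitions: the page does not show these two rules.
    "admin_required": "role:admin",
    "cloud_admin": "role:admin and domain_id:cloud-domain-id",
}
# Constructed credentials (token scope) and flattened dotted-key targets (assumed layout).
PROJECT_ADMIN = {"roles": ["admin"], "project_id": "proj-1"}
CLOUD_ADMIN = {"roles": ["admin"], "domain_id": "cloud-domain-id"}
SAME_PROJECT_TARGET = {"scope.project.id": "proj-1", "target.project.domain_id": "default"}
DOMAIN_TARGET = {"target.domain.id": "dom-1"}  # a domain-level target has no project keys
_TOKEN = re.compile(r"\(|\)|[\w.]+:%\([^)]+\)s|[^\s()]+")

def _atom(atom, creds, target, rules):
    """Evaluate one 'kind:value' check against the credentials and target."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return enforce(value, creds, target, rules)
    if kind == "role":
        return value in creds.get("roles", [])
    m = re.fullmatch(r"%\((.+)\)s", value)
    if m:  # %(key)s is substituted from the target; a key the target lacks
        if m.group(1) not in target:  # makes this check unsatisfiable
            return False
        value = target[m.group(1)]
    return creds.get(kind) == value

def enforce(rule_name, creds, target, rules=RULES):
    """Evaluate an 'a or (b and c)' rule string; 'and' binds tighter than 'or'."""
    toks, pos = _TOKEN.findall(rules[rule_name]), 0
    def parse(level=0):  # 0: or-expression, 1: and-expression, 2: atom or (...)
        nonlocal pos
        if level == 2:
            tok, pos = toks[pos], pos + 1
            if tok != "(":
                return _atom(tok, creds, target, rules)
            inner = parse()
            pos += 1  # consume the closing ')'
            return inner
        result = parse(level + 1)
        while pos < len(toks) and toks[pos].lower() == ("or", "and")[level]:
            pos += 1
            rhs = parse(level + 1)
            result = (result or rhs) if level == 0 else (result and rhs)
        return result
    return parse()
```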