
yahoo-eng-team team mailing list archive

[Bug 1503041] Re: Token scoped to a domain can generate token scoped to different domain


[Expired for OpenStack Identity (keystone) because there has been no
activity for 60 days.]

** Changed in: keystone
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1503041

Title:
  Token scoped to a domain can generate token scoped to different domain

Status in OpenStack Identity (keystone):
  Expired

Bug description:
  Based on Nathan's blog post on Restricting the abilities of Keystone
  tokens (https://blog-nkinder.rhcloud.com/?p=101), I experimented with
  domain-scoped tokens.

  Pre-req: User has admin privileges on two domains Default and
  TestDomain.

  Step 1: Generate unscoped token:

  cat auth-unsloped.json
  {
      "auth": {
          "identity": {
              "methods": [
                  "password"
              ],
              "password": {
                  "user": {
                      "domain": {
                          "name": "Default"
                      },
                      "name": "admin",
                      "password": "secretadmin"
                  }
              }
          }
      }
  }
  curl -i -X POST http://localhost:35357/v3/auth/tokens -d@xxxxxxxxxxxxxxxxxx -H "Content-Type:application/json"

  HTTP/1.1 201 Created
  Date: Mon, 05 Oct 2015 20:48:46 GMT
  Server: Apache/2.4.7 (Ubuntu)
  X-Subject-Token: 7b8dedc47a344378bba0c60d0d7a88fe
  Vary: X-Auth-Token
  x-openstack-request-id: req-e8e00db1-1875-47cf-96f8-b4504e095f78
  Content-Length: 297
  Content-Type: application/json

  {"token": {"methods": ["password"], "expires_at":
  "2015-10-05T21:48:47.009323Z", "extras": {}, "user": {"domain": {"id":
  "default", "name": "Default"}, "id":
  "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "audit_ids":
  ["7HNaW54JQdyiRq7asZGJ8Q"], "issued_at":
  "2015-10-05T20:48:47.009338Z"}}


  
  Step 2: Generate domain scoped token, scoped to domain Default:

  cat auth-token-default.json
  {
      "auth": {
          "identity": {
              "methods": [
                  "token"
              ],
              "token": {
                  "id": "7b8dedc47a344378bba0c60d0d7a88fe"
              }
          },
          "scope": {
              "domain": {
                  "name": "default"
              }
          }
      }
  }
  curl -i -X POST http://localhost:35357/v3/auth/tokens -d@xxxxxxxxxxxxxxxxxxxxxxx -H "Content-Type:application/json"

  HTTP/1.1 201 Created
  Date: Mon, 05 Oct 2015 20:31:34 GMT
  Server: Apache/2.4.7 (Ubuntu)
  X-Subject-Token: cb4787308bbb4666aeaf2fb477a3c86f
  Vary: X-Auth-Token
  x-openstack-request-id: req-5a2ce99c-7ab8-4473-b641-b87d62cacedb
  Content-Length: 1425
  Content-Type: application/json

  {
    "token": {
      "domain": {"id": "default", "name": "Default"},
      "methods": ["token", "password"],
      "roles": [{"id": "1688449cf1df44839b10a41e3d9b09dd", "name": "admin"}],
      "expires_at": "2015-10-05T21:31:06.973530Z",
      "catalog": [
        {
          "endpoints": [
            {"region_id": "RegionOne", "url": "http://10.0.2.15:9311", "region": "RegionOne", "interface": "public", "id": "183c129076834ca8b4e1798810a32d6d"},
            {"region_id": "RegionOne", "url": "http://10.0.2.15:9311", "region": "RegionOne", "interface": "internal", "id": "e1ea8f4d45904257b89bfd9d95518196"}
          ],
          "type": "key-manager",
          "id": "6fc885769eba436294f9d886cc405c74",
          "name": "barbican"
        },
        {
          "endpoints": [
            {"region_id": "RegionOne", "url": "http://10.0.2.15:5000/v2.0", "region": "RegionOne", "interface": "internal", "id": "961f5de3db964ca6894073e1bf256453"},
            {"region_id": "RegionOne", "url": "http://10.0.2.15:5000/v2.0", "region": "RegionOne", "interface": "public", "id": "a0b19c290c124d4ab1efef1a89769149"},
            {"region_id": "RegionOne", "url": "http://10.0.2.15:35357/v2.0", "region": "RegionOne", "interface": "admin", "id": "aab541336f1a410492a98b536037ca44"}
          ],
          "type": "identity",
          "id": "957546d7177e43e7a922e132ca76cb68",
          "name": "keystone"
        }
      ],
      "extras": {},
      "user": {"domain": {"id": "default", "name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"},
      "audit_ids": ["VvQjBGgUQceA4DiSqk0acw", "-Sv17e8CRJqhSANxJy9_-w"],
      "issued_at": "2015-10-05T20:31:34.810853Z"
    }
  }


  Step 3: Generate domain scoped token, scoped to TestDomain:

  cat auth-token-testdomain.json
  {
      "auth": {
          "identity": {
              "methods": [
                  "token"
              ],
              "token": {
                  "id": "cb4787308bbb4666aeaf2fb477a3c86f"
              }
          },
          "scope": {
              "domain": {
                  "name": "TestDomain"
              }
          }
      }
  }
  curl -i -X POST http://localhost:35357/v3/auth/tokens -d@xxxxxxxxxxxxxxxxxxxxxxxxxx -H "Content-Type:application/json"

  HTTP/1.1 201 Created
  Date: Mon, 05 Oct 2015 20:35:18 GMT
  Server: Apache/2.4.7 (Ubuntu)
  X-Subject-Token: 9b84d6a8894340e393a952ae2b366051
  Vary: X-Auth-Token
  x-openstack-request-id: req-745a90fe-92d0-425f-ac6b-8f8719e66dba
  Content-Length: 1453
  Content-Type: application/json

  {
    "token": {
      "domain": {"id": "b841c341125f4f46844aee7a8a8cfd80", "name": "TestDomain"},
      "methods": ["token", "password"],
      "roles": [{"id": "1688449cf1df44839b10a41e3d9b09dd", "name": "admin"}],
      "expires_at": "2015-10-05T21:31:06.973530Z",
      "catalog": [
        {
          "endpoints": [
            {"region_id": "RegionOne", "url": "http://10.0.2.15:9311", "region": "RegionOne", "interface": "public", "id": "183c129076834ca8b4e1798810a32d6d"},
            {"region_id": "RegionOne", "url": "http://10.0.2.15:9311", "region": "RegionOne", "interface": "internal", "id": "e1ea8f4d45904257b89bfd9d95518196"}
          ],
          "type": "key-manager",
          "id": "6fc885769eba436294f9d886cc405c74",
          "name": "barbican"
        },
        {
          "endpoints": [
            {"region_id": "RegionOne", "url": "http://10.0.2.15:5000/v2.0", "region": "RegionOne", "interface": "internal", "id": "961f5de3db964ca6894073e1bf256453"},
            {"region_id": "RegionOne", "url": "http://10.0.2.15:5000/v2.0", "region": "RegionOne", "interface": "public", "id": "a0b19c290c124d4ab1efef1a89769149"},
            {"region_id": "RegionOne", "url": "http://10.0.2.15:35357/v2.0", "region": "RegionOne", "interface": "admin", "id": "aab541336f1a410492a98b536037ca44"}
          ],
          "type": "identity",
          "id": "957546d7177e43e7a922e132ca76cb68",
          "name": "keystone"
        }
      ],
      "extras": {},
      "user": {"domain": {"id": "default", "name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"},
      "audit_ids": ["Ox3i-EzETI-kAj92reqfHg", "-Sv17e8CRJqhSANxJy9_-w"],
      "issued_at": "2015-10-05T20:35:18.093521Z"
    }
  }

  This demonstrates that a user can generate a token scoped to a domain
  and, using that token, generate a token scoped to a different domain
  without explicitly providing his credentials.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1503041/+subscriptions
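The following Python is an added example written for this archive page; it is not code from the bug report or from Keystone. It takes the three token bodies shown in the report (with the service catalog trimmed, and keyed by the X-Subject-Token values) and does two things a defender would want: it groups tokens by their audit chain id and flags any chain whose members carry more than one domain or project scope, which is exactly the rescope-across-domains pattern the reporter describes; and it models the guard a deployment would want in front of the "token" auth method, where a scoped token may only be re-issued for its own scope. The assumption that the last entry of `audit_ids` is the chain id inherited from the parent token follows the v3 token layout visible in the responses above (the second audit id is shared by both domain-scoped tokens).

```python
"""Detect and block cross-domain rescoping of Keystone v3 tokens.

Added example, not from the bug report or from Keystone. It assumes the v3
token layout shown in the report: an optional "domain" or "project" scope
block, "audit_ids" whose last entry is the audit chain id inherited from
the token that was rescoped, and an "issued_at" timestamp.
"""
import json
from collections import defaultdict

# Constructed sample input: the three token bodies from the report with the
# service catalog removed; keys are the X-Subject-Token values shown above.
SAMPLE_TOKENS = {
    "7b8dedc47a344378bba0c60d0d7a88fe": """
    {"token": {"methods": ["password"],
      "expires_at": "2015-10-05T21:48:47.009323Z", "extras": {},
      "user": {"domain": {"id": "default", "name": "Default"},
               "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"},
      "audit_ids": ["7HNaW54JQdyiRq7asZGJ8Q"],
      "issued_at": "2015-10-05T20:48:47.009338Z"}}""",
    "cb4787308bbb4666aeaf2fb477a3c86f": """
    {"token": {"domain": {"id": "default", "name": "Default"},
      "methods": ["token", "password"],
      "roles": [{"id": "1688449cf1df44839b10a41e3d9b09dd", "name": "admin"}],
      "expires_at": "2015-10-05T21:31:06.973530Z", "extras": {},
      "user": {"domain": {"id": "default", "name": "Default"},
               "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"},
      "audit_ids": ["VvQjBGgUQceA4DiSqk0acw", "-Sv17e8CRJqhSANxJy9_-w"],
      "issued_at": "2015-10-05T20:31:34.810853Z"}}""",
    "9b84d6a8894340e393a952ae2b366051": """
    {"token": {"domain": {"id": "b841c341125f4f46844aee7a8a8cfd80",
                          "name": "TestDomain"},
      "methods": ["token", "password"],
      "roles": [{"id": "1688449cf1df44839b10a41e3d9b09dd", "name": "admin"}],
      "expires_at": "2015-10-05T21:31:06.973530Z", "extras": {},
      "user": {"domain": {"id": "default", "name": "Default"},
               "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"},
      "audit_ids": ["Ox3i-EzETI-kAj92reqfHg", "-Sv17e8CRJqhSANxJy9_-w"],
      "issued_at": "2015-10-05T20:35:18.093521Z"}}""",
}


def token_scope(body):
    """Classify a v3 token body as project-, domain- or un-scoped."""
    tok = body["token"]
    if "project" in tok:
        return ("project", tok["project"]["id"])
    if "domain" in tok:
        return ("domain", tok["domain"]["id"])
    return ("unscoped", None)


def audit_chain_id(body):
    """Last audit id: inherited by every token rescoped from the same root,
    so it ties a rescoped token back to the token it was derived from."""
    return body["token"]["audit_ids"][-1]


def find_cross_scope_rescopes(bodies):
    """Group token bodies by audit chain and report chains that carry more
    than one distinct scope: a scoped token was used to mint a token for a
    different domain or project, the behaviour described in the report."""
    chains = defaultdict(list)
    for token_id, raw in bodies.items():
        body = json.loads(raw)
        chains[audit_chain_id(body)].append(
            (body["token"]["issued_at"], token_id, token_scope(body),
             body["token"]["user"]["id"]))
    findings = []
    for chain, members in chains.items():
        scopes = {scope for _, _, scope, _ in members if scope[0] != "unscoped"}
        if len(scopes) > 1:
            members.sort()  # chronological by issued_at
            findings.append({
                "chain": chain,
                "user": members[0][3],
                "scopes": sorted(scopes),
                "tokens": [token_id for _, token_id, _, _ in members],
            })
    return findings


def rescope_allowed(parent_raw, requested_scope):
    """Guard for the "token" auth method: an unscoped parent may be scoped
    anywhere the user holds roles; a scoped parent may only be re-issued for
    its own scope, so moving between domains requires fresh credentials."""
    parent_scope = token_scope(json.loads(parent_raw))
    if parent_scope[0] == "unscoped":
        return True
    return parent_scope == requested_scope


if __name__ == "__main__":
    for finding in find_cross_scope_rescopes(SAMPLE_TOKENS):
        print("cross-scope rescope in chain %s by user %s: %s"
              % (finding["chain"], finding["user"], finding["scopes"]))
```

Run against the report's data, the checker reports one chain (`-Sv17e8CRJqhSANxJy9_-w`) holding both the Default-scoped and the TestDomain-scoped token, while the unscoped token sits in its own chain and is ignored. The same grouping can be applied to token-issue audit records from a real deployment to spot accounts hopping between domains on a single login. For the preventive side, Keystone of that era exposed an `allow_rescope_scoped_token` option in the `[token]` section of keystone.conf; setting it to false makes the server refuse any rescope of an already-scoped token (check the configuration reference for your release), which is the server-side counterpart of `rescope_allowed` above.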