
yahoo-eng-team team mailing list archive

[Bug 1264325] Re: API v3 - Unable to perform scope independent operations with unscoped token

 

I have to agree with Adam here, unscoped tokens have a specific purpose,
to get a scoped token or to auth with a web UI.

APIs in keystone should very much be protected by a scoped request.
Unless a use-case is presented where using an unscoped token is much
easier for operators (and equally as safe), then I'm inclined to mark
this as won't fix as it does not align with the project's goal.

** Changed in: keystone
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1264325

Title:
  API v3 - Unable to perform scope independent operations with unscoped
  token

Status in OpenStack Identity (keystone):
  Won't Fix

Bug description:
  When getting an unscoped token, by authenticating against Keystone
  without a scope, one should be able to perform scope independant
  operations (when allowed to do so). For instance, an administrator
  should be able to manage domains, roles and possibly users, without
  needing to specify a scope.

  Unscoped tokens are currently not very useful, since they don't allow
  any such operation.

  $ curl -s -i http://localhost:5000/v3/auth/tokens \
  -H "Content-Type: application/json" \
  -d '{
      "auth": {
          "identity": {
              "methods": ["password"],
              "password": {
                  "user": {
                      "domain": {"name": "Default"},
                      "name": "admin",
                      "password": "YourPasswordHere"
                  }
              }
          }
      }
  }' | grep ^X-Subject-Token
  X-Subject-Token: b8c1cd2065ce4df39cbcb6e6111f9dba
  $
  $ curl -s -H "X-Auth-Token: b8c1cd2065ce4df39cbcb6e6111f9dba" \
  http://localhost:5000/v3/domains | python -m json.tool
  {
      "error": {
          "code": 403,
          "message": "You are not authorized to perform the requested action, identity:list_domains.",
          "title": "Forbidden"
      }
  }
  $
  $ curl -s -H "X-Auth-Token: b8c1cd2065ce4df39cbcb6e6111f9dba" \
  http://localhost:5000/v3/roles | python -m json.tool
  {
      "error": {
          "code": 403,
          "message": "You are not authorized to perform the requested action, identity:list_roles.",
          "title": "Forbidden"
      }
  }
  $
  $ curl -s -H "X-Auth-Token: b8c1cd2065ce4df39cbcb6e6111f9dba" \
  http://localhost:5000/v3/users | python -m json.tool
  {
      "error": {
          "code": 403,
          "message": "You are not authorized to perform the requested action, identity:list_users.",
          "title": "Forbidden"
      }
  }
  $

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1264325/+subscriptions
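The exchange in the bug report, modelled as an added example (this is not Keystone's code and not part of the bug thread): it builds the two v3 auth request bodies that matter here, the unscoped password auth from the report and the rescoping request that exchanges an unscoped token for a domain-scoped one, and then runs a deliberately simplified policy evaluator over constructed token bodies to show why the unscoped token gets 403. In v3, roles are granted on a project or a domain, so an unscoped token carries no `roles` list, and a rule such as `admin_required` (`role:admin`) can never match it. The `POLICY` dictionary is an assumed, cut-down rendering of the default `policy.json` shape of that era, the token ids and user ids are constructed, and `enforce`/`_evaluate` are hypothetical helpers, not the real `keystone.policy` engine.

```python
"""Model of why an unscoped Keystone v3 token is denied identity:* actions.

Added example, not Keystone code. Assumed/simplified: POLICY rules, token
bodies and ids are constructed to mirror the shape of real v3 responses.
"""
import json

KEYSTONE = "http://localhost:5000/v3"  # endpoint used in the bug report


def unscoped_password_auth(user, password, user_domain="Default"):
    """Request body for an unscoped token: note there is no 'scope' block."""
    return {"auth": {"identity": {"methods": ["password"],
                                  "password": {"user": {"domain": {"name": user_domain},
                                                        "name": user,
                                                        "password": password}}}}}


def rescope_to_domain(unscoped_token_id, domain_name):
    """Request body that exchanges an unscoped token for a domain-scoped token.

    This is the intended use of an unscoped token: POST it back to
    /v3/auth/tokens with the 'token' method and an explicit scope.
    """
    return {"auth": {"identity": {"methods": ["token"],
                                  "token": {"id": unscoped_token_id}},
                     "scope": {"domain": {"name": domain_name}}}}


# Assumed, simplified subset of the default policy: every identity:list_*
# action here requires the admin role (or the legacy is_admin flag).
POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "identity:list_domains": "rule:admin_required",
    "identity:list_roles": "rule:admin_required",
    "identity:list_users": "rule:admin_required",
}


def _evaluate(rule, creds):
    """Tiny evaluator for the 'a or b', 'rule:x', 'role:y', 'key:value' subset."""
    for alternative in rule.split(" or "):
        kind, _, value = alternative.strip().partition(":")
        if kind == "rule":
            if _evaluate(POLICY[value], creds):
                return True
        elif kind == "role":
            if value in creds.get("roles", []):
                return True
        elif str(creds.get(kind)) == value:
            return True
    return False


def enforce(action, token_body):
    """Return True if the token (shaped like a POST /v3/auth/tokens response) may perform action."""
    tok = token_body["token"]
    creds = {
        "user_id": tok["user"]["id"],
        # An unscoped token has no 'roles' key at all, so this list is empty.
        "roles": [r["name"] for r in tok.get("roles", [])],
        "domain_id": tok.get("domain", {}).get("id"),
        "project_id": tok.get("project", {}).get("id"),
        "is_admin": 0,
    }
    return _evaluate(POLICY[action], creds)


# Constructed sample token bodies (ids are made up, shape mirrors v3 responses).
UNSCOPED_TOKEN = {"token": {"methods": ["password"],
                            "user": {"id": "u-admin", "name": "admin",
                                     "domain": {"id": "default", "name": "Default"}}}}

DOMAIN_SCOPED_TOKEN = {"token": {"methods": ["token"],
                                 "user": UNSCOPED_TOKEN["token"]["user"],
                                 "domain": {"id": "default", "name": "Default"},
                                 "roles": [{"id": "r-admin", "name": "admin"}]}}


def demo():
    """Same action, unscoped versus domain-scoped token."""
    return {
        "unscoped_list_domains": enforce("identity:list_domains", UNSCOPED_TOKEN),
        "scoped_list_domains": enforce("identity:list_domains", DOMAIN_SCOPED_TOKEN),
    }


if __name__ == "__main__":
    print(json.dumps(unscoped_password_auth("admin", "YourPasswordHere"), indent=2))
    print(json.dumps(rescope_to_domain("<unscoped-token-id>", "Default"), indent=2))
    for name, allowed in demo().items():
        print(name, "->", "allowed" if allowed else "403 Forbidden")
```

The model reproduces the three 403s in the report for the unscoped token and shows the same action succeeding once the token is rescoped to a domain that grants the admin role, which is the flow the maintainers point to instead of loosening the policy.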