yahoo-eng-team team mailing list archive
Message #46720
[Bug 1264325] Re: API v3 - Unable to perform scope independent operations with unscoped token
I have to agree with Adam here: unscoped tokens have a specific purpose, to get a scoped token or to auth with a web UI. APIs in keystone should very much be protected by a scoped request. Unless a use-case is presented where using an unscoped token is much easier for operators (and equally as safe), then I'm inclined to mark this as won't fix as it does not align with the project's goal.
** Changed in: keystone
Status: Triaged => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1264325
Title:
API v3 - Unable to perform scope independent operations with unscoped token
Status in OpenStack Identity (keystone):
Won't Fix
Bug description:
When getting an unscoped token, by authenticating against Keystone without a scope, one should be able to perform scope independent operations (when allowed to do so). For instance, an administrator should be able to manage domains, roles and possibly users, without needing to specify a scope.
Unscoped tokens are currently not very useful, since they don't allow any such operation.
$ curl -s -i http://localhost:5000/v3/auth/tokens \
    -H "Content-Type: application/json" \
    -d '{
      "auth": {
        "identity": {
          "methods": ["password"],
          "password": {
            "user": {
              "domain": {"name": "Default"},
              "name": "admin",
              "password": "YourPasswordHere"
            }
          }
        }
      }
    }' | grep ^X-Subject-Token
X-Subject-Token: b8c1cd2065ce4df39cbcb6e6111f9dba
$
$ curl -s -H "X-Auth-Token: b8c1cd2065ce4df39cbcb6e6111f9dba" \
    http://localhost:5000/v3/domains | python -m json.tool
{
    "error": {
        "code": 403,
        "message": "You are not authorized to perform the requested action, identity:list_domains.",
        "title": "Forbidden"
    }
}
$
$ curl -s -H "X-Auth-Token: b8c1cd2065ce4df39cbcb6e6111f9dba" \
    http://localhost:5000/v3/roles | python -m json.tool
{
    "error": {
        "code": 403,
        "message": "You are not authorized to perform the requested action, identity:list_roles.",
        "title": "Forbidden"
    }
}
$
$ curl -s -H "X-Auth-Token: b8c1cd2065ce4df39cbcb6e6111f9dba" \
    http://localhost:5000/v3/users | python -m json.tool
{
    "error": {
        "code": 403,
        "message": "You are not authorized to perform the requested action, identity:list_users.",
        "title": "Forbidden"
    }
}
$
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1264325/+subscriptions
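The flow the Won't Fix implies, as an added example that is not code from the bug report or from keystone: take the unscoped token from the password auth shown above, exchange it for a domain-scoped token with the v3 "token" auth method, and only then call a policy-protected API such as /v3/domains. The endpoint URL, user name, password and domain name are assumptions; only the request shape for the unscoped auth comes from the report.

```python
"""Keystone v3: password -> unscoped token -> domain-scoped token -> API call.

Added example (not from the bug thread). Assumes a Keystone v3 endpoint at
KEYSTONE and the constructed credentials passed in by the caller.
"""
import json
import urllib.request

KEYSTONE = "http://localhost:5000/v3"  # assumed endpoint, as in the report


def password_auth_body(user, password, user_domain="Default"):
    """Unscoped password auth: the same request body the bug report sends."""
    return {"auth": {"identity": {"methods": ["password"], "password": {
        "user": {"name": user, "domain": {"name": user_domain},
                 "password": password}}}}}


def rescope_body(unscoped_token, domain=None, project=None, project_domain="Default"):
    """Exchange an unscoped token for a scoped one with the v3 'token' method.

    Exactly one of domain/project must be given; domain/role/user management
    is what a domain-scoped token is for, so that is the common choice here."""
    if (domain is None) == (project is None):
        raise ValueError("specify exactly one of domain or project")
    scope = ({"domain": {"name": domain}} if domain else
             {"project": {"name": project, "domain": {"name": project_domain}}})
    return {"auth": {"identity": {"methods": ["token"],
                                  "token": {"id": unscoped_token}},
                     "scope": scope}}


def token_scope(token_doc):
    """Classify a /v3/auth/tokens response body as 'domain', 'project' or 'unscoped'."""
    tok = token_doc["token"]
    if "domain" in tok:
        return "domain"
    if "project" in tok:
        return "project"
    return "unscoped"


def post_auth(body):
    """POST to /v3/auth/tokens; return (X-Subject-Token header, parsed body)."""
    req = urllib.request.Request(
        KEYSTONE + "/auth/tokens", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.headers["X-Subject-Token"], json.load(resp)


def list_domains(user, password, domain="Default"):
    """Never send the unscoped token to a protected API; rescope first."""
    unscoped, doc = post_auth(password_auth_body(user, password))
    assert token_scope(doc) == "unscoped"
    scoped, doc = post_auth(rescope_body(unscoped, domain=domain))
    req = urllib.request.Request(KEYSTONE + "/domains", headers={"X-Auth-Token": scoped})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["domains"]
```

Calling list_domains("admin", "YourPasswordHere") against a live Keystone returns the domain list that the unscoped token in the report was (correctly) refused; the scoped token is also what should appear in the X-Auth-Token header of any audited request.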