yahoo-eng-team team mailing list archive

[Bug 1458994] Re: When logged in as a pure domain admin, cannot list users in a group

 

Reviewed:  https://review.openstack.org/321128
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9e7f24c2353d107e448f4e8a0d926e3968c6673d
Submitter: Jenkins
Branch:    master

commit 9e7f24c2353d107e448f4e8a0d926e3968c6673d
Author: Rudolf Vriend <rudolf.vriend@xxxxxxx>
Date:   Wed May 25 18:49:47 2016 +0200

    Allow domain admins to list users in groups with v3 policy
    
    Domain admins (with a domain scoped token) could not list members of
    groups in their domain or groups of a user in their domain.
    This was due to 2 reasons: the v3 policy rule
    'identity:list_groups_for_user' was not evaluating the user's domain
    and the identity controller method protections of 'list_users_in_group'
    and 'list_groups_for_user' were not providing the required targets for
    the rules.
    
    Change-Id: Ibf8442a2ceefc2bb0941bd5e7beba6c252b2ab36
    Closes-Bug: #1433402
    Closes-Bug: #1458994
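To make the two causes named in the commit message concrete, here is an added example (not keystone's own code) of a minimal oslo.policy-style evaluator: the rule string, the `role:`/`domain_id:` clause handling, the `target.group` shape and the credential values are constructed for illustration, modelled on the v3 cloud sample policy, and are not copied from keystone.

```python
import re

# Constructed rule, modelled on the v3 cloud sample policy: an admin may
# list a group's users only if the group is in the domain of the token.
RULES = {
    "identity:list_users_in_group":
        "role:admin and domain_id:%(target.group.domain_id)s",
}

def _lookup(target, dotted):
    """Resolve e.g. 'group.domain_id' against the target dict; None if absent."""
    cur = target
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def check(action, creds, target):
    """Evaluate every 'and'-joined clause of the rule for `action`."""
    for clause in RULES[action].split(" and "):
        kind, _, value = clause.partition(":")
        if kind == "role":
            if value not in creds.get("roles", []):
                return False
            continue
        # 'domain_id:%(target.group.domain_id)s' compares a token attribute
        # with an attribute of the target the controller passed in.
        m = re.fullmatch(r"%\(target\.([\w.]+)\)s", value)
        expected = _lookup(target, m.group(1)) if m else value
        if expected is None or creds.get(kind) != expected:
            return False   # no target (or wrong domain) -> 403 Forbidden
    return True

# Constructed domain-scoped admin token, like the "mario"/"nintendo" report.
DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "nintendo-dom"}

def without_target():
    """Before the fix: the controller passed no group target, so the
    domain clause can never match and the domain admin is refused."""
    return check("identity:list_users_in_group", DOMAIN_ADMIN, {})

def with_target(group_domain_id):
    """After the fix: the group is supplied as target.group, so the rule
    can compare the group's domain with the token's domain."""
    return check("identity:list_users_in_group", DOMAIN_ADMIN,
                 {"group": {"domain_id": group_domain_id}})
```

The same mechanism explains the first cause: a rule that never references the user's domain cannot be made to pass for a domain admin, however the target is supplied.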


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1458994

Title:
  When logged in as a pure domain admin, cannot list users in a group

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  When using domain-scoped tokens, and trying to add users to a group, keystone throws the error {u'error': {u'code': 403,
    u'message': u'You are not authorized to perform the requested action: identity:list_users_in_group (Disable debug mode to suppress these details.)',
    u'title': u'Forbidden'}}.

  To reproduce this bug you may use the following code:

  import json
  import os

  import requests

  # The original report left OS_AUTH_URL, OS_USERNAME and OS_PASSWORD
  # undefined; they are read from the environment here. OS_AUTH_URL is the
  # v3 token endpoint (.../v3/auth/tokens) of the keystone host used below.
  OS_AUTH_URL = os.environ['OS_AUTH_URL']
  OS_USERNAME = os.environ['OS_USERNAME']
  OS_PASSWORD = os.environ['OS_PASSWORD']


  def get_unscoped_token(username, password, domain):
      """Password authentication; returns an unscoped token."""
      headers = {'Content-Type': 'application/json'}
      payload = {'auth': {'identity': {'password': {'user': {'domain': {'name': domain}, 'password': password, 'name': username}}, 'methods': ['password']}}}
      r = requests.post(OS_AUTH_URL, data=json.dumps(payload), headers=headers)
      r.raise_for_status()
      return r.headers['X-Subject-Token']

  def get_token_scoped_to_domain(unscoped_token, domain):
      """Exchange an unscoped token for one scoped to the named domain."""
      headers = {'Content-Type': 'application/json'}
      payload = {"auth": {"scope": {"domain": {"name": domain}}, "identity": {"token": {"id": unscoped_token}, "methods": ["token"]}}}
      r = requests.post(OS_AUTH_URL, data=json.dumps(payload), headers=headers)
      r.raise_for_status()
      return r.headers['X-Subject-Token']

  def get_token_scoped_to_project(unscoped_token, project):
      """Exchange an unscoped token for one scoped to the named project (not used below)."""
      headers = {'Content-Type': 'application/json'}
      payload = {"auth": {"scope": {"project": {"name": project}}, "identity": {"token": {"id": unscoped_token}, "methods": ["token"]}}}
      r = requests.post(OS_AUTH_URL, data=json.dumps(payload), headers=headers)
      r.raise_for_status()
      return r.headers['X-Subject-Token']

  def list_domains(token):
      headers = {'Content-Type': 'application/json',
                 'Accept': 'application/json',
                 'X-Auth-Token': token}
      r = requests.get("http://192.168.27.100:35357/v3/domains", headers=headers)
      return r.json()["domains"]

  def list_groups_for_domain(domain_id, token):
      headers = {'Content-Type': 'application/json',
                 'X-Auth-Token': token}
      r = requests.get("http://192.168.27.100:5000/v3/groups?domain_id=%s" % domain_id, headers=headers)
      return r.json()["groups"]

  def get_domain_named(domain_name, token):
      # The original called list_domains with the global `domain_token`
      # instead of the `token` argument.
      domains = list_domains(token)
      return next(x for x in domains if x.get("name") == domain_name)

  def get_group_named_in_domain(group_name, domain_id, token):
      groups = list_groups_for_domain(domain_id, token)
      return next(x for x in groups if x.get("name") == group_name)

  def get_users_in_group_in_domain(group_id, domain_id, token):
      headers = {'Content-Type': 'application/json',
                 'Accept': 'application/json',
                 'X-Auth-Token': token}
      r = requests.get("http://192.168.27.100:35357/v3/groups/%s/users?domain_id=%s" % (group_id, domain_id), headers=headers)
      return r.json()


  # Look up the "nintendo" domain with a token scoped to the default domain.
  unscoped_token = get_unscoped_token(OS_USERNAME, OS_PASSWORD, "default")
  domain_token = get_token_scoped_to_domain(unscoped_token, "default")
  nintendo_domain = get_domain_named("nintendo", domain_token)

  # nintendo domain operations, as the domain admin "mario"
  unscoped_token = get_unscoped_token("mario", "pass", "nintendo")
  domain_token = get_token_scoped_to_domain(unscoped_token, "nintendo")

  list_groups_for_domain(nintendo_domain.get("id"), domain_token)

  mygroup = get_group_named_in_domain("mygroup", nintendo_domain.get("id"), domain_token)

  # With a pure domain-scoped admin token this returns the 403 error quoted above.
  print(get_users_in_group_in_domain(mygroup.get("id"), nintendo_domain.get("id"), domain_token))
