yahoo-eng-team team mailing list archive
Message #51870
[Bug 1458994] Re: When logged in as a pure domain admin, cannot list users in a group
Reviewed: https://review.openstack.org/321128
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9e7f24c2353d107e448f4e8a0d926e3968c6673d
Submitter: Jenkins
Branch: master
commit 9e7f24c2353d107e448f4e8a0d926e3968c6673d
Author: Rudolf Vriend <rudolf.vriend@xxxxxxx>
Date: Wed May 25 18:49:47 2016 +0200
Allow domain admins to list users in groups with v3 policy
Domain admins (with a domain scoped token) could not list members of
groups in their domain or groups of a user in their domain.
This was due to 2 reasons: the v3 policy rule
'identity:list_groups_for_user' was not evaluating the user's domain
and the identity controller method protections of 'list_users_in_group'
and 'list_groups_for_user' were not providing the required targets for
the rules.
Change-Id: Ibf8442a2ceefc2bb0941bd5e7beba6c252b2ab36
Closes-Bug: #1433402
Closes-Bug: #1458994
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1458994
Title:
When logged in as a pure domain admin, cannot list users in a group
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
When using domain scoped tokens, and trying to add users to a group, keystone throws the error {u'error': {u'code': 403,
u'message': u'You are not authorized to perform the requested action: identity:list_users_in_group (Disable debug mode to suppress these details.)',
u'title': u'Forbidden'}}.
To reproduce this bug you may use the following code:
    import json
    import os

    import requests

    # The script relied on OS_AUTH_URL, OS_USERNAME and OS_PASSWORD being defined
    # elsewhere; here they are read from the usual OpenStack environment variables
    # (assumed: OS_AUTH_URL is the v3 tokens endpoint, e.g. http://host:5000/v3/auth/tokens).
    OS_AUTH_URL = os.environ["OS_AUTH_URL"]
    OS_USERNAME = os.environ["OS_USERNAME"]
    OS_PASSWORD = os.environ["OS_PASSWORD"]

    JSON_HEADERS = {'Content-Type': 'application/json', 'Accept': 'application/json'}


    def _auth_headers(token):
        headers = dict(JSON_HEADERS)
        headers['X-Auth-Token'] = token
        return headers


    def get_unscoped_token(username, password, domain):
        # Password authentication without a scope yields an unscoped token.
        payload = {'auth': {'identity': {'methods': ['password'],
                                         'password': {'user': {'domain': {'name': domain},
                                                               'name': username,
                                                               'password': password}}}}}
        r = requests.post(OS_AUTH_URL, data=json.dumps(payload), headers=JSON_HEADERS)
        r.raise_for_status()
        return r.headers['X-Subject-Token']


    def get_token_scoped_to_domain(unscoped_token, domain):
        # Exchange the unscoped token for a domain-scoped one (the case that fails).
        payload = {'auth': {'scope': {'domain': {'name': domain}},
                            'identity': {'methods': ['token'],
                                         'token': {'id': unscoped_token}}}}
        r = requests.post(OS_AUTH_URL, data=json.dumps(payload), headers=JSON_HEADERS)
        r.raise_for_status()
        return r.headers['X-Subject-Token']


    def get_token_scoped_to_project(unscoped_token, project):
        # Exchange the unscoped token for a project-scoped one (kept for comparison).
        payload = {'auth': {'scope': {'project': {'name': project}},
                            'identity': {'methods': ['token'],
                                         'token': {'id': unscoped_token}}}}
        r = requests.post(OS_AUTH_URL, data=json.dumps(payload), headers=JSON_HEADERS)
        r.raise_for_status()
        return r.headers['X-Subject-Token']


    def list_domains(token):
        r = requests.get("http://192.168.27.100:35357/v3/domains", headers=_auth_headers(token))
        r.raise_for_status()
        return r.json()["domains"]


    def list_groups_for_domain(domain_id, token):
        r = requests.get("http://192.168.27.100:5000/v3/groups?domain_id=%s" % domain_id,
                         headers=_auth_headers(token))
        r.raise_for_status()
        return r.json()["groups"]


    def get_domain_named(domain_name, token):
        # The original looked up domains with the global domain_token instead of the argument.
        domains = list_domains(token)
        return next(x for x in domains if x.get("name") == domain_name)


    def get_group_named_in_domain(group_name, domain_id, token):
        groups = list_groups_for_domain(domain_id, token)
        return next(x for x in groups if x.get("name") == group_name)


    def get_users_in_group_in_domain(group_id, domain_id, token):
        # Returns the raw body so the 403 error document is visible when the bug triggers.
        r = requests.get("http://192.168.27.100:35357/v3/groups/%s/users?domain_id=%s"
                         % (group_id, domain_id), headers=_auth_headers(token))
        return r.json()


    # Look up the 'nintendo' domain as the default-domain admin.
    unscoped_token = get_unscoped_token(OS_USERNAME, OS_PASSWORD, "default")
    domain_token = get_token_scoped_to_domain(unscoped_token, "default")
    nintendo_domain = get_domain_named("nintendo", domain_token)

    # nintendo domain operations, as a pure domain admin of that domain
    unscoped_token = get_unscoped_token("mario", "pass", "nintendo")
    domain_token = get_token_scoped_to_domain(unscoped_token, "nintendo")
    list_groups_for_domain(nintendo_domain.get("id"), domain_token)
    mygroup = get_group_named_in_domain("mygroup", nintendo_domain.get("id"), domain_token)
    print(get_users_in_group_in_domain(mygroup.get("id"), nintendo_domain.get("id"), domain_token))
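The commit message above attributes the 403 to the controller not supplying a target for the policy rule. The following is an added illustration, not keystone code or the reporter's script: a small evaluator for a flat subset of the v3 policy syntax (rule names and wording modelled on keystone's policy.v3cloudsample.json, which is an assumption) showing that a domain-scoped admin token is denied identity:list_users_in_group when the rule is enforced without a target, and allowed only once the group, with its domain_id, is passed as the target and matches the token's domain.

```python
import re

# Subset of keystone's v3 cloud-sample policy (assumption: modelled on policy.v3cloudsample.json).
POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "admin_and_matching_target_group_domain_id":
        "rule:admin_required and domain_id:%(target.group.domain_id)s",
    "identity:list_users_in_group":
        "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
}


def _lookup(target, path):
    """Resolve a dotted path such as target.group.domain_id; None if any part is absent."""
    node = target
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _check(term, creds, target):
    """One term: rule:<name>, role:<name>, or <cred_key>:<literal or %(target...)s>."""
    kind, _, value = term.partition(":")
    if kind == "rule":
        return evaluate(value, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    m = re.fullmatch(r"%\((.+)\)s", value)
    if m:
        value = _lookup({"target": target}, m.group(1))
        if value is None:  # controller supplied no usable target: the term fails
            return False
    return creds.get(kind) == value


def evaluate(rule, creds, target):
    """'or' of 'and' groups, the flat form used by the sample rules above."""
    return any(all(_check(t, creds, target) for t in conj.split(" and "))
               for conj in POLICY[rule].split(" or "))


def list_users_in_group_allowed(creds, group, provide_target):
    """Before the fix the protection passed no target; after it, the group (with domain_id)."""
    target = {"group": group} if provide_target else {}
    return evaluate("identity:list_users_in_group", creds, target)


# Constructed sample data: a domain admin of 'nintendo' and a group in that domain.
DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "nintendo_id"}
MYGROUP = {"id": "g1", "domain_id": "nintendo_id"}
```

A group from another domain, passed as target, is still denied, which is the check the domain_id term exists to enforce.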
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1458994/+subscriptions