
yahoo-eng-team team mailing list archive

[Bug 1433402] Re: list users in group unauthorised with v3 policy


Reviewed:  https://review.openstack.org/321128
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9e7f24c2353d107e448f4e8a0d926e3968c6673d
Submitter: Jenkins
Branch:    master

commit 9e7f24c2353d107e448f4e8a0d926e3968c6673d
Author: Rudolf Vriend <rudolf.vriend@xxxxxxx>
Date:   Wed May 25 18:49:47 2016 +0200

    Allow domain admins to list users in groups with v3 policy
    
    Domain admins (with a domain scoped token) could not list members of
    groups in their domain or groups of a user in their domain.
    This was due to two reasons: the v3 policy rule
    'identity:list_groups_for_user' was not evaluating the user's domain,
    and the identity controller method protections of 'list_users_in_group'
    and 'list_groups_for_user' were not providing the required targets for
    the rules.
    
    Change-Id: Ibf8442a2ceefc2bb0941bd5e7beba6c252b2ab36
    Closes-Bug: #1433402
    Closes-Bug: #1458994


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1433402

Title:
  list users in group unauthorised with v3 policy

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Two identity APIs have an unauthorised issue with v3 policy. They are
  list_users_in_group and list_groups_for_user:

  The domain admin should have permission to call these two APIs, but
  the calls fail.

  Repro steps:
  * use v3 policy as config
  1. Create domain
  2. Create admin user 'userA' under domain (assign admin role to the user with domain scope)
  3. Create a normal domain user 'userB' (with domain admin userA's token)
  4. Create a normal domain group 'groupB'  (with domain admin userA's token)
  5. Add userB as a member of groupB (with domain admin userA's token)
  6. list_users_in_group with groupB's id as param (with domain admin userA's token), unauthorized
  7. list_groups_for_user with userB's id as param (with domain admin userA's token), unauthorized

  Both step 6 and step 7 use the domain token.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1433402/+subscriptions
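The commit message gives two causes for the repro steps failing: the v3 policy rule never compared the token's domain against the target user's domain, and the controller never handed that target to the policy engine. The script below is an added example that models both causes with a deliberately small oslo.policy-style rule evaluator; it is not keystone's own code or the text of the fix. The rule strings (modelled on the shape of policy.v3cloudsample.json), the flat `target.user.domain_id` key, the `pass_target` switch standing in for the controller protection, and the identifiers `domainX`, `domainY`, `userB`, `userC` are all assumptions made for illustration.

```python
"""Model of why a domain-scoped admin token was denied for
identity:list_groups_for_user, and what each half of the fix changes.
Added example, not keystone code; rule text and target keys are assumed."""


def _atom(rules, atom, creds, target):
    """Evaluate one 'kind:match' check the way oslo.policy's generic checks do.

    'rule:' recurses into another named rule, 'role:' looks in the token's
    roles, and anything else compares a credential attribute against a
    literal or against '%(key)s' taken from the target dict. A target key
    that the controller never supplied makes the check fail: this is the
    second cause named in the commit message."""
    if atom == "@":
        return True
    if atom == "!":
        return False
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return enforce(rules, match, creds, target)
    if kind == "role":
        return match in creds.get("roles", ())
    try:
        expected = match % target
    except KeyError:
        return False
    if kind not in creds:
        return False
    return str(creds[kind]) == expected


def enforce(rules, action, creds, target):
    """'and' binds tighter than 'or'; parentheses are not modelled."""
    expr = rules[action]
    return any(
        all(_atom(rules, a.strip(), creds, target) for a in conj.split(" and "))
        for conj in expr.split(" or ")
    )


# Assumed rule set shaped like policy.v3cloudsample.json. In the 'before'
# state only the cloud admin can call the API: the target user's domain is
# never consulted (first cause in the commit message).
RULES_BEFORE = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "admin_and_matching_target_user_domain_id":
        "rule:admin_required and domain_id:%(target.user.domain_id)s",
    "identity:list_groups_for_user": "rule:cloud_admin",
}
RULES_AFTER = dict(RULES_BEFORE)
RULES_AFTER["identity:list_groups_for_user"] = (
    "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id"
)


def list_groups_for_user(rules, creds, user, *, pass_target):
    """Stand-in for the controller protection. With pass_target=False the
    policy engine is called without the user, as in the buggy controller."""
    target = {"target.user.domain_id": user["domain_id"]} if pass_target else {}
    return enforce(rules, "identity:list_groups_for_user", creds, target)


# Constructed tokens and users mirroring the repro steps.
DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "domainX"}   # userA, domain-scoped
CLOUD_ADMIN = {"roles": ["admin"], "domain_id": "admin_domain_id"}
USER_B = {"id": "userB", "domain_id": "domainX"}
OTHER_USER = {"id": "userC", "domain_id": "domainY"}          # not in userA's domain


def reproduce():
    """Outcome of step 7 under each combination of rule and controller."""
    return {
        # Bug as reported: domain admin denied, cloud admin allowed.
        "before_domain_admin": list_groups_for_user(
            RULES_BEFORE, DOMAIN_ADMIN, USER_B, pass_target=False),
        "before_cloud_admin": list_groups_for_user(
            RULES_BEFORE, CLOUD_ADMIN, USER_B, pass_target=False),
        # Fixing only the rule is not enough: without the target the
        # %(target.user.domain_id)s substitution fails closed.
        "rule_fixed_no_target": list_groups_for_user(
            RULES_AFTER, DOMAIN_ADMIN, USER_B, pass_target=False),
        # Both halves applied: same-domain user allowed, other domain denied.
        "fixed_same_domain": list_groups_for_user(
            RULES_AFTER, DOMAIN_ADMIN, USER_B, pass_target=True),
        "fixed_other_domain": list_groups_for_user(
            RULES_AFTER, DOMAIN_ADMIN, OTHER_USER, pass_target=True),
    }


if __name__ == "__main__":
    for name, allowed in reproduce().items():
        print(f"{name}: {'allowed' if allowed else 'unauthorised'}")
```

The last case is the check worth keeping when reviewing a policy change like this one: once the controller supplies the target, the domain comparison in the rule is what stops a domain admin in domainX from listing the groups of a user in domainY, so a rule that merely drops the domain check would open the API across domains instead of fixing it.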

