
yahoo-eng-team team mailing list archive

[Bug 1324023] Re: Can't consume trusts on domains

 

Trusts were not designed to support domain delegation. This is not a
bug, but a request for enhancement. Please create a specification in
keystone-specs that outlines a use case for this enhancement. I would
think delegating permission to a user across an entire domain would lead
to all sorts of security issues.

** Changed in: keystone
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1324023

Title:
  Can't consume trusts on domains

Status in OpenStack Identity (keystone):
  Won't Fix

Bug description:
  When trying to create a trust on a project, I always get a "forbidden"
  error. When creating a trust on a domain, the trust is created
  successfully but then I get this error when trying to use it:

  "Expecting to find id or name in project. The server could not comply
  with the request since it is either malformed or otherwise incorrect.
  The client is assumed to be in error."

  To recreate:
  1) Create a domain called dom1:
  curl -X POST -H "X-Auth-Token:$MYTOKEN" -H "Content-type:application/json" http://localhost:35357/v3/domains -d '{"domain": {"name": "dom1", "enabled": true}}'

  2) Create a user called dom1admin:
  curl -X POST -H "X-Auth-Token:$MYTOKEN" -H "Content-type:application/json" http://localhost:35357/v3/users -d '{"user": {"name": "dom1admin", "password": "dom1admin", "domain_id": "53f39ebfa9b44f4ab2543a151ac29d3f", "enabled": true}}'

  3) Give dom1admin the "admin" role on the domain:
  curl -X PUT -H "X-Auth-Token:$MYTOKEN" http://localhost:35357/v3/domains/53f39ebfa9b44f4ab2543a151ac29d3f/users/09d1e1931f564952abb7a4f515a28f35/roles/d43cb0756e2848ee800bbd5d90e207d1

  4) With a token of dom1admin, create a project called dom1proj1:
  curl -X POST -H "X-Auth-Token:$TOKEN" -H "Content-type:application/json" http://localhost:35357/v3/projects -d '{"project": {"name": "dom1proj1", "domain_id": "53f39ebfa9b44f4ab2543a151ac29d3f", "enabled": true}}'

  5) Create a user called dom1proj1admin:
  curl -X POST -H "X-Auth-Token:$TOKEN" -H "Content-type:application/json" http://localhost:35357/v3/users -d '{"user": {"name": "dom1proj1admin", "password": "dom1proj1admin", "domain_id": "53f39ebfa9b44f4ab2543a151ac29d3f", "enabled": true}}'

  6) Grant admin rights to dom1proj1admin:
  curl -X PUT -H "X-Auth-Token:$MYTOKEN" http://localhost:35357/v3/projects/8ec21ac3aa2c4d0f961ea3df6e77514a/users/308402875e10487dbf59941b20abc84c/roles/d43cb0756e2848ee800bbd5d90e207d1

  7) Repeat steps 4-6 to create dom1proj2, dom1proj2admin, and role
  granting.

  8) With a token of dom1proj1admin, create a trust to give admin rights to dom1proj2admin:
  curl -X POST -H "X-Auth-Token:$TOKEN" -H "Content-type:application/json" http://localhost:35357/v3/OS-TRUST/trusts -d '{"trust": {"expires_at": "2015-02-27T18:30:59.999999Z", "impersonation": true, "project_id": "8ec21ac3aa2c4d0f961ea3df6e77514a", "role": [{"name": "admin"}], "trustee_user_id": "3e919ca95be540ffb3e132be5fc367f2", "trustor_user_id": "308402875e10487dbf59941b20abc84c"}}'

  You get:
  {
      "error": {
          "code": 403,
          "message": "You are not authorized to perform the requested action.",
          "title": "Forbidden"
      }
  }

  I tried different rules in the policy file but couldn't get this to
  work.

  9) With a token of dom1admin, give a trust on the domain to user dom1proj1admin:
  curl -X POST -H "X-Auth-Token:$TOKEN" -H "Content-type:application/json" http://localhost:35357/v3/OS-TRUST/trusts -d '{"trust": {"expires_at": "2015-02-27T18:30:59.999999Z", "impersonation": true, "domain_id": "3e919ca95be540ffb3e132be5fc367f2", "role": [{"name": "admin"}], "trustee_user_id": "3e919ca95be540ffb3e132be5fc367f2", "trustor_user_id": "09d1e1931f564952abb7a4f515a28f35"}}'

  Trust is created:
  {
      "trust": {
          "domain_id": "3e919ca95be540ffb3e132be5fc367f2",
          "expires_at": "2015-02-27T18:30:59.999999Z",
          "id": "6c6b7e4067d64df2acb9a9e33579fbc9",
          "impersonation": true,
          "links": {
              "self": "http://localhost:35357/v3/OS-TRUST/trusts/6c6b7e4067d64df2acb9a9e33579fbc9"
          },
          "project_id": null,
          "remaining_uses": null,
          "role": [
              {
                  "name": "admin"
              }
          ],
          "roles": [],
          "roles_links": {
              "next": null,
              "previous": null,
              "self": "http://localhost:35357/v3/OS-TRUST/trusts/6c6b7e4067d64df2acb9a9e33579fbc9/roles"
          },
          "trustee_user_id": "3e919ca95be540ffb3e132be5fc367f2",
          "trustor_user_id": "09d1e1931f564952abb7a4f515a28f35"
      }
  }

  10) With a token of dom1proj1admin, try to consume the trust:
  {
      "auth": {
          "identity": {
              "methods": [
                  "token"
              ],
              "token": {
                  "id": "$TOKEN2"
              }
          },
          "scope": {
              "OS-TRUST:trust": {
                  "id": "6c6b7e4067d64df2acb9a9e33579fbc9"
              }
          }
      }
  }

  You get:
  {"error": {"message": "Expecting to find id or name in project. The server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.", "code": 400, "title": "Bad Request"}}

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1324023/+subscriptions
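The scoping failure in steps 9 and 10 above (a trust created with a domain_id is accepted, but cannot be consumed because a trust-scoped token has to be scoped to a project) can be caught on the client before the request is sent. The following is an added example, not keystone code and not the reporter's: a preflight for the v3 trust body plus the trust-scoped auth body from step 10. The ids, the reference time NOW and the function names are constructed for the example; the check on the `role`/`roles` key reflects that the v3 API's key for delegated roles is `roles`, while the report's request used `role` and the created trust came back with `"roles": []`.

```python
from datetime import datetime, timezone

# Constructed placeholder ids and a fixed reference time (the bug dates from May 2014);
# these are not the ids from the report.
TRUSTOR, TRUSTEE, PROJECT, DOMAIN = "trustor-uid", "trustee-uid", "proj-id", "dom-id"
NOW = datetime(2014, 5, 28, tzinfo=timezone.utc)

def build_trust(trustor_id, trustee_id, roles, expires_at,
                project_id=None, domain_id=None, impersonation=False):
    """Body for POST /v3/OS-TRUST/trusts; the API key for delegated roles is 'roles'."""
    trust = {"trustor_user_id": trustor_id, "trustee_user_id": trustee_id,
             "roles": [{"name": r} for r in roles], "expires_at": expires_at,
             "impersonation": impersonation}
    if project_id:
        trust["project_id"] = project_id
    if domain_id:
        trust["domain_id"] = domain_id
    return {"trust": trust}

def preflight_trust(body, now):
    """Return the problems keystone rejects, or accepts and then fails on when consumed."""
    t = body.get("trust", {})
    problems = []
    if t.get("domain_id") and not t.get("project_id"):
        # The step 10 failure: a trust-scoped token has to be scoped to a project.
        problems.append("domain-scoped trust: trusts delegate project roles only")
    elif not t.get("project_id"):
        problems.append("project_id missing")
    if "role" in t and "roles" not in t:
        # The report sent 'role'; the created trust came back with "roles": [].
        problems.append("'role' is not the API key; use 'roles' or nothing is delegated")
    if not t.get("roles"):
        problems.append("no roles delegated")
    if t.get("trustor_user_id") == t.get("trustee_user_id"):
        problems.append("trustor and trustee are the same user")
    if t.get("expires_at"):
        exp = datetime.strptime(t["expires_at"], "%Y-%m-%dT%H:%M:%S.%fZ")
        if exp.replace(tzinfo=timezone.utc) <= now:
            problems.append("expires_at is not in the future")
    return problems

def build_trust_scoped_auth(token_id, trust_id):
    """Body for POST /v3/auth/tokens that consumes a trust (the step 10 request)."""
    return {"auth": {"identity": {"methods": ["token"], "token": {"id": token_id}},
                     "scope": {"OS-TRUST:trust": {"id": trust_id}}}}
```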

