yahoo-eng-team team mailing list archive

[Lance Bragstad <lbragstad@xxxxxxxxx>]

Public bug reported:

The policy that protects the identity:get_domain API (GET
/v3/domains/{domain_id}) doesn't work as expected when using project-
scoped or domain-scoped tokens.

If a user has a token scoped to a project within a domain, they should
be able to fetch that domain. If a user has a token scoped to a domain,
they should be able to call access that API for that domain. Currently,
both cases return an HTTP 403 Forbidden.

A unit test exposes the broken behavior for project-scoped tokens [0].

[0] https://review.openstack.org/#/c/605560/1

** Affects: keystone
     Importance: Medium
         Status: Triaged

** Changed in: keystone
       Status: New => Triaged

** Changed in: keystone
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1794864

Title:
  Calling GET /v3/domains/{domain_id} with a project-scoped or domain-
  scoped token fails

Status in OpenStack Identity (keystone):
  Triaged

Bug description:
  The policy that protects the identity:get_domain API (GET
  /v3/domains/{domain_id}) doesn't work as expected when using project-
  scoped or domain-scoped tokens.

  If a user has a token scoped to a project within a domain, they should
  be able to fetch that domain. If a user has a token scoped to a
  domain, they should be able to call access that API for that domain.
  Currently, both cases return an HTTP 403 Forbidden.

  A unit test exposes the broken behavior for project-scoped tokens [0].

  [0] https://review.openstack.org/#/c/605560/1

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1794864/+subscriptions