yahoo-eng-team team mailing list archive

[Bug 1794864] Re: Calling GET /v3/domains/{domain_id} with a project-scoped or domain-scoped token fails

 

Reviewed:  https://review.openstack.org/605871
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2c8f81af62cd03601fca259647991d5dd7f8d560
Submitter: Zuul
Branch:    master

commit 2c8f81af62cd03601fca259647991d5dd7f8d560
Author: Lance Bragstad <lbragstad@xxxxxxxxx>
Date:   Thu Sep 27 21:51:12 2018 +0000

    Allow project users to retrieve domains
    
    This commit adds thorough testing to make sure users who have a role
    on a project can use project-scoped tokens to call GET
    /v3/domain/{domain_id} for the domain that owns their project. These users
    are not allowed to access domains that they don't have any
    authorization via project role assignments.
    
    This ensures the domains API is tested with these cases and makes the
    domains API more self-serviceable for users that are not
    administrators.
    
    Change-Id: Ifc100a7a235140fbd07cbafe80983d3c2f17a7dc
    Closes-Bug: 1794864
    Related-Bug: 968696


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1794864

Title:
  Calling GET /v3/domains/{domain_id} with a project-scoped or
  domain-scoped token fails

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  The policy that protects the identity:get_domain API (GET
  /v3/domains/{domain_id}) doesn't work as expected when using
  project-scoped or domain-scoped tokens.

  If a user has a token scoped to a project within a domain, they should
  be able to fetch that domain. If a user has a token scoped to a
  domain, they should be able to call that API for that domain.
  Currently, both cases return an HTTP 403 Forbidden.

  A unit test exposes the broken behavior for project-scoped tokens [0].

  [0] https://review.openstack.org/#/c/605560/1

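A small model of the behaviour the bug description asks for, added here as an illustration; it is not keystone's code or its policy rule. The token dictionaries follow the shape of a Keystone v3 token body, their IDs are constructed, and treating an unscoped token as unauthorized is an assumption of this model.

```python
# Illustrative model only; not keystone's policy engine or its rule text.
from http import HTTPStatus


def token_domain_ids(token):
    """Return the domain IDs that the token's *scope* grants access to."""
    ids = set()
    # Domain-scoped token: the scope is the domain itself.
    domain = token.get("domain")
    if isinstance(domain, dict) and domain.get("id"):
        ids.add(domain["id"])
    # Project-scoped token: the scope is a project, so use the domain
    # that owns that project.
    project = token.get("project")
    if isinstance(project, dict):
        owner = project.get("domain")
        if isinstance(owner, dict) and owner.get("id"):
            ids.add(owner["id"])
    # Assumption of this model: token["user"]["domain"] (the user's home
    # domain) is deliberately ignored, because it is not a scope.
    return ids


def get_domain_status(token, target_domain_id):
    """Status expected for GET /v3/domains/{domain_id} with this token."""
    if target_domain_id in token_domain_ids(token):
        return HTTPStatus.OK
    return HTTPStatus.FORBIDDEN


# Constructed sample tokens (all IDs are made up for this example).
PROJECT_SCOPED = {"user": {"id": "u1"},
                  "project": {"id": "p1", "domain": {"id": "d-alpha"}}}
DOMAIN_SCOPED = {"user": {"id": "u2"}, "domain": {"id": "d-alpha"}}
UNSCOPED = {"user": {"id": "u3", "domain": {"id": "d-alpha"}}}

if __name__ == "__main__":
    cases = [("project-scoped", PROJECT_SCOPED),
             ("domain-scoped", DOMAIN_SCOPED),
             ("unscoped", UNSCOPED)]
    for label, token in cases:
        for target in ("d-alpha", "d-beta"):
            status = get_domain_status(token, target)
            print(f"{label:15} GET /v3/domains/{target}: {int(status)}")
```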