← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #93027

[Bug 2041611] [NEW] GET /v3/domains returns all domains even in domain scope

  Thread PreviousDate PreviousThread Next 
Public bug reported:

## Summary

The `GET /v3/domains` endpoint's returned domain list is not filtered if a domain-scoped authentication is used to access it. Instead it returns all domains.
In case domain names have relations to tenants/customers, any policy model that allows tenants to list domains will expose other tenants' identities.

In contrast, endpoints like `GET /v3/projects` and `GET /v3/groups`
implement proper domain scoping. For further technical analysis how
those endpoints achieve this, see here:
https://github.com/SovereignCloudStack/issues/issues/446#issuecomment-1775095749

## Steps to reproduce

The following steps have been recorded using an unmodified DevStack
environment.

First consider the following adjustment to `/etc/keystone/policy.yaml`:

```
identity:list_domains: role:member or rule:admin_required
```

... so that users with the `member` role may access `GET /v3/domains`
for illustration purposes.

Next, create additional domains and a domain member:

```
openstack domain create domain2
openstack domain create domain3
openstack user create --domain domain2 --password "foobar123%" domain2-user
openstack role add --user domain2-user --domain domain2 member
```

Finally, create an openrc file for the domain member to have it issue a
domain-scoped token:

```
source stackrc
export OS_REGION_NAME=RegionOne
export OS_AUTH_URL=http://$HOST_IP/identity
export OS_IDENTITY_API_VERSION=3
export OS_USERNAME=domain2-user
export OS_AUTH_TYPE=password
export OS_USER_DOMAIN_NAME=domain2
export OS_DOMAIN_NAME=domain2
export OS_PASSWORD=foobar123%
unset OS_PROJECT_NAME  
unset OS_TENANT_NAME
unset OS_PROJECT_DOMAIN_NAME
unset OS_PROJECT_DOMAIN_ID
unset OS_USER_DOMAIN_ID
```

(this example is based on a DevStack environment)

Now the following happens when the domain member user is accessing the
domain list:

```
$ source domain-member.openrc

$ openstack domain list
+----------------------------------+---------+---------+--------------------+
| ID                               | Name    | Enabled | Description        |
+----------------------------------+---------+---------+--------------------+
| 1a1a793377464131a2744e27fec9bcdf | domain2 | True    |                    |
| 449167ed506c43cea43b997a1f345606 | domain3 | True    |                    |
| default                          | Default | True    | The default domain |
+----------------------------------+---------+---------+--------------------+
```

Although the token of the domain member user making the API request is strictly domain-scoped, all domains are returned.
In case domain names would somehow be related to other tenants' identities, these would get exposed this way.

## Notes

This is not an issue with Keystone's default policy configuration since
only admins may access the `GET /v3/domains` endpoint at all and those
have access to all domains anyway.

Only unlocking `GET /v3/domains` for other roles will make this
undesired behavior possible.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2041611

Title:
  GET /v3/domains returns all domains even in domain scope

Status in OpenStack Identity (keystone):
  New

Bug description:
  ## Summary

  The `GET /v3/domains` endpoint's returned domain list is not filtered if a domain-scoped authentication is used to access it. Instead it returns all domains.
  In case domain names have relations to tenants/customers, any policy model that allows tenants to list domains will expose other tenants' identities.

  In contrast, endpoints like `GET /v3/projects` and `GET /v3/groups`
  implement proper domain scoping. For further technical analysis how
  those endpoints achieve this, see here:
  https://github.com/SovereignCloudStack/issues/issues/446#issuecomment-1775095749

  ## Steps to reproduce

  The following steps have been recorded using an unmodified DevStack
  environment.

  First consider the following adjustment to
  `/etc/keystone/policy.yaml`:

  ```
  identity:list_domains: role:member or rule:admin_required
  ```

  ... so that users with the `member` role may access `GET /v3/domains`
  for illustration purposes.

  Next, create additional domains and a domain member:

  ```
  openstack domain create domain2
  openstack domain create domain3
  openstack user create --domain domain2 --password "foobar123%" domain2-user
  openstack role add --user domain2-user --domain domain2 member
  ```

  Finally, create an openrc file for the domain member to have it issue
  a domain-scoped token:

  ```
  source stackrc
  export OS_REGION_NAME=RegionOne
  export OS_AUTH_URL=http://$HOST_IP/identity
  export OS_IDENTITY_API_VERSION=3
  export OS_USERNAME=domain2-user
  export OS_AUTH_TYPE=password
  export OS_USER_DOMAIN_NAME=domain2
  export OS_DOMAIN_NAME=domain2
  export OS_PASSWORD=foobar123%
  unset OS_PROJECT_NAME  
  unset OS_TENANT_NAME
  unset OS_PROJECT_DOMAIN_NAME
  unset OS_PROJECT_DOMAIN_ID
  unset OS_USER_DOMAIN_ID
  ```

  (this example is based on a DevStack environment)

  Now the following happens when the domain member user is accessing the
  domain list:

  ```
  $ source domain-member.openrc

  $ openstack domain list
  +----------------------------------+---------+---------+--------------------+
  | ID                               | Name    | Enabled | Description        |
  +----------------------------------+---------+---------+--------------------+
  | 1a1a793377464131a2744e27fec9bcdf | domain2 | True    |                    |
  | 449167ed506c43cea43b997a1f345606 | domain3 | True    |                    |
  | default                          | Default | True    | The default domain |
  +----------------------------------+---------+---------+--------------------+
  ```

  Although the token of the domain member user making the API request is strictly domain-scoped, all domains are returned.
  In case domain names would somehow be related to other tenants' identities, these would get exposed this way.

  ## Notes

  This is not an issue with Keystone's default policy configuration
  since only admins may access the `GET /v3/domains` endpoint at all and
  those have access to all domains anyway.

  Only unlocking `GET /v3/domains` for other roles will make this
  undesired behavior possible.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2041611/+subscriptions

Follow ups

  Thread PreviousDate PreviousThread Next