GET /v3/domains returns all domains even in domain scope
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Undecided | Unassigned | |
Bug Description
## Summary
The `GET /v3/domains` endpoint does not filter the returned domain list when it is accessed with a domain-scoped token; it returns all domains instead.
Where domain names are tied to tenants or customers, any policy model that allows tenants to list domains therefore exposes the identities of other tenants.
In contrast, endpoints such as `GET /v3/projects` and `GET /v3/groups` apply domain scoping correctly. For a technical analysis of how those endpoints achieve this, see: https:/
## Steps to reproduce
The following steps have been recorded using an unmodified DevStack environment.
First consider the following adjustment to `/etc/keystone/
```
identity:
```
... so that users with the `member` role may access `GET /v3/domains` for illustration purposes.
Next, create additional domains and a domain member:
```
openstack domain create domain2
openstack domain create domain3
openstack user create --domain domain2 --password "foobar123%" domain2-user
openstack role add --user domain2-user --domain domain2 member
```
Finally, create an openrc file for the domain member so that it issues a domain-scoped token:
```
source stackrc
export OS_REGION_
export OS_AUTH_URL=http://
export OS_IDENTITY_
export OS_USERNAME=
export OS_AUTH_
export OS_USER_
export OS_DOMAIN_
export OS_PASSWORD=
unset OS_PROJECT_NAME
unset OS_TENANT_NAME
unset OS_PROJECT_
unset OS_PROJECT_
unset OS_USER_DOMAIN_ID
```
(this example is based on a DevStack environment)
Now the following happens when the domain member user accesses the domain list:
```
$ source domain-
$ openstack domain list
+------
| ID | Name | Enabled | Description |
+------
| 1a1a79337746413
| 449167ed506c43c
| default | Default | True | The default domain |
+------
```
Although the token of the domain member making the API request is strictly domain-scoped, all domains are returned.
If domain names were in some way related to other tenants' identities, those identities would be exposed this way.
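The following is an added example, not Keystone's own code: an offline check that flags the scope leak shown above in a captured `GET /v3/domains` response body, next to the scope-aware filter that a domain-scoped caller should get (the behaviour the projects and groups endpoints already have). The response shapes follow the Keystone v3 API; all IDs, names and URLs in the sample bodies are constructed for the example and do not correspond to the DevStack output above.

```python
"""Check a GET /v3/domains response against the scope of the token that
requested it (added example; not keystone code)."""
import json

# Constructed: the relevant fields of the POST /v3/auth/tokens body that a
# domain-scoped authentication for domain2-user returns. IDs are made up.
DOMAIN2_TOKEN = json.loads("""
{"token": {
  "domain": {"id": "dom2-0001", "name": "domain2"},
  "user": {"id": "u-domain2-user", "name": "domain2-user",
           "domain": {"id": "dom2-0001", "name": "domain2"}},
  "roles": [{"id": "r-member", "name": "member"}]
}}""")

# Constructed: a system-scoped token, as an admin would hold.
SYSTEM_TOKEN = json.loads("""
{"token": {"system": {"all": true},
           "user": {"id": "u-admin", "name": "admin",
                    "domain": {"id": "default", "name": "Default"}},
           "roles": [{"id": "r-admin", "name": "admin"}]}}""")

# Constructed: the unfiltered body the vulnerable endpoint returns to
# domain2-user, mirroring the three rows of `openstack domain list` above.
UNFILTERED_DOMAINS = json.loads("""
{"domains": [
  {"id": "dom2-0001", "name": "domain2", "enabled": true, "description": ""},
  {"id": "dom3-0002", "name": "domain3", "enabled": true, "description": ""},
  {"id": "default", "name": "Default", "enabled": true,
   "description": "The default domain"}
],
 "links": {"self": "http://keystone.example/v3/domains",
           "previous": null, "next": null}}""")


def token_scope(token_body):
    """Classify a v3 token body as ('domain', id), ('project', id),
    ('system', None) or ('unscoped', None)."""
    tok = token_body["token"]
    if "domain" in tok:
        return ("domain", tok["domain"]["id"])
    if "project" in tok:
        return ("project", tok["project"]["id"])
    if "system" in tok:
        return ("system", None)
    return ("unscoped", None)


def filter_domains_for_scope(domains, token_body):
    """Apply the filtering a domain-scoped caller should receive: only the
    domain the token is scoped to. Other scopes are passed through here;
    whether they may list domains at all is a policy decision, not a
    filtering one."""
    kind, scope_id = token_scope(token_body)
    if kind == "domain":
        return [d for d in domains if d["id"] == scope_id]
    return list(domains)


def leaked_domains(domains_body, token_body):
    """IDs present in a GET /v3/domains body that a domain-scoped token
    must not see. An empty list means the response is correctly filtered."""
    kind, scope_id = token_scope(token_body)
    if kind != "domain":
        return []
    return [d["id"] for d in domains_body["domains"] if d["id"] != scope_id]


if __name__ == "__main__":
    print("leaked to domain2-user:",
          leaked_domains(UNFILTERED_DOMAINS, DOMAIN2_TOKEN))
    fixed = filter_domains_for_scope(UNFILTERED_DOMAINS["domains"],
                                     DOMAIN2_TOKEN)
    print("what domain2-user should see:", [d["name"] for d in fixed])
```

To use it against a real deployment, feed `leaked_domains` the raw bodies of the token response and the domain listing (for example captured with `curl` against the two endpoints); any non-empty result means the endpoint is returning domains outside the caller's scope, which is exactly the behaviour the reproduction above shows.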
## Notes
This is not an issue with Keystone's default policy configuration, since only admins may access the `GET /v3/domains` endpoint at all, and admins have access to all domains anyway.
Only unlocking `GET /v3/domains` for other roles makes this undesired behavior reachable.
Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/keystone/+/900028