2015-06-01 16:15:37 | Kim Jensen | description
Users with an unscoped project token are authorized to list and create designate domains. Based on the policy file, this should not be allowed.
If a user gets a token that is not scoped to a project, that user is able to list and create designate domains.
I would expect that only tokens scoped to a tenant with the required role should be authorized to successfully make the create and get domain calls.
For example:
POST https://KEYSTONE_ENDPOINT:35357/v2.0/tokens HTTP/1.1
Connection: close
Content-Type: application/json
Content-Length: 150
{
"auth":{
"passwordCredentials":{
"username":"testUserName",
"password":"password"
}
}
}
Response:
{"access": {
"token": {
"issued_at": "2015-05-29T19:12:41.885602",
"expires": "2015-05-29T21:12:41Z",
"id": "a2ce8e93ac6b43d0b0e84fd07863a8b9",
"audit_ids": ["zus4wLUbSK6mjF6cTe_R9Q"]
},
...
Create domain
POST https://DESIGNATE_ENDPOINT:9001/v1/domains HTTP/1.1
Connection: close
X-Auth-Token: a2ce8e93ac6b43d0b0e84fd07863a8b9
Content-Type: application/json
Content-Length: 85
{
"name": "test-tc21abc.org.",
"ttl": 3600,
"email": "myemail@gmail.com"
}
Response:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 248
Location: http://DESIGNATE_ENDPOINT:9001/v1/domains/6e1f4190-9901-488b-a9f4-489bf1030067
X-Openstack-Request-Id: req-22ee36ba-f5db-4c9f-b26c-732a39bdca85
Date: Fri, 29 May 2015 19:12:43 GMT
Connection: close
{
"created_at": "2015-05-29T19:12:43.000000",
"description": null,
"email": "myemail@gmail.com",
"id": "6e1f4190-9901-488b-a9f4-489bf1030067",
"name": "test-tc21abc.org.",
"serial": 1432926762,
"ttl": 3600,
"updated_at": null
}
Get domains
GET https://DESIGNATE_ENDPOINT:9001/v1/domains HTTP/1.1
Connection: close
X-Auth-Token: a2ce8e93ac6b43d0b0e84fd07863a8b9
Response:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 311
X-Openstack-Request-Id: req-0f8cea71-05d0-43f1-954d-c2d6d014900c
Date: Fri, 29 May 2015 19:12:43 GMT
Connection: close
{
"domains": [
{
"created_at": "2015-05-29T19:12:43.000000",
"description": null,
"email": "myemail@gmail.com",
"id": "6e1f4190-9901-488b-a9f4-489bf1030067",
"name": "test-tc21abc.org.",
"serial": 1432926762,
"ttl": 3600,
"updated_at": null
}
]
}
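The report's expectation, enforced in code: an added example (not Designate's or Keystone's own code) of an authorization gate that denies domain create/list calls unless the token is scoped to a tenant and carries a role in that tenant. The token documents are constructed to follow the Keystone v2.0 response shape, where a project-scoped token carries a "tenant" object inside access.token and an unscoped token does not (the report's own truncated response has no such object). The rule logic, the role names, the placeholder ids and the in-memory store are assumptions for the example.

```python
"""Added example: deny domain operations for tokens without project scope.

Not Designate's or Keystone's code. Token documents are constructed to
match the Keystone v2.0 response shape; ids marked "placeholder" are made up.
"""
import json
from typing import Optional


class Forbidden(Exception):
    """Raised where the API should answer HTTP 403."""


# Constructed sample matching the report's unscoped token (the "..." of the
# report filled in with a minimal user block that carries no roles).
UNSCOPED_TOKEN = json.loads("""{"access": {
  "token": {"issued_at": "2015-05-29T19:12:41.885602",
            "expires": "2015-05-29T21:12:41Z",
            "id": "a2ce8e93ac6b43d0b0e84fd07863a8b9",
            "audit_ids": ["zus4wLUbSK6mjF6cTe_R9Q"]},
  "user": {"id": "user-placeholder", "name": "testUserName", "roles": []}}}""")

# Constructed sample of the same user holding a token scoped to a tenant
# (token id, tenant id and role name are placeholders).
SCOPED_TOKEN = json.loads("""{"access": {
  "token": {"issued_at": "2015-05-29T19:12:41.885602",
            "expires": "2015-05-29T21:12:41Z",
            "id": "token-id-placeholder",
            "tenant": {"id": "tenant-placeholder", "name": "demo"}},
  "user": {"id": "user-placeholder", "name": "testUserName",
           "roles": [{"name": "Member"}]}}}""")

DOMAINS: dict = {}  # tenant_id -> list of domains (stand-in for the backend)


def token_scope(access_doc: dict) -> Optional[str]:
    """Tenant id the token is scoped to, or None for an unscoped token."""
    tenant = access_doc["access"]["token"].get("tenant")
    return tenant["id"] if tenant else None


def token_roles(access_doc: dict) -> set:
    """Role names the token grants (empty for the unscoped sample)."""
    return {r["name"] for r in access_doc["access"]["user"].get("roles", [])}


def enforce(action: str, access_doc: dict, target: dict) -> str:
    """Return the caller's tenant id, or raise Forbidden.

    The scope check runs before any owner comparison: a plain equality test
    between the caller's tenant and the target's tenant would match None
    against None, so a missing scope is rejected explicitly, not compared.
    """
    tenant_id = token_scope(access_doc)
    if tenant_id is None:
        raise Forbidden(f"{action}: token is not scoped to a project")
    roles = token_roles(access_doc)
    if not roles:
        raise Forbidden(f"{action}: no role in tenant {tenant_id}")
    if "admin" in roles:
        return tenant_id  # assumed admin rule: any tenant
    # assumed owner rule: a target that names a tenant must be the caller's
    if target.get("tenant_id", tenant_id) != tenant_id:
        raise Forbidden(f"{action}: tenant {tenant_id} does not own the target")
    return tenant_id


def create_domain(access_doc: dict, body: dict) -> dict:
    """POST /v1/domains: the new domain is owned by the caller's tenant."""
    tenant_id = enforce("create_domain", access_doc, {})
    domain = {"name": body["name"], "ttl": body["ttl"],
              "email": body["email"], "tenant_id": tenant_id}
    DOMAINS.setdefault(tenant_id, []).append(domain)
    return domain


def list_domains(access_doc: dict) -> dict:
    """GET /v1/domains: only the caller's tenant's domains are returned."""
    tenant_id = enforce("get_domains", access_doc, {})
    return {"domains": list(DOMAINS.get(tenant_id, []))}


if __name__ == "__main__":
    body = {"name": "test-tc21abc.org.", "ttl": 3600, "email": "myemail@gmail.com"}
    for label, tok in (("unscoped", UNSCOPED_TOKEN), ("scoped", SCOPED_TOKEN)):
        try:
            print(label, "create ->", create_domain(tok, body)["name"])
            print(label, "list   ->", len(list_domains(tok)["domains"]))
        except Forbidden as exc:
            print(label, "-> 403", exc)
```

Run stand-alone, the unscoped token is refused on both calls and the scoped one creates and then lists the domain. The point of ordering inside enforce is the part worth carrying into a real policy file: decide "is this token scoped at all" as its own rule, so that an owner comparison never has the chance to succeed on two absent values.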