Comment 0 for bug 1460187

Kim Jensen (kim-jensen2) wrote :

Users with an unscoped project token are authorized to list and create designate domains. Based on the policy file, this should not be allowed.

If a user gets a token that is not scoped to a project, that user is able to list and create designate domains.
I would expect that only tokens scoped to a tenant with the required role should be authorized to successfully make the create and get domain calls.

For example:
POST https://KEYSTONE_ENDPOINT:35357/v2.0/tokens HTTP/1.1
Connection: close
Content-Type: application/json
Content-Length: 150

{
   "auth":{
      "passwordCredentials":{
         "username":"testUserName",
         "password":"password"
      }
   }
}

Response:
{"access": {
   "token": {
      "issued_at": "2015-05-29T19:12:41.885602",
      "expires": "2015-05-29T21:12:41Z",
      "id": "a2ce8e93ac6b43d0b0e84fd07863a8b9",
      "audit_ids": ["zus4wLUbSK6mjF6cTe_R9Q"]
   },
...

Create domain

POST https://DESIGNATE_ENDPOINT:9001/v1/domains HTTP/1.1
Connection: close
X-Auth-Token: a2ce8e93ac6b43d0b0e84fd07863a8b9
Content-Type: application/json
Content-Length: 85

{
  "name": "test-tc21abc.org.",
  "ttl": 3600,
  "email": "<email address hidden>"
}

Response:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 248
Location: http://DESIGNATE_ENDPOINT:9001/v1/domains/6e1f4190-9901-488b-a9f4-489bf1030067
X-Openstack-Request-Id: req-22ee36ba-f5db-4c9f-b26c-732a39bdca85
Date: Fri, 29 May 2015 19:12:43 GMT
Connection: close

{
  "created_at": "2015-05-29T19:12:43.000000",
  "description": null,
  "email": "<email address hidden>",
  "id": "6e1f4190-9901-488b-a9f4-489bf1030067",
  "name": "test-tc21abc.org.",
  "serial": 1432926762,
  "ttl": 3600,
  "updated_at": null
}

Get domains

GET https://DESIGNATE_ENDPOINT:9001/v1/domains HTTP/1.1
Connection: close
X-Auth-Token: a2ce8e93ac6b43d0b0e84fd07863a8b9

Response:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 311
X-Openstack-Request-Id: req-0f8cea71-05d0-43f1-954d-c2d6d014900c
Date: Fri, 29 May 2015 19:12:43 GMT
Connection: close

{
  "domains": [
    {
      "created_at": "2015-05-29T19:12:43.000000",
      "description": null,
      "email": "<email address hidden>",
      "id": "6e1f4190-9901-488b-a9f4-489bf1030067",
      "name": "test-tc21abc.org.",
      "serial": 1432926762,
      "ttl": 3600,
      "updated_at": null
    }
  ]
}
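The report expects that a domain create or list call succeeds only for a token scoped to a tenant that holds the required role. The following is an added example, not Designate's or Keystone's own code, of what such a scope-aware check looks like: a Keystone v2 token response is treated as unscoped when it carries no `access.token.tenant`, and an unscoped token is rejected before any role is considered. The policy table, role names and token contents are constructed for illustration; the page does not show the real policy file.

```python
"""Scope-aware authorization check modelled on the expectation in the report.

Example code, not Designate's or Keystone's implementation.  The POLICY
table and the role names are assumed for illustration."""
from typing import Dict, List, Optional

# Assumed policy: each domain operation requires a project-scoped token
# holding one of the listed roles.  Unknown actions are denied by default.
POLICY: Dict[str, List[str]] = {
    "create_domain": ["admin", "dns_owner"],
    "get_domains": ["admin", "dns_owner"],
}


def token_scope(access: dict) -> Optional[str]:
    """Return the tenant id a Keystone v2 token is scoped to, or None.

    A scoped v2 token carries access.token.tenant.id; the unscoped token in
    the report has only id, issued_at, expires and audit_ids under token."""
    tenant = access.get("token", {}).get("tenant")
    if not tenant or not tenant.get("id"):
        return None
    return tenant["id"]


def token_roles(access: dict) -> List[str]:
    """Roles are listed under access.user.roles in a v2 token response."""
    return [r["name"] for r in access.get("user", {}).get("roles", [])]


def authorize(action: str, access: dict) -> bool:
    """Allow `action` only for a tenant-scoped token with a permitted role.

    The scope check runs first and independently of the role check, so a
    token that somehow carries a matching role but no tenant is still denied."""
    if action not in POLICY:
        return False
    if token_scope(access) is None:
        return False
    return any(role in POLICY[action] for role in token_roles(access))


# Constructed token bodies shaped like the v2 "access" object in the report.
UNSCOPED = {
    "token": {"id": "CONSTRUCTED-UNSCOPED-ID", "expires": "2015-05-29T21:12:41Z"},
    "user": {"name": "testUserName", "roles": [{"name": "dns_owner"}]},
}
SCOPED_WITH_ROLE = {
    "token": {"id": "CONSTRUCTED-SCOPED-ID", "expires": "2015-05-29T21:12:41Z",
              "tenant": {"id": "CONSTRUCTED-TENANT-ID", "name": "demo"}},
    "user": {"name": "testUserName", "roles": [{"name": "dns_owner"}]},
}
SCOPED_NO_ROLE = {
    "token": {"id": "CONSTRUCTED-SCOPED-ID-2", "expires": "2015-05-29T21:12:41Z",
              "tenant": {"id": "CONSTRUCTED-TENANT-ID", "name": "demo"}},
    "user": {"name": "testUserName", "roles": [{"name": "member"}]},
}


def decisions() -> Dict[str, bool]:
    """Evaluate the three constructed tokens against both domain actions."""
    return {
        "unscoped/create": authorize("create_domain", UNSCOPED),
        "unscoped/list": authorize("get_domains", UNSCOPED),
        "scoped+role/create": authorize("create_domain", SCOPED_WITH_ROLE),
        "scoped+role/list": authorize("get_domains", SCOPED_WITH_ROLE),
        "scoped-no-role/create": authorize("create_domain", SCOPED_NO_ROLE),
        "unknown-action": authorize("delete_everything", SCOPED_WITH_ROLE),
    }


if __name__ == "__main__":
    for name, allowed in decisions().items():
        print(f"{name:24s} -> {'allow' if allowed else 'deny'}")
```

Only the scoped token with a permitted role is allowed; the unscoped token is denied for both calls even though it lists a matching role, which is the behaviour the report asks for.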