API v3 - Unable to perform scope independent operations with unscoped token
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Won't Fix | Wishlist | Unassigned | |
Bug Description
When getting an unscoped token, by authenticating against Keystone
without a scope, one should be able to perform scope independent
operations (when allowed to do so). For instance, an administrator
should be able to manage domains, roles and possibly users, without
needing to specify a scope.
Unscoped tokens are currently not much use, since they don't allow
any such operation.
$ curl -s -i http://
-H "Content-Type: application/json" \
-d '{
"auth": {
"identity": {
}
}
}
}
}' | grep ^X-Subject-Token
X-Subject-Token: b8c1cd2065ce4df
$
$ curl -s -H "X-Auth-Token: b8c1cd2065ce4df
http://
{
"error": {
"code": 403,
"message": "You are not authorized to perform the requested action, identity:
"title": "Forbidden"
}
}
$
$ curl -s -H "X-Auth-Token: b8c1cd2065ce4df
http://
{
"error": {
"code": 403,
"message": "You are not authorized to perform the requested action, identity:
"title": "Forbidden"
}
}
$
$ curl -s -H "X-Auth-Token: b8c1cd2065ce4df
http://
{
"error": {
"code": 403,
"message": "You are not authorized to perform the requested action, identity:
"title": "Forbidden"
}
}
$
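The 403 responses above, modelled as an added example that is not part of the original report or keystone's own code: a role-based rule looks only at the roles bound to the token's scope, and an unscoped token has none. The token body layout (`token.project`, `token.domain`, `token.roles`) is assumed from the Identity API v3 format, `check_role_rule` is a hypothetical stand-in for a `role:admin` style policy rule, and the sample bodies are constructed.

```python
import json

# Constructed sample token bodies in the Identity API v3 layout
# (assumed here; the report does not show a token body).
UNSCOPED = json.loads("""{"token": {"methods": ["password"],
  "user": {"id": "u1", "name": "admin", "domain": {"id": "default"}},
  "expires_at": "2030-01-01T00:00:00Z"}}""")
PROJECT_SCOPED = json.loads("""{"token": {"methods": ["password"],
  "user": {"id": "u1", "name": "admin", "domain": {"id": "default"}},
  "project": {"id": "p1", "name": "admin", "domain": {"id": "default"}},
  "roles": [{"id": "r1", "name": "admin"}],
  "expires_at": "2030-01-01T00:00:00Z"}}""")


def token_scope(body):
    """Return 'project', 'domain' or 'unscoped' for a v3 token body."""
    token = body["token"]
    if "project" in token:
        return "project"
    if "domain" in token:
        return "domain"
    return "unscoped"


def role_names(body):
    """Role names carried by the token; an unscoped token carries none."""
    return {r["name"] for r in body["token"].get("roles", [])}


def check_role_rule(body, required_role="admin"):
    """Hypothetical stand-in for a 'role:<name>' policy rule.

    Returns (http_status, reason). The user's identity is not consulted,
    only the roles bound to the token's scope.
    """
    if required_role in role_names(body):
        return 200, "role present in token"
    if token_scope(body) == "unscoped":
        return 403, "unscoped token carries no roles"
    return 403, "scoped token lacks role " + required_role


if __name__ == "__main__":
    for label, body in (("unscoped", UNSCOPED), ("scoped", PROJECT_SCOPED)):
        print(label, token_scope(body), check_role_rule(body))
```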
Changed in keystone:
assignee: nobody → Henrique Truta (henrique-4)
Changed in keystone:
assignee: Henrique Truta (henrique-4) → nobody
This is closely related to bug 968696, and would be addressed by explicitly scoping tokens to keystone per https://blueprints.launchpad.net/keystone/+spec/service-scoped-tokens