2015-02-13 21:23:42 |
Brant Knudson |
description |
The sample policy doesn't allow a non-admin user to validate or revoke their own token.
Steps to recreate:
0) Start with devstack
1) Get a token for a non-admin user
$ curl -i -H "Content-Type: application/json" -d '
{ "auth": {
"identity": {
"methods": ["password"],
"password": {
"user": {
"name": "demo",
"domain": { "id": "default" },
"password": "demopwd"
}
}
},
"scope": {
"project": {
"name": "demo",
"domain": { "id": "default" }
}
}
}
}' http://localhost:35357/v3/auth/tokens ; echo
$ TOKEN=e91bab6a52e44e39ba7ca63b04bb717b
2) Try to get the token using the token using v3:
$ curl -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://localhost:35357/v3/auth/tokens
{"error": {"message": "You are not authorized to perform the requested action: identity:validate_token (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}
3) Try to validate the token using the token using v3:
$ curl -I -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://localhost:35357/v3/auth/tokens
HTTP/1.1 403 Forbidden
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 185
Date: Fri, 13 Feb 2015 20:00:21 GMT
3) Try to get the token using the token using v2:
$ curl -H "X-Auth-Token: $TOKEN" http://localhost:35357/v2.0/tokens/$TOKEN
{"error": {"message": "You are not authorized to perform the requested action: identity:validate_token (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}
4) Try to validate the token using the token using v2:
$ curl -I -H "X-Auth-Token: $TOKEN" http://localhost:35357/v2.0/tokens/$TOKEN
HTTP/1.1 403 Forbidden
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 193
Date: Fri, 13 Feb 2015 20:11:49 GMT
5) Try to revoke the token using the token using v3:
$ curl -X DELETE -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://localhost:35357/v3/auth/tokens
{"error": {"message": "You are not authorized to perform the requested action: identity:revoke_token (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}
6) Try to revoke the token using the token using v2:
$ curl -X DELETE -H "X-Auth-Token: $TOKEN" http://localhost:35357/v2.0/tokens/$TOKEN
{"error": {"message": "You are not authorized to perform the requested action: admin_required (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}} |
The sample policy doesn't allow a non-admin user to validate or revoke their own token.
Steps to recreate:
0) Start with devstack
1) Get a token for a non-admin user
$ curl -i -H "Content-Type: application/json" -d '
{ "auth": {
"identity": {
"methods": ["password"],
"password": {
"user": {
"name": "demo",
"domain": { "id": "default" },
"password": "demopwd"
}
}
},
"scope": {
"project": {
"name": "demo",
"domain": { "id": "default" }
}
}
}
}' http://localhost:35357/v3/auth/tokens ; echo
$ TOKEN=e91bab6a52e44e39ba7ca63b04bb717b
2) Try to get the token using the token using v3:
$ curl -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://localhost:35357/v3/auth/tokens
{"error": {"message": "You are not authorized to perform the requested action: identity:validate_token (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}
3) Try to validate the token using the token using v3:
$ curl -I -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://localhost:35357/v3/auth/tokens
HTTP/1.1 403 Forbidden
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 185
Date: Fri, 13 Feb 2015 20:00:21 GMT
4) Try to get the token using the token using v2:
$ curl -H "X-Auth-Token: $TOKEN" http://localhost:35357/v2.0/tokens/$TOKEN
{"error": {"message": "You are not authorized to perform the requested action: identity:validate_token (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}
5) Try to validate the token using the token using v2:
$ curl -I -H "X-Auth-Token: $TOKEN" http://localhost:35357/v2.0/tokens/$TOKEN
HTTP/1.1 403 Forbidden
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 193
Date: Fri, 13 Feb 2015 20:11:49 GMT
6) Try to revoke the token using the token using v3:
$ curl -X DELETE -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://localhost:35357/v3/auth/tokens
{"error": {"message": "You are not authorized to perform the requested action: identity:revoke_token (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}
7) Try to revoke the token using the token using v2:
$ curl -X DELETE -H "X-Auth-Token: $TOKEN" http://localhost:35357/v2.0/tokens/$TOKEN
{"error": {"message": "You are not authorized to perform the requested action: admin_required (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}} |
|