Activity log for bug #1421825

Date Who What changed Old value New value Message
2015-02-13 20:34:23 Brant Knudson bug added bug
2015-02-13 20:34:40 Brant Knudson keystone: assignee Brant Knudson (blk-u)
2015-02-13 21:23:42 Brant Knudson description

Old value:

The sample policy doesn't allow a non-admin user to validate or revoke their own token.

Steps to recreate:

0) Start with devstack

1) Get a token for a non-admin user

$ curl -i -H "Content-Type: application/json" -d '
{ "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "name": "demo",
          "domain": { "id": "default" },
          "password": "demopwd"
        }
      }
    },
    "scope": {
      "project": {
        "name": "demo",
        "domain": { "id": "default" }
      }
    }
  }
}' http://localhost:35357/v3/auth/tokens ; echo

$ TOKEN=e91bab6a52e44e39ba7ca63b04bb717b

2) Try to get the token using the token using v3:

$ curl -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://localhost:35357/v3/auth/tokens
{"error": {"message": "You are not authorized to perform the requested action: identity:validate_token (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}

3) Try to validate the token using the token using v3:

$ curl -I -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://localhost:35357/v3/auth/tokens
HTTP/1.1 403 Forbidden
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 185
Date: Fri, 13 Feb 2015 20:00:21 GMT

3) Try to get the token using the token using v2:

$ curl -H "X-Auth-Token: $TOKEN" http://localhost:35357/v2.0/tokens/$TOKEN
{"error": {"message": "You are not authorized to perform the requested action: identity:validate_token (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}

4) Try to validate the token using the token using v2:

$ curl -I -H "X-Auth-Token: $TOKEN" http://localhost:35357/v2.0/tokens/$TOKEN
HTTP/1.1 403 Forbidden
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 193
Date: Fri, 13 Feb 2015 20:11:49 GMT

5) Try to revoke the token using the token using v3:

$ curl -X DELETE -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://localhost:35357/v3/auth/tokens
{"error": {"message": "You are not authorized to perform the requested action: identity:revoke_token (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}

6) Try to revoke the token using the token using v2:

$ curl -X DELETE -H "X-Auth-Token: $TOKEN" http://localhost:35357/v2.0/tokens/$TOKEN
{"error": {"message": "You are not authorized to perform the requested action: admin_required (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}

New value:

The sample policy doesn't allow a non-admin user to validate or revoke their own token.

Steps to recreate:

0) Start with devstack

1) Get a token for a non-admin user

$ curl -i -H "Content-Type: application/json" -d '
{ "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "name": "demo",
          "domain": { "id": "default" },
          "password": "demopwd"
        }
      }
    },
    "scope": {
      "project": {
        "name": "demo",
        "domain": { "id": "default" }
      }
    }
  }
}' http://localhost:35357/v3/auth/tokens ; echo

$ TOKEN=e91bab6a52e44e39ba7ca63b04bb717b

2) Try to get the token using the token using v3:

$ curl -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://localhost:35357/v3/auth/tokens
{"error": {"message": "You are not authorized to perform the requested action: identity:validate_token (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}

3) Try to validate the token using the token using v3:

$ curl -I -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://localhost:35357/v3/auth/tokens
HTTP/1.1 403 Forbidden
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 185
Date: Fri, 13 Feb 2015 20:00:21 GMT

4) Try to get the token using the token using v2:

$ curl -H "X-Auth-Token: $TOKEN" http://localhost:35357/v2.0/tokens/$TOKEN
{"error": {"message": "You are not authorized to perform the requested action: identity:validate_token (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}

5) Try to validate the token using the token using v2:

$ curl -I -H "X-Auth-Token: $TOKEN" http://localhost:35357/v2.0/tokens/$TOKEN
HTTP/1.1 403 Forbidden
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 193
Date: Fri, 13 Feb 2015 20:11:49 GMT

6) Try to revoke the token using the token using v3:

$ curl -X DELETE -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://localhost:35357/v3/auth/tokens
{"error": {"message": "You are not authorized to perform the requested action: identity:revoke_token (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}

7) Try to revoke the token using the token using v2:

$ curl -X DELETE -H "X-Auth-Token: $TOKEN" http://localhost:35357/v2.0/tokens/$TOKEN
{"error": {"message": "You are not authorized to perform the requested action: admin_required (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}
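The 403s in the report come from the sample policy routing identity:validate_token and identity:revoke_token through admin_required. The toy evaluator below (an added illustration, not the Keystone or oslo.policy code, and not the fix the project eventually merged) shows why a non-admin caller is denied for its own token under that rule shape, and how an assumed relaxed rule that also accepts the token's own subject would change the outcome. POLICY_OLD, POLICY_RELAXED and the credential/target dictionaries are constructed here for the example.

```python
"""Toy evaluator for Keystone-style policy rules (illustration only, not oslo.policy).

Supports the subset of the sample-policy syntax needed here:
  "role:<name>", "rule:<name>", "<cred_key>:%(target.<path>)s", joined by " or ".
"""

# Shape of the sample policy the bug report describes: both token operations
# are gated on admin_required, so the token's own user is always refused.
POLICY_OLD = {
    "admin_required": "role:admin",
    "identity:validate_token": "rule:admin_required",
    "identity:revoke_token": "rule:admin_required",
}

# Assumed relaxed policy for the example: the subject of the token may act too.
# This is an illustration of the rule shape, not the project's actual change.
POLICY_RELAXED = {
    "admin_required": "role:admin",
    "token_subject": "user_id:%(target.token.user_id)s",
    "identity:validate_token": "rule:admin_required or rule:token_subject",
    "identity:revoke_token": "rule:admin_required or rule:token_subject",
}


def check(policy, action, creds, target):
    """True if the caller's creds satisfy policy[action] against target."""
    atoms = [a.strip() for a in policy[action].split(" or ")]
    return any(_atom(policy, atom, creds, target) for atom in atoms)


def _atom(policy, atom, creds, target):
    kind, _, value = atom.partition(":")
    if kind == "rule":                      # reference to another named rule
        return check(policy, value, creds, target)
    if kind == "role":                      # caller must hold the role
        return value in creds.get("roles", [])
    if value.startswith("%(") and value.endswith(")s"):
        parts = value[2:-2].split(".")      # e.g. target.token.user_id
        if parts[0] != "target":
            return False
        node = target
        for part in parts[1:]:
            node = node.get(part, {}) if isinstance(node, dict) else {}
        return node != {} and creds.get(kind) == node
    return creds.get(kind) == value         # literal comparison


# Constructed sample data: a non-admin caller and two token targets.
DEMO_CREDS = {"user_id": "demo-uid", "roles": ["Member"]}
ADMIN_CREDS = {"user_id": "admin-uid", "roles": ["admin"]}
OWN_TOKEN = {"token": {"user_id": "demo-uid"}}
OTHER_TOKEN = {"token": {"user_id": "someone-else"}}
```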
2015-02-13 23:24:57 OpenStack Infra keystone: status New In Progress
2015-03-19 16:21:44 Lance Bragstad keystone: milestone kilo-rc1
2015-03-25 19:17:26 Morgan Fainberg keystone: importance Undecided Low
2015-03-25 19:17:28 Morgan Fainberg keystone: milestone kilo-rc1
2015-03-25 19:17:33 Morgan Fainberg tags kilo-rc-potential
2015-03-25 19:17:36 Morgan Fainberg keystone: importance Low Medium
2015-04-07 22:02:38 Morgan Fainberg tags kilo-rc-potential
2015-06-02 14:12:52 Chenhong Liu bug added subscriber Chenhong Liu
2015-06-09 14:40:39 OpenStack Infra keystone: status In Progress Fix Committed
2015-06-23 18:09:00 Doug Hellmann keystone: status Fix Committed Fix Released
2015-06-23 18:09:00 Doug Hellmann keystone: milestone liberty-1
2015-10-15 09:55:22 Thierry Carrez keystone: milestone liberty-1 8.0.0