Activity log for bug #1483382

Date Who What changed Old value New value Message
2015-08-10 19:10:21 Guang Yee bug added bug
2015-08-10 19:13:25 Guang Yee description

Old value:

Using the latest devstack, I am able to request a V2 token for user and project in a non-default domain. This is problematic as V2 APIs should not need to be domain-aware.

Steps to reproduce:
1) install devstack
2) run these commands

gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin --os-password secrete --os-user-domain-id default --os-project-name admin --os-project-domain-id default --os-auth-url http://localhost:5000 domain list
+----------------------------------+---------+---------+----------------------------------------------------------------------+
| ID                               | Name    | Enabled | Description                                                          |
+----------------------------------+---------+---------+----------------------------------------------------------------------+
| 769ad7730e0c4498b628aa8dc00e831f | foo     | True    |                                                                      |
| default                          | Default | True    | Owns users and tenants (i.e. projects) available on Identity API v2. |
+----------------------------------+---------+---------+----------------------------------------------------------------------+
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin --os-password secrete --os-user-domain-id default --os-project-name admin --os-project-domain-id default --os-auth-url http://localhost:5000 user list --domain 769ad7730e0c4498b628aa8dc00e831f
+----------------------------------+------+
| ID                               | Name |
+----------------------------------+------+
| cf0aa0b2d5db4d67a94d1df234c338e5 | bar  |
+----------------------------------+------+
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin --os-password secrete --os-user-domain-id default --os-project-name admin --os-project-domain-id default --os-auth-url http://localhost:5000 project list --domain 769ad7730e0c4498b628aa8dc00e831f
+----------------------------------+-------------+
| ID                               | Name        |
+----------------------------------+-------------+
| 413abdbfef5544e2a5f3e8ac6124dd29 | foo-project |
+----------------------------------+-------------+
gyee@dev:~$ curl -k -H 'Content-Type: application/json' -d '{"auth": {"passwordCredentials": {"userId": "cf0aa0b2d5db4d67a94d1df234c338e5", "password": "secrete"}, "tenantId": "413abdbfef5544e2a5f3e8ac6124dd29"}}' -XPOST http://localhost:35357/v2.0/tokens | python -mjson.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3006  100  2854  100   152  22164   1180 --:--:-- --:--:-- --:--:-- 22472
{
  "access": {
    "metadata": {
      "is_admin": 0,
      "roles": [
        "2b7f29ebd1c8453fb91e9cd7c2e1319b",
        "9fe2ff9ee4384b1894a90878d3e92bab"
      ]
    },
    "serviceCatalog": [
      {
        "endpoints": [
          {
            "adminURL": "http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29",
            "id": "3a92a79a21fb41379fa3e135be65eeff",
            "internalURL": "http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29",
            "publicURL": "http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29",
            "region": "RegionOne"
          }
        ],
        "endpoints_links": [],
        "name": "nova",
        "type": "compute"
      },
      {
        "endpoints": [
          {
            "adminURL": "http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29",
            "id": "64338d9eb3054598bcee30443c678e2a",
            "internalURL": "http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29",
            "publicURL": "http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29",
            "region": "RegionOne"
          }
        ],
        "endpoints_links": [],
        "name": "cinderv2",
        "type": "volumev2"
      },
      {
        "endpoints": [
          {
            "adminURL": "http://10.0.2.15:9292",
            "id": "9216dc36806f492ead2fc58f88dfc50c",
            "internalURL": "http://10.0.2.15:9292",
            "publicURL": "http://10.0.2.15:9292",
            "region": "RegionOne"
          }
        ],
        "endpoints_links": [],
        "name": "glance",
        "type": "image"
      },
      {
        "endpoints": [
          {
            "adminURL": "http://10.0.2.15:8776/v1/413abdbfef5544e2a5f3e8ac6124dd29",
            "id": "8163d3afe8144cc0ad701d8065a80f12",
            "internalURL": "http://10.0.2.15:8776/v1/413abdbfef5544e2a5f3e8ac6124dd29",
            "publicURL": "http://10.0.2.15:8776/v1/413abdbfef5544e2a5f3e8ac6124dd29",
            "region": "RegionOne"
          }
        ],
        "endpoints_links": [],
        "name": "cinder",
        "type": "volume"
      },
      {
        "endpoints": [
          {
            "adminURL": "http://10.0.2.15:8773/",
            "id": "1ae28abbafa040ebaba1a5930cd23b96",
            "internalURL": "http://10.0.2.15:8773/",
            "publicURL": "http://10.0.2.15:8773/",
            "region": "RegionOne"
          }
        ],
        "endpoints_links": [],
        "name": "ec2",
        "type": "ec2"
      },
      {
        "endpoints": [
          {
            "adminURL": "http://10.0.2.15:8774/v2.1/413abdbfef5544e2a5f3e8ac6124dd29",
            "id": "359f261d83a04ab7a66c804760aed0bf",
            "internalURL": "http://10.0.2.15:8774/v2.1/413abdbfef5544e2a5f3e8ac6124dd29",
            "publicURL": "http://10.0.2.15:8774/v2.1/413abdbfef5544e2a5f3e8ac6124dd29",
            "region": "RegionOne"
          }
        ],
        "endpoints_links": [],
        "name": "novav21",
        "type": "computev21"
      },
      {
        "endpoints": [
          {
            "adminURL": "http://10.0.2.15:35357/v2.0",
            "id": "1ced0d5e8f7943f7b821340e2a4ac273",
            "internalURL": "http://10.0.2.15:5000/v2.0",
            "publicURL": "http://10.0.2.15:5000/v2.0",
            "region": "RegionOne"
          }
        ],
        "endpoints_links": [],
        "name": "keystone",
        "type": "identity"
      }
    ],
    "token": {
      "audit_ids": [
        "fSQJJ2EnSC2pgeAbiEP3Rw"
      ],
      "expires": "2015-08-10T20:03:46Z",
      "id": "d68f365a9bb143008bd70be89ee0791a",
      "issued_at": "2015-08-10T19:03:46.542447",
      "tenant": {
        "description": "",
        "enabled": true,
        "id": "413abdbfef5544e2a5f3e8ac6124dd29",
        "name": "foo-project"
      }
    },
    "user": {
      "id": "cf0aa0b2d5db4d67a94d1df234c338e5",
      "name": "bar",
      "roles": [
        {
          "name": "admin"
        },
        {
          "name": "_member_"
        }
      ],
      "roles_links": [],
      "username": "bar"
    }
  }
}

New value:

Identical to the old value except for the second sentence, which now reads: "This is problematic as non-default domains are not supposed to be visible to V2 APIs."
2015-08-10 19:36:31 Tristan Cacqueray bug task added ossa
2015-08-10 19:36:36 Tristan Cacqueray ossa: status New Incomplete
2015-08-10 19:38:20 Tristan Cacqueray description

Old value: the description as set at 2015-08-10 19:13:25 (unchanged).

New value: the following embargo notice, followed by "--" and the unchanged description:

This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.

--
2015-08-17 15:14:16 Tristan Cacqueray bug added subscriber Keystone Core security contacts
2015-08-17 15:20:43 Tristan Cacqueray information type Private Security Public Security
2015-08-19 19:02:11 Tristan Cacqueray description

Old value: the embargo notice and description as set at 2015-08-10 19:38:20 (unchanged).
       "token": {             "audit_ids": [                 "fSQJJ2EnSC2pgeAbiEP3Rw"             ],             "expires": "2015-08-10T20:03:46Z",             "id": "d68f365a9bb143008bd70be89ee0791a",             "issued_at": "2015-08-10T19:03:46.542447",             "tenant": {                 "description": "",                 "enabled": true,                 "id": "413abdbfef5544e2a5f3e8ac6124dd29",                 "name": "foo-project"             }         },         "user": {             "id": "cf0aa0b2d5db4d67a94d1df234c338e5",             "name": "bar",             "roles": [                 {                     "name": "admin"                 },                 {                     "name": "_member_"                 }             ],             "roles_links": [],             "username": "bar"         }     } } Using the latest devstack, I am able to request a V2 token for user and project in a non-default domain. This problematic as non-default domains are not suppose to be visible to V2 APIs. Steps to reproduce: 1) install devstack 2) run these commands gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin --os-password secrete --os-user-domain-id default --os-project-name admin --os-project-domain-id default --os-auth-url http://localhost:5000 domain list +----------------------------------+---------+---------+----------------------------------------------------------------------+ | ID | Name | Enabled | Description | +----------------------------------+---------+---------+----------------------------------------------------------------------+ | 769ad7730e0c4498b628aa8dc00e831f | foo | True | | | default | Default | True | Owns users and tenants (i.e. projects) available on Identity API v2. 
| +----------------------------------+---------+---------+----------------------------------------------------------------------+ gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin --os-password secrete --os-user-domain-id default --os-project-name admin --os-project-domain-id default --os-auth-url http://localhost:5000 user list --domain 769ad7730e0c4498b628aa8dc00e831f +----------------------------------+------+ | ID | Name | +----------------------------------+------+ | cf0aa0b2d5db4d67a94d1df234c338e5 | bar | +----------------------------------+------+ gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin --os-password secrete --os-user-domain-id default --os-project-name admin --os-project-domain-id default --os-auth-url http://localhost:5000 project list --domain 769ad7730e0c4498b628aa8dc00e831f +----------------------------------+-------------+ | ID | Name | +----------------------------------+-------------+ | 413abdbfef5544e2a5f3e8ac6124dd29 | foo-project | +----------------------------------+-------------+ gyee@dev:~$ curl -k -H 'Content-Type: application/json' -d '{"auth": {"passwordCredentials": {"userId": "cf0aa0b2d5db4d67a94d1df234c338e5", "password": "secrete"}, "tenantId": "413abdbfef5544e2a5f3e8ac6124dd29"}}' -XPOST http://localhost:35357/v2.0/tokens | python -mjson.tool   % Total % Received % Xferd Average Speed Time Time Time Current                                  Dload Upload Total Spent Left Speed 100 3006 100 2854 100 152 22164 1180 --:--:-- --:--:-- --:--:-- 22472 {     "access": {         "metadata": {             "is_admin": 0,             "roles": [                 "2b7f29ebd1c8453fb91e9cd7c2e1319b",                 "9fe2ff9ee4384b1894a90878d3e92bab"             ]         },         "serviceCatalog": [             {                 "endpoints": [                     {                         "adminURL": "http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29",                         "id": 
"3a92a79a21fb41379fa3e135be65eeff",                         "internalURL": "http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29",                         "publicURL": "http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29",                         "region": "RegionOne"                     }                 ],                 "endpoints_links": [],                 "name": "nova",                 "type": "compute"             },             {                 "endpoints": [                     {                         "adminURL": "http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29",                         "id": "64338d9eb3054598bcee30443c678e2a",                         "internalURL": "http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29",                         "publicURL": "http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29",                         "region": "RegionOne"                     }                 ],                 "endpoints_links": [],                 "name": "cinderv2",                 "type": "volumev2"             },             {                 "endpoints": [                     {                         "adminURL": "http://10.0.2.15:9292",                         "id": "9216dc36806f492ead2fc58f88dfc50c",                         "internalURL": "http://10.0.2.15:9292",                         "publicURL": "http://10.0.2.15:9292",                         "region": "RegionOne"                     }                 ],                 "endpoints_links": [],                 "name": "glance",                 "type": "image"             },             {                 "endpoints": [                     {                         "adminURL": "http://10.0.2.15:8776/v1/413abdbfef5544e2a5f3e8ac6124dd29",                         "id": "8163d3afe8144cc0ad701d8065a80f12",                         "internalURL": "http://10.0.2.15:8776/v1/413abdbfef5544e2a5f3e8ac6124dd29",                         "publicURL": 
"http://10.0.2.15:8776/v1/413abdbfef5544e2a5f3e8ac6124dd29",                         "region": "RegionOne"                     }                 ],                 "endpoints_links": [],                 "name": "cinder",                 "type": "volume"             },             {                 "endpoints": [                     {                         "adminURL": "http://10.0.2.15:8773/",                         "id": "1ae28abbafa040ebaba1a5930cd23b96",                         "internalURL": "http://10.0.2.15:8773/",                         "publicURL": "http://10.0.2.15:8773/",                         "region": "RegionOne"                     }                 ],                 "endpoints_links": [],                 "name": "ec2",                 "type": "ec2"             },             {                 "endpoints": [                     {                         "adminURL": "http://10.0.2.15:8774/v2.1/413abdbfef5544e2a5f3e8ac6124dd29",                         "id": "359f261d83a04ab7a66c804760aed0bf",                         "internalURL": "http://10.0.2.15:8774/v2.1/413abdbfef5544e2a5f3e8ac6124dd29",                         "publicURL": "http://10.0.2.15:8774/v2.1/413abdbfef5544e2a5f3e8ac6124dd29",                         "region": "RegionOne"                     }                 ],                 "endpoints_links": [],                 "name": "novav21",                 "type": "computev21"             },             {                 "endpoints": [                     {                         "adminURL": "http://10.0.2.15:35357/v2.0",                         "id": "1ced0d5e8f7943f7b821340e2a4ac273",                         "internalURL": "http://10.0.2.15:5000/v2.0",                         "publicURL": "http://10.0.2.15:5000/v2.0",                         "region": "RegionOne"                     }                 ],                 "endpoints_links": [],                 "name": "keystone",                 "type": "identity"             }         ],  
       "token": {             "audit_ids": [                 "fSQJJ2EnSC2pgeAbiEP3Rw"             ],             "expires": "2015-08-10T20:03:46Z",             "id": "d68f365a9bb143008bd70be89ee0791a",             "issued_at": "2015-08-10T19:03:46.542447",             "tenant": {                 "description": "",                 "enabled": true,                 "id": "413abdbfef5544e2a5f3e8ac6124dd29",                 "name": "foo-project"             }         },         "user": {             "id": "cf0aa0b2d5db4d67a94d1df234c338e5",             "name": "bar",             "roles": [                 {                     "name": "admin"                 },                 {                     "name": "_member_"                 }             ],             "roles_links": [],             "username": "bar"         }     } }
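The report above shows a v2.0 token being issued for a user and a project that both live in the non-default domain 769ad7730e0c4498b628aa8dc00e831f, which the v2 API is not meant to expose. The following is an added example, not Keystone's code: a guard of the kind a v2 token handler needs (both principals must be in the default domain) and an audit function that inspects a v2.0 token response and flags principals outside the default domain. The domain lookup tables stand in for v3 user/project lookups; the entries for user "bar" and project "foo-project" are taken from the report, and the all-zero IDs are constructed placeholders for default-domain principals.

```python
"""Flag Keystone v2.0 tokens issued to principals outside the default domain.

Added example, not Keystone's own code. The v2.0 API is meant to expose only
users and projects in the 'default' domain, so a v2 token whose user or tenant
lives in any other domain shows the domain check is missing (the behaviour in
this bug report). USER_DOMAIN / PROJECT_DOMAIN are assumed stand-ins for a v3
lookup of each principal's domain_id.
"""
import json

DEFAULT_DOMAIN_ID = "default"

# Constructed lookup tables (user id -> domain id, project id -> domain id).
# The first entry in each comes from the report: user 'bar' and project
# 'foo-project' both live in domain 769ad7... ('foo'). The all-zero IDs are
# placeholders for default-domain principals, added for contrast.
USER_DOMAIN = {
    "cf0aa0b2d5db4d67a94d1df234c338e5": "769ad7730e0c4498b628aa8dc00e831f",
    "00000000000000000000000000000001": DEFAULT_DOMAIN_ID,
}
PROJECT_DOMAIN = {
    "413abdbfef5544e2a5f3e8ac6124dd29": "769ad7730e0c4498b628aa8dc00e831f",
    "00000000000000000000000000000002": DEFAULT_DOMAIN_ID,
}


def v2_auth_allowed(user_domain_id, project_domain_id=None):
    """Guard for a v2.0 token request: the user and, if the request is
    tenant-scoped, the tenant must both be in the default domain. A False
    result should map to the same 401 an unknown user receives, so the
    response does not reveal that the principal exists in another domain."""
    if user_domain_id != DEFAULT_DOMAIN_ID:
        return False
    if project_domain_id is not None and project_domain_id != DEFAULT_DOMAIN_ID:
        return False
    return True


def audit_v2_token(response_text, user_domain=USER_DOMAIN,
                   project_domain=PROJECT_DOMAIN):
    """Inspect a POST /v2.0/tokens response body and return a list of
    findings; an empty list means the token is consistent with v2 rules.

    Each finding is a (kind, id, domain_id) tuple. kind is 'user' or
    'tenant' for a principal outside the default domain, or 'unknown-user'
    / 'unknown-tenant' when the id is not in the lookup table."""
    access = json.loads(response_text).get("access", {})
    findings = []

    user_id = access.get("user", {}).get("id")
    if user_id is not None:
        dom = user_domain.get(user_id)
        if dom is None:
            findings.append(("unknown-user", user_id, None))
        elif dom != DEFAULT_DOMAIN_ID:
            findings.append(("user", user_id, dom))

    tenant = access.get("token", {}).get("tenant")
    if tenant:  # unscoped v2 tokens carry no tenant block
        tenant_id = tenant.get("id")
        dom = project_domain.get(tenant_id)
        if dom is None:
            findings.append(("unknown-tenant", tenant_id, None))
        elif dom != DEFAULT_DOMAIN_ID:
            findings.append(("tenant", tenant_id, dom))

    return findings


# Trimmed copy of the token response in the report (service catalog omitted).
REPORTED_RESPONSE = json.dumps({
    "access": {
        "token": {
            "id": "d68f365a9bb143008bd70be89ee0791a",
            "expires": "2015-08-10T20:03:46Z",
            "tenant": {"id": "413abdbfef5544e2a5f3e8ac6124dd29",
                       "name": "foo-project"},
        },
        "user": {"id": "cf0aa0b2d5db4d67a94d1df234c338e5", "name": "bar"},
    }
})

if __name__ == "__main__":
    for finding in audit_v2_token(REPORTED_RESPONSE):
        print("v2 token issued outside the default domain:", finding)
    # The check a v2 token handler should apply before issuing anything.
    print("bar/foo-project allowed via v2:",
          v2_auth_allowed(USER_DOMAIN["cf0aa0b2d5db4d67a94d1df234c338e5"],
                          PROJECT_DOMAIN["413abdbfef5544e2a5f3e8ac6124dd29"]))
```

Run against the reported response, the audit returns two findings (user and tenant both in domain 769ad7...), and the guard returns False for that user/tenant pair, which is the answer the v2 endpoint in the report should have given.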
2015-08-24 12:31:44 Dolph Mathews keystone: importance Undecided High
2015-08-24 12:31:44 Dolph Mathews keystone: status New Fix Committed
2015-08-24 12:31:57 Dolph Mathews keystone: assignee Dolph Mathews (dolph)
2015-08-24 12:32:17 Dolph Mathews nominated for series keystone/kilo
2015-08-24 12:32:17 Dolph Mathews bug task added keystone/kilo
2015-08-24 12:42:40 OpenStack Infra keystone/kilo: status New In Progress
2015-08-24 12:42:40 OpenStack Infra keystone/kilo: assignee Dolph Mathews (dolph)
2015-08-24 12:52:53 Dolph Mathews keystone/kilo: importance Undecided High
2015-09-03 18:13:54 Doug Hellmann keystone: status Fix Committed Fix Released
2015-09-03 18:13:54 Doug Hellmann keystone: milestone liberty-3
2015-09-08 14:37:36 Tristan Cacqueray ossa: status Incomplete Won't Fix
2015-09-16 09:00:44 OpenStack Infra keystone/kilo: status In Progress Fix Committed
2015-10-11 14:15:51 Chuck Short keystone/kilo: milestone 2015.1.2
2015-10-13 19:18:35 Chuck Short keystone/kilo: status Fix Committed Fix Released
2015-10-15 09:57:57 Thierry Carrez keystone: milestone liberty-3 8.0.0
2016-01-21 20:26:42 Dave Walker keystone/kilo: status Fix Released Fix Committed
2016-01-21 20:26:42 Dave Walker keystone/kilo: milestone 2015.1.2 2015.1.3
2016-01-21 23:15:59 Dave Walker keystone/kilo: status Fix Committed Fix Released