Calling GET /v3/domains/{domain_id} with a project-scoped or domain-scoped token fails

Bug #1794864 reported by Lance Bragstad on 2018-09-27
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Medium
Lance Bragstad

Bug Description

The policy that protects the identity:get_domain API (GET /v3/domains/{domain_id}) doesn't work as expected when using project-scoped or domain-scoped tokens.

If a user has a token scoped to a project within a domain, they should be able to fetch that domain. If a user has a token scoped to a domain, they should be able to call access that API for that domain. Currently, both cases return an HTTP 403 Forbidden.

A unit test exposes the broken behavior for project-scoped tokens [0].

[0] https://review.openstack.org/#/c/605560/1

Changed in keystone:
status: New → Triaged
importance: Undecided → Medium

Fix proposed to branch: master
Review: https://review.openstack.org/605851

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
tags: added: policy

Fix proposed to branch: master
Review: https://review.openstack.org/605871

Reviewed: https://review.openstack.org/605851
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1d32de5fe9c8465e2a70bf75dba7bdfeefa80ec9
Submitter: Zuul
Branch: master

commit 1d32de5fe9c8465e2a70bf75dba7bdfeefa80ec9
Author: Lance Bragstad <email address hidden>
Date: Thu Sep 27 19:12:20 2018 +0000

    Allow domain users to access the GET domain API

    This change updates the policy for identity:get_domains to allow
    users with role assignments on a domain to fetch the domain. As long
    as they call the API with a domain scoped token, they should be
    authorized to retrieve the domain. Subsequent patches will do the
    same for project users.

    Change-Id: I83a9b8af775580d36a1141be55e9c1cc283a75b6
    Partial-Bug: 1794864
    Partial-Bug: 968696

Reviewed: https://review.openstack.org/605871
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2c8f81af62cd03601fca259647991d5dd7f8d560
Submitter: Zuul
Branch: master

commit 2c8f81af62cd03601fca259647991d5dd7f8d560
Author: Lance Bragstad <email address hidden>
Date: Thu Sep 27 21:51:12 2018 +0000

    Allow project users to retrieve domains

    This commit adds thorough testing to make sure users who have a role
    on a project can use project-scoped tokens to call GET
    /v3/domain/{domain_id} for the domain own their project. These users
    are not allowed to access domains that they don't have any
    authorization via project role assignments.

    This ensures the domains API is tested with these cases and makes the
    domains API more self-serviceable for users that are not
    administrators.

    Change-Id: Ifc100a7a235140fbd07cbafe80983d3c2f17a7dc
    Closes-Bug: 1794864
    Related-Bug: 968696

Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → stein-3

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers