Calling GET /v3/domains/{domain_id} with a project-scoped or domain-scoped token fails

Bug #1794864 reported by Lance Bragstad
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Lance Bragstad
Milestone: stein-3

Bug Description

The policy that protects the identity:get_domain API (GET /v3/domains/{domain_id}) doesn't work as expected when using project-scoped or domain-scoped tokens.

If a user has a token scoped to a project within a domain, they should be able to fetch that domain. If a user has a token scoped to a domain, they should be able to access that API for that domain. Currently, both cases return an HTTP 403 Forbidden.

A unit test exposes the broken behavior for project-scoped tokens [0].

[0] https://review.openstack.org/#/c/605560/1
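The authorization rule the report asks for, as an added illustration that is not code from keystone or from the reporter. It models oslo.policy-style check strings (role:X, and credential:%(target)s generic checks) in plain Python so the pre-fix and intended behaviour can be compared side by side. The rule strings LEGACY_GET_DOMAIN and FIXED_GET_DOMAIN, the Token class, the get_domain helper and the sample ids (d1, d2, p1) are assumptions for illustration, not keystone's shipped defaults.

```python
"""Model of how identity:get_domain decides whether a token may read a domain.

Check-string syntax is modelled on oslo.policy ("role:X", "a.b:%(target.c)s",
joined with " and " / " or "); the rule texts themselves are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed pre-fix rule: only an admin role can read any domain, so a plain
# project- or domain-scoped user gets 403 even for their own domain.
LEGACY_GET_DOMAIN = "role:admin"

# Assumed intended rule, modelled on the bug report: admins, or a
# domain-scoped token whose domain is the target, or a project-scoped token
# whose project is owned by the target domain.
FIXED_GET_DOMAIN = (
    "role:admin"
    " or token.domain.id:%(target.domain.id)s"
    " or token.project.domain.id:%(target.domain.id)s"
)


@dataclass
class Token:
    """Minimal stand-in for a validated keystone token (assumption)."""
    roles: frozenset
    domain_id: Optional[str] = None          # set for domain-scoped tokens
    project_id: Optional[str] = None         # set for project-scoped tokens
    project_domain_id: Optional[str] = None  # domain that owns the project

    def credentials(self) -> Dict[str, Optional[str]]:
        """Flatten the token into the dotted credential keys used by rules."""
        creds: Dict[str, Optional[str]] = {}
        if self.domain_id:
            creds["token.domain.id"] = self.domain_id
        if self.project_id:
            creds["token.project.id"] = self.project_id
            creds["token.project.domain.id"] = self.project_domain_id
        return creds


def _eval_atom(atom: str, token: Token, target: Dict[str, str]) -> bool:
    """Evaluate one check: either a role check or a generic credential check."""
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in token.roles
    # Generic check: compare a credential attribute with a target attribute
    # ("%(target.domain.id)s") or with a literal value.
    if value.startswith("%(") and value.endswith(")s"):
        wanted = target.get(value[2:-2])
    else:
        wanted = value
    have = token.credentials().get(kind)
    # A credential the token does not carry (e.g. token.domain.id on a
    # project-scoped token) never matches; it must not raise or pass.
    return have is not None and wanted is not None and have == wanted


def enforce(rule: str, token: Token, target: Dict[str, str]) -> bool:
    """Disjunction of conjunctions: ' or ' binds looser than ' and '."""
    return any(
        all(_eval_atom(atom.strip(), token, target)
            for atom in clause.split(" and "))
        for clause in rule.split(" or ")
    )


def get_domain(rule: str, token: Token, domain_id: str) -> int:
    """Simulate GET /v3/domains/{domain_id}: 200 if the rule passes, else 403."""
    target = {"target.domain.id": domain_id}
    return 200 if enforce(rule, token, target) else 403


if __name__ == "__main__":
    reader = frozenset({"reader"})
    project_token = Token(roles=reader, project_id="p1", project_domain_id="d1")
    domain_token = Token(roles=reader, domain_id="d1")
    for name, rule in (("legacy", LEGACY_GET_DOMAIN), ("fixed", FIXED_GET_DOMAIN)):
        for label, tok in (("project-scoped", project_token), ("domain-scoped", domain_token)):
            print(name, label, "own domain d1 ->", get_domain(rule, tok, "d1"),
                  "| other domain d2 ->", get_domain(rule, tok, "d2"))
```

Under LEGACY_GET_DOMAIN both non-admin tokens get 403 for their own domain, which is the symptom in the report; under FIXED_GET_DOMAIN they get 200 for the domain they belong to and still 403 for any other domain.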

Tags: policy
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/605851

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
tags: added: policy
OpenStack Infra (hudson-openstack) wrote:

Fix proposed to branch: master
Review: https://review.openstack.org/605871

OpenStack Infra (hudson-openstack) wrote: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/605851
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1d32de5fe9c8465e2a70bf75dba7bdfeefa80ec9
Submitter: Zuul
Branch: master

commit 1d32de5fe9c8465e2a70bf75dba7bdfeefa80ec9
Author: Lance Bragstad <email address hidden>
Date: Thu Sep 27 19:12:20 2018 +0000

    Allow domain users to access the GET domain API

    This change updates the policy for identity:get_domains to allow
    users with role assignments on a domain to fetch the domain. As long
    as they call the API with a domain scoped token, they should be
    authorized to retrieve the domain. Subsequent patches will do the
    same for project users.

    Change-Id: I83a9b8af775580d36a1141be55e9c1cc283a75b6
    Partial-Bug: 1794864
    Partial-Bug: 968696

OpenStack Infra (hudson-openstack) wrote:

Reviewed: https://review.openstack.org/605871
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2c8f81af62cd03601fca259647991d5dd7f8d560
Submitter: Zuul
Branch: master

commit 2c8f81af62cd03601fca259647991d5dd7f8d560
Author: Lance Bragstad <email address hidden>
Date: Thu Sep 27 21:51:12 2018 +0000

    Allow project users to retrieve domains

    This commit adds thorough testing to make sure users who have a role
    on a project can use project-scoped tokens to call GET
    /v3/domain/{domain_id} for the domain that owns their project. These users
    are not allowed to access domains for which they don't have any
    authorization via project role assignments.

    This ensures the domains API is tested with these cases and makes the
    domains API more self-serviceable for users that are not
    administrators.

    Change-Id: Ifc100a7a235140fbd07cbafe80983d3c2f17a7dc
    Closes-Bug: 1794864
    Related-Bug: 968696

Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → stein-3
OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
