Comment 4 for bug 1177526

Chmouel Boudjnah (chmouel) wrote :

Alejandro, you are indeed correct: people in operator_roles should not be able to issue a DELETE on the account, but I can't seem to reproduce this, as I am getting a 405 when trying to do that. Can you please show us how you do that?

# Making sure the admin has the admin role
stack@devstack:~/devstack$ keystone user-role-list --user admin
+----------------------------------+-------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+-------+----------------------------------+----------------------------------+
| 06e77ba20bc0406e91da2b01a87e84c3 | admin | 058d18862233418bb55b0fee730e22e9 | 19cae1368377431bb6a3bb610b9ec37e |
+----------------------------------+-------+----------------------------------+----------------------------------+
stack@devstack:~/devstack$ keystone role-get 06e77ba20bc0406e91da2b01a87e84c3
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| id | 06e77ba20bc0406e91da2b01a87e84c3 |
| name | admin |
+----------+----------------------------------+

# operator_roles has admin as role to authorize
stack@devstack:~/devstack$ grep -w operator_roles /etc/swift/proxy-server.conf
operator_roles = Member, admin

# Using http://p.chmouel.com/ks script, getting a token for admin user
stack@devstack:~/devstack$ ks -s localhost admin:admin ADMIN
TOKEN='4a22807037e1465a8c3c0918fca62a47'
STORAGE_URL='http://46.231.128.140:8080/v1/AUTH_19cae1368377431bb6a3bb610b9ec37e'
KEYSTONE_URL='http://localhost:5000/v2.0/tokens'
# curl -H "X-Auth-Token: ${TOKEN}" ${STORAGE_URL}

# Trying to do a delete of the account
stack@devstack:~/devstack$ curl -v -X DELETE -H "X-Auth-Token: ${TOKEN}" ${STORAGE_URL}
* About to connect() to 46.231.128.140 port 8080 (#0)
* Trying 46.231.128.140... connected
> DELETE /v1/AUTH_19cae1368377431bb6a3bb610b9ec37e HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: 46.231.128.140:8080
> Accept: */*
> X-Auth-Token: 4a22807037e1465a8c3c0918fca62a47
>
< HTTP/1.1 405 Method Not Allowed
< Content-Length: 91
< Content-Type: text/html; charset=UTF-8
< Allow: HEAD, GET, POST, OPTIONS
< X-Trans-Id: tx408c29ef0e0940dea6f04-005190e04a
< Date: Mon, 13 May 2013 12:44:58 GMT
<
* Connection #0 to host 46.231.128.140 left intact
* Closing connection #0
<html><h1>Method Not Allowed</h1><p>The method is not allowed for this resource.</p></html>stack@devstack:~/devstack$