list users in group unauthorised with v3 policy

Bug #1433402 reported by Yi Shi
This bug affects 3 people
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

Two identity APIs have an unauthorised issue with the v3 policy. They are list_users_in_group and list_groups_for_user.

The domain admin should have permission to call these two APIs, but the calls fail.

Repro steps:
* use v3 policy as config
1. Create domain
2. Create admin user 'userA' under domain (assign admin role to the user with domain scope)
3. Create a normal domain user 'userB' (with domain admin userA's token)
4. Create a normal domain group 'groupB' (with domain admin userA's token)
5. Add userB as a member of groupB (with domain admin userA's token)
6. list_users_in_group with groupB's id as param (with domain admin userA's token), unauthorized
7. list_groups_for_user with userB's id as param (with domain admin userA's token), unauthorized

Both step 6 and step 7 use the domain token.

Tags: policy
Henry Nash (henry-nash) wrote :

When you say "with domain admin userA's token" in step 6 (and 7), is this a project token or a domain token?

Changed in keystone:
status: New → Incomplete
Yi Shi (yi-shi) wrote :

Use a domain token for admin userA.

description: updated
Yi Shi (yi-shi)
Changed in keystone:
status: Incomplete → New
Yi Shi (yi-shi) wrote :

Are there any updates?

Guang Yee (guang-yee) wrote :

I agree domain admin should be allowed for those two calls.

Lin Hua Cheng (lin-hua-cheng) wrote :

This is somehow related to the limitation of the policy rule that can be supported by the @filterprotected decorator.

See comment#3 in https://bugs.launchpad.net/keystone/+bug/1437407

Changed in keystone:
importance: Undecided → Medium
status: New → Confirmed
status: Confirmed → Triaged
status: Triaged → Confirmed
Changed in keystone:
assignee: nobody → Deepti Ramakrishna (dramakri)
Kent Wang (k.wang) wrote :

Hi Deepti, are you still working on this bug?

Deepti Ramakrishna (dramakri) wrote :

Kent, feel free to assign it to yourself.

Changed in keystone:
assignee: Deepti Ramakrishna (dramakri) → nobody
Kent Wang (k.wang)
Changed in keystone:
assignee: nobody → Kent Wang (k.wang)
Steve Martinelli (stevemar) wrote :

Unassigning due to inactivity.

Changed in keystone:
assignee: Kent Wang (k.wang) → nobody
Changed in keystone:
assignee: nobody → Deliang Fan (vanderliang)
Navid Pustchi (npustchi) wrote :

Deliang, are you going to work on this?

Revision history for this message
Deliang Fan (vanderliang) wrote :

@Navid Pustchi, I'm taking it now.

Changed in keystone:
status: Confirmed → In Progress
yangweiwei (496176919-6)
Changed in keystone:
assignee: Deliang Fan (vanderliang) → yangweiwei (496176919-6)
assignee: yangweiwei (496176919-6) → nobody
Changed in keystone:
assignee: nobody → Rudolf Vriend (rudolf-vriend)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/321128

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/321128
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9e7f24c2353d107e448f4e8a0d926e3968c6673d
Submitter: Jenkins
Branch: master

commit 9e7f24c2353d107e448f4e8a0d926e3968c6673d
Author: Rudolf Vriend <email address hidden>
Date: Wed May 25 18:49:47 2016 +0200

    Allow domain admins to list users in groups with v3 policy

    Domain admins (with a domain scoped token) could not list members of
    groups in their domain or groups of a user in their domain.
    This was due to 2 reasons: the v3 policy rule
    'identity:list_groups_for_user' was not evaluating the user's domain
    and the identity controller method protections of 'list_users_in_group'
    and 'list_groups_for_user' were not providing the required targets for
    the rules.

    Change-Id: Ibf8442a2ceefc2bb0941bd5e7beba6c252b2ab36
    Closes-Bug: #1433402
    Closes-Bug: #1458994

Changed in keystone:
status: In Progress → Fix Released
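The commit message names two causes: a policy rule that never consulted the target user's domain, and controller methods that did not pass the target into the rule. The following is an added illustration, not keystone's own code or policy files: a tiny evaluator in the style of oslo.policy that models both defects and the fixed behaviour. The rule names, the assumed admin domain id and the sample credentials are constructed for the example.

```python
# Added illustration, not keystone's own code: a tiny policy evaluator modelling
# the two causes named in the fix commit for bug #1433402. Rule and target names
# are assumptions modelled on keystone's v3 sample policy, not its exact strings.

ADMIN_DOMAIN_ID = "admin_domain"  # assumed id of the cloud admin domain


def cloud_admin(creds, target):
    return "admin" in creds["roles"] and creds.get("domain_id") == ADMIN_DOMAIN_ID


def admin_and_matching_target_user_domain_id(creds, target):
    # Fails closed: if the controller never supplied target.user (the second
    # defect in the commit message), a missing domain must not count as a match.
    user = target.get("user") or {}
    if "domain_id" not in user:
        return False
    return "admin" in creds["roles"] and creds.get("domain_id") == user["domain_id"]


# "Before" (modelled): the rule never looked at the target user's domain, so a
# domain-scoped admin token had no way to qualify (the first defect).
POLICY_BEFORE = {"identity:list_groups_for_user": cloud_admin}

# "After": cloud admin, or an admin whose token domain matches the user's domain.
POLICY_AFTER = {
    "identity:list_groups_for_user": lambda c, t: (
        cloud_admin(c, t) or admin_and_matching_target_user_domain_id(c, t)
    ),
}


def enforce(policy, action, creds, target):
    """Return True when `creds` may perform `action` against `target`."""
    return bool(policy[action](creds, target))


# Constructed sample data mirroring the repro steps in the bug description.
USER_A_DOMAIN_TOKEN = {"roles": ["admin"], "domain_id": "domainA"}
OTHER_DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "domainZ"}
TARGET_USER_B = {"user": {"id": "userB", "domain_id": "domainA"}}
ACTION = "identity:list_groups_for_user"

if __name__ == "__main__":
    print("before, target supplied:", enforce(POLICY_BEFORE, ACTION, USER_A_DOMAIN_TOKEN, TARGET_USER_B))  # False
    print("after, no target from controller:", enforce(POLICY_AFTER, ACTION, USER_A_DOMAIN_TOKEN, {}))  # False
    print("after, same-domain admin:", enforce(POLICY_AFTER, ACTION, USER_A_DOMAIN_TOKEN, TARGET_USER_B))  # True
    print("after, other-domain admin:", enforce(POLICY_AFTER, ACTION, OTHER_DOMAIN_ADMIN, TARGET_USER_B))  # False
```

The third case is the one the fix had to get right: the corrected rule only helps if the controller actually supplies target.user, which is why the commit touched both the policy rule and the controller protections.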
Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/keystone 10.0.0.0b2

This issue was fixed in the openstack/keystone 10.0.0.0b2 development milestone.

Changed in keystone:
milestone: none → newton-2