[Yahoo-eng-team] [Bug 1483382] Re: Able to request a V2 token for user and project in a non-default domain
** Changed in: keystone/kilo
Status: Fix Released => Fix Committed
** Changed in: keystone/kilo
Milestone: 2015.1.2 => 2015.1.3
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1483382
Title:
Able to request a V2 token for user and project in a non-default
domain
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Identity (keystone) kilo series:
Fix Committed
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Using the latest devstack, I am able to request a V2 token for user
and project in a non-default domain. This problematic as non-default
domains are not suppose to be visible to V2 APIs.
Steps to reproduce:
1) install devstack
2) run these commands
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin
--os-password secrete --os-user-domain-id default --os-project-name admin
--os-project-domain-id default --os-auth-url http://localhost:5000 domain list
+--+-+-+--+
| ID | Name| Enabled | Description
|
+--+-+-+--+
| 769ad7730e0c4498b628aa8dc00e831f | foo | True|
|
| default | Default | True| Owns users and
tenants (i.e. projects) available on Identity API v2. |
+--+-+-+--+
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin
--os-password secrete --os-user-domain-id default --os-project-name admin
--os-project-domain-id default --os-auth-url http://localhost:5000 user list
--domain 769ad7730e0c4498b628aa8dc00e831f
+--+--+
| ID | Name |
+--+--+
| cf0aa0b2d5db4d67a94d1df234c338e5 | bar |
+--+--+
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin
--os-password secrete --os-user-domain-id default --os-project-name admin
--os-project-domain-id default --os-auth-url http://localhost:5000 project list
--domain 769ad7730e0c4498b628aa8dc00e831f
+--+-+
| ID | Name|
+--+-+
| 413abdbfef5544e2a5f3e8ac6124dd29 | foo-project |
+--+-+
gyee@dev:~$ curl -k -H 'Content-Type: application/json' -d '{"auth":
{"passwordCredentials": {"userId": "cf0aa0b2d5db4d67a94d1df234c338e5",
"password": "secrete"}, "tenantId": "413abdbfef5544e2a5f3e8ac6124dd29"}}'
-XPOST http://localhost:35357/v2.0/tokens | python -mjson.tool
% Total% Received % Xferd Average Speed TimeTime Time
Current
Dload Upload Total SpentLeft Speed
100 3006 100 2854 100 152 22164 1180 --:--:-- --:--:-- --:--:-- 22472
{
"access": {
"metadata": {
"is_admin": 0,
"roles": [
"2b7f29ebd1c8453fb91e9cd7c2e1319b",
"9fe2ff9ee4384b1894a90878d3e92bab"
]
},
"serviceCatalog": [
{
"endpoints": [
{
"adminURL":
"http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"id": "3a92a79a21fb41379fa3e135be65eeff",
"internalURL":
"http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"publicURL":
"http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "nova",
"type": "compute"
},
{
"endpoints": [
{
"adminURL":
"http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"id": "64338d9eb3054598bcee30443c678e2a",
"internalURL":
"http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"publicURL":
"http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "cinderv2",
[Yahoo-eng-team] [Bug 1483382] Re: Able to request a V2 token for user and project in a non-default domain
** Changed in: keystone/kilo
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1483382
Title:
Able to request a V2 token for user and project in a non-default
domain
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Identity (keystone) kilo series:
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Using the latest devstack, I am able to request a V2 token for user
and project in a non-default domain. This problematic as non-default
domains are not suppose to be visible to V2 APIs.
Steps to reproduce:
1) install devstack
2) run these commands
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin
--os-password secrete --os-user-domain-id default --os-project-name admin
--os-project-domain-id default --os-auth-url http://localhost:5000 domain list
+--+-+-+--+
| ID | Name| Enabled | Description
|
+--+-+-+--+
| 769ad7730e0c4498b628aa8dc00e831f | foo | True|
|
| default | Default | True| Owns users and
tenants (i.e. projects) available on Identity API v2. |
+--+-+-+--+
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin
--os-password secrete --os-user-domain-id default --os-project-name admin
--os-project-domain-id default --os-auth-url http://localhost:5000 user list
--domain 769ad7730e0c4498b628aa8dc00e831f
+--+--+
| ID | Name |
+--+--+
| cf0aa0b2d5db4d67a94d1df234c338e5 | bar |
+--+--+
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin
--os-password secrete --os-user-domain-id default --os-project-name admin
--os-project-domain-id default --os-auth-url http://localhost:5000 project list
--domain 769ad7730e0c4498b628aa8dc00e831f
+--+-+
| ID | Name|
+--+-+
| 413abdbfef5544e2a5f3e8ac6124dd29 | foo-project |
+--+-+
gyee@dev:~$ curl -k -H 'Content-Type: application/json' -d '{"auth":
{"passwordCredentials": {"userId": "cf0aa0b2d5db4d67a94d1df234c338e5",
"password": "secrete"}, "tenantId": "413abdbfef5544e2a5f3e8ac6124dd29"}}'
-XPOST http://localhost:35357/v2.0/tokens | python -mjson.tool
% Total% Received % Xferd Average Speed TimeTime Time
Current
Dload Upload Total SpentLeft Speed
100 3006 100 2854 100 152 22164 1180 --:--:-- --:--:-- --:--:-- 22472
{
"access": {
"metadata": {
"is_admin": 0,
"roles": [
"2b7f29ebd1c8453fb91e9cd7c2e1319b",
"9fe2ff9ee4384b1894a90878d3e92bab"
]
},
"serviceCatalog": [
{
"endpoints": [
{
"adminURL":
"http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"id": "3a92a79a21fb41379fa3e135be65eeff",
"internalURL":
"http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"publicURL":
"http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "nova",
"type": "compute"
},
{
"endpoints": [
{
"adminURL":
"http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"id": "64338d9eb3054598bcee30443c678e2a",
"internalURL":
"http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"publicURL":
"http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "cinderv2",
"type": "volumev2"
},
{
[Yahoo-eng-team] [Bug 1483382] Re: Able to request a V2 token for user and project in a non-default domain
** Changed in: keystone/kilo
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1483382
Title:
Able to request a V2 token for user and project in a non-default
domain
Status in Keystone:
Fix Released
Status in Keystone kilo series:
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Using the latest devstack, I am able to request a V2 token for user
and project in a non-default domain. This problematic as non-default
domains are not suppose to be visible to V2 APIs.
Steps to reproduce:
1) install devstack
2) run these commands
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin
--os-password secrete --os-user-domain-id default --os-project-name admin
--os-project-domain-id default --os-auth-url http://localhost:5000 domain list
+--+-+-+--+
| ID | Name| Enabled | Description
|
+--+-+-+--+
| 769ad7730e0c4498b628aa8dc00e831f | foo | True|
|
| default | Default | True| Owns users and
tenants (i.e. projects) available on Identity API v2. |
+--+-+-+--+
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin
--os-password secrete --os-user-domain-id default --os-project-name admin
--os-project-domain-id default --os-auth-url http://localhost:5000 user list
--domain 769ad7730e0c4498b628aa8dc00e831f
+--+--+
| ID | Name |
+--+--+
| cf0aa0b2d5db4d67a94d1df234c338e5 | bar |
+--+--+
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin
--os-password secrete --os-user-domain-id default --os-project-name admin
--os-project-domain-id default --os-auth-url http://localhost:5000 project list
--domain 769ad7730e0c4498b628aa8dc00e831f
+--+-+
| ID | Name|
+--+-+
| 413abdbfef5544e2a5f3e8ac6124dd29 | foo-project |
+--+-+
gyee@dev:~$ curl -k -H 'Content-Type: application/json' -d '{"auth":
{"passwordCredentials": {"userId": "cf0aa0b2d5db4d67a94d1df234c338e5",
"password": "secrete"}, "tenantId": "413abdbfef5544e2a5f3e8ac6124dd29"}}'
-XPOST http://localhost:35357/v2.0/tokens | python -mjson.tool
% Total% Received % Xferd Average Speed TimeTime Time
Current
Dload Upload Total SpentLeft Speed
100 3006 100 2854 100 152 22164 1180 --:--:-- --:--:-- --:--:-- 22472
{
"access": {
"metadata": {
"is_admin": 0,
"roles": [
"2b7f29ebd1c8453fb91e9cd7c2e1319b",
"9fe2ff9ee4384b1894a90878d3e92bab"
]
},
"serviceCatalog": [
{
"endpoints": [
{
"adminURL":
"http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"id": "3a92a79a21fb41379fa3e135be65eeff",
"internalURL":
"http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"publicURL":
"http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "nova",
"type": "compute"
},
{
"endpoints": [
{
"adminURL":
"http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"id": "64338d9eb3054598bcee30443c678e2a",
"internalURL":
"http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"publicURL":
"http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "cinderv2",
"type": "volumev2"
},
{
"endpoints": [
{
[Yahoo-eng-team] [Bug 1483382] Re: Able to request a V2 token for user and project in a non-default domain
** Changed in: ossa
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1483382
Title:
Able to request a V2 token for user and project in a non-default
domain
Status in Keystone:
Fix Released
Status in Keystone kilo series:
In Progress
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Using the latest devstack, I am able to request a V2 token for user
and project in a non-default domain. This problematic as non-default
domains are not suppose to be visible to V2 APIs.
Steps to reproduce:
1) install devstack
2) run these commands
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin
--os-password secrete --os-user-domain-id default --os-project-name admin
--os-project-domain-id default --os-auth-url http://localhost:5000 domain list
+--+-+-+--+
| ID | Name| Enabled | Description
|
+--+-+-+--+
| 769ad7730e0c4498b628aa8dc00e831f | foo | True|
|
| default | Default | True| Owns users and
tenants (i.e. projects) available on Identity API v2. |
+--+-+-+--+
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin
--os-password secrete --os-user-domain-id default --os-project-name admin
--os-project-domain-id default --os-auth-url http://localhost:5000 user list
--domain 769ad7730e0c4498b628aa8dc00e831f
+--+--+
| ID | Name |
+--+--+
| cf0aa0b2d5db4d67a94d1df234c338e5 | bar |
+--+--+
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin
--os-password secrete --os-user-domain-id default --os-project-name admin
--os-project-domain-id default --os-auth-url http://localhost:5000 project list
--domain 769ad7730e0c4498b628aa8dc00e831f
+--+-+
| ID | Name|
+--+-+
| 413abdbfef5544e2a5f3e8ac6124dd29 | foo-project |
+--+-+
gyee@dev:~$ curl -k -H 'Content-Type: application/json' -d '{"auth":
{"passwordCredentials": {"userId": "cf0aa0b2d5db4d67a94d1df234c338e5",
"password": "secrete"}, "tenantId": "413abdbfef5544e2a5f3e8ac6124dd29"}}'
-XPOST http://localhost:35357/v2.0/tokens | python -mjson.tool
% Total% Received % Xferd Average Speed TimeTime Time
Current
Dload Upload Total SpentLeft Speed
100 3006 100 2854 100 152 22164 1180 --:--:-- --:--:-- --:--:-- 22472
{
"access": {
"metadata": {
"is_admin": 0,
"roles": [
"2b7f29ebd1c8453fb91e9cd7c2e1319b",
"9fe2ff9ee4384b1894a90878d3e92bab"
]
},
"serviceCatalog": [
{
"endpoints": [
{
"adminURL":
"http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"id": "3a92a79a21fb41379fa3e135be65eeff",
"internalURL":
"http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"publicURL":
"http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "nova",
"type": "compute"
},
{
"endpoints": [
{
"adminURL":
"http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"id": "64338d9eb3054598bcee30443c678e2a",
"internalURL":
"http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"publicURL":
"http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "cinderv2",
"type": "volumev2"
},
{
"endpoints": [
{
[Yahoo-eng-team] [Bug 1483382] Re: Able to request a V2 token for user and project in a non-default domain
** Changed in: keystone
Status: Fix Committed => Fix Released
** Changed in: keystone
Milestone: None => liberty-3
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1483382
Title:
Able to request a V2 token for user and project in a non-default
domain
Status in Keystone:
Fix Released
Status in Keystone kilo series:
In Progress
Status in OpenStack Security Advisory:
Incomplete
Bug description:
Using the latest devstack, I am able to request a V2 token for user
and project in a non-default domain. This problematic as non-default
domains are not suppose to be visible to V2 APIs.
Steps to reproduce:
1) install devstack
2) run these commands
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin
--os-password secrete --os-user-domain-id default --os-project-name admin
--os-project-domain-id default --os-auth-url http://localhost:5000 domain list
+--+-+-+--+
| ID | Name| Enabled | Description
|
+--+-+-+--+
| 769ad7730e0c4498b628aa8dc00e831f | foo | True|
|
| default | Default | True| Owns users and
tenants (i.e. projects) available on Identity API v2. |
+--+-+-+--+
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin
--os-password secrete --os-user-domain-id default --os-project-name admin
--os-project-domain-id default --os-auth-url http://localhost:5000 user list
--domain 769ad7730e0c4498b628aa8dc00e831f
+--+--+
| ID | Name |
+--+--+
| cf0aa0b2d5db4d67a94d1df234c338e5 | bar |
+--+--+
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin
--os-password secrete --os-user-domain-id default --os-project-name admin
--os-project-domain-id default --os-auth-url http://localhost:5000 project list
--domain 769ad7730e0c4498b628aa8dc00e831f
+--+-+
| ID | Name|
+--+-+
| 413abdbfef5544e2a5f3e8ac6124dd29 | foo-project |
+--+-+
gyee@dev:~$ curl -k -H 'Content-Type: application/json' -d '{"auth":
{"passwordCredentials": {"userId": "cf0aa0b2d5db4d67a94d1df234c338e5",
"password": "secrete"}, "tenantId": "413abdbfef5544e2a5f3e8ac6124dd29"}}'
-XPOST http://localhost:35357/v2.0/tokens | python -mjson.tool
% Total% Received % Xferd Average Speed TimeTime Time
Current
Dload Upload Total SpentLeft Speed
100 3006 100 2854 100 152 22164 1180 --:--:-- --:--:-- --:--:-- 22472
{
"access": {
"metadata": {
"is_admin": 0,
"roles": [
"2b7f29ebd1c8453fb91e9cd7c2e1319b",
"9fe2ff9ee4384b1894a90878d3e92bab"
]
},
"serviceCatalog": [
{
"endpoints": [
{
"adminURL":
"http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"id": "3a92a79a21fb41379fa3e135be65eeff",
"internalURL":
"http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"publicURL":
"http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "nova",
"type": "compute"
},
{
"endpoints": [
{
"adminURL":
"http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"id": "64338d9eb3054598bcee30443c678e2a",
"internalURL":
"http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"publicURL":
"http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "cinderv2",
"type": "volumev2"
},
{
[Yahoo-eng-team] [Bug 1483382] Re: Able to request a V2 token for user and project in a non-default domain
Fixed by https://review.openstack.org/#/c/208069/
** Changed in: keystone
Importance: Undecided = High
** Changed in: keystone
Status: New = Fix Committed
** Changed in: keystone
Assignee: (unassigned) = Dolph Mathews (dolph)
** Also affects: keystone/kilo
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1483382
Title:
Able to request a V2 token for user and project in a non-default
domain
Status in Keystone:
Fix Committed
Status in Keystone kilo series:
New
Status in OpenStack Security Advisory:
Incomplete
Bug description:
Using the latest devstack, I am able to request a V2 token for user
and project in a non-default domain. This problematic as non-default
domains are not suppose to be visible to V2 APIs.
Steps to reproduce:
1) install devstack
2) run these commands
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin
--os-password secrete --os-user-domain-id default --os-project-name admin
--os-project-domain-id default --os-auth-url http://localhost:5000 domain list
+--+-+-+--+
| ID | Name| Enabled | Description
|
+--+-+-+--+
| 769ad7730e0c4498b628aa8dc00e831f | foo | True|
|
| default | Default | True| Owns users and
tenants (i.e. projects) available on Identity API v2. |
+--+-+-+--+
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin
--os-password secrete --os-user-domain-id default --os-project-name admin
--os-project-domain-id default --os-auth-url http://localhost:5000 user list
--domain 769ad7730e0c4498b628aa8dc00e831f
+--+--+
| ID | Name |
+--+--+
| cf0aa0b2d5db4d67a94d1df234c338e5 | bar |
+--+--+
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin
--os-password secrete --os-user-domain-id default --os-project-name admin
--os-project-domain-id default --os-auth-url http://localhost:5000 project list
--domain 769ad7730e0c4498b628aa8dc00e831f
+--+-+
| ID | Name|
+--+-+
| 413abdbfef5544e2a5f3e8ac6124dd29 | foo-project |
+--+-+
gyee@dev:~$ curl -k -H 'Content-Type: application/json' -d '{auth:
{passwordCredentials: {userId: cf0aa0b2d5db4d67a94d1df234c338e5,
password: secrete}, tenantId: 413abdbfef5544e2a5f3e8ac6124dd29}}'
-XPOST http://localhost:35357/v2.0/tokens | python -mjson.tool
% Total% Received % Xferd Average Speed TimeTime Time
Current
Dload Upload Total SpentLeft Speed
100 3006 100 2854 100 152 22164 1180 --:--:-- --:--:-- --:--:-- 22472
{
access: {
metadata: {
is_admin: 0,
roles: [
2b7f29ebd1c8453fb91e9cd7c2e1319b,
9fe2ff9ee4384b1894a90878d3e92bab
]
},
serviceCatalog: [
{
endpoints: [
{
adminURL:
http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
id: 3a92a79a21fb41379fa3e135be65eeff,
internalURL:
http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
publicURL:
http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
region: RegionOne
}
],
endpoints_links: [],
name: nova,
type: compute
},
{
endpoints: [
{
adminURL:
http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
id: 64338d9eb3054598bcee30443c678e2a,
internalURL:
http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
publicURL:
http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29;,
region: RegionOne
}
],
endpoints_links: [],
