[Yahoo-eng-team] [Bug 1483382] Re: Able to request a V2 token for user and project in a non-default domain
** Changed in: keystone/kilo
       Status: Fix Released => Fix Committed

** Changed in: keystone/kilo
    Milestone: 2015.1.2 => 2015.1.3

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1483382

Title:
  Able to request a V2 token for user and project in a non-default domain

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) kilo series:
  Fix Committed
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Using the latest devstack, I am able to request a V2 token for user and
  project in a non-default domain. This is problematic as non-default
  domains are not supposed to be visible to V2 APIs.

  Steps to reproduce:

  1) install devstack

  2) run these commands

  gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin --os-password secrete --os-user-domain-id default --os-project-name admin --os-project-domain-id default --os-auth-url http://localhost:5000 domain list
  +----------------------------------+---------+---------+----------------------------------------------------------------------+
  | ID                               | Name    | Enabled | Description                                                          |
  +----------------------------------+---------+---------+----------------------------------------------------------------------+
  | 769ad7730e0c4498b628aa8dc00e831f | foo     | True    |                                                                      |
  | default                          | Default | True    | Owns users and tenants (i.e. projects) available on Identity API v2. |
  +----------------------------------+---------+---------+----------------------------------------------------------------------+

  gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin --os-password secrete --os-user-domain-id default --os-project-name admin --os-project-domain-id default --os-auth-url http://localhost:5000 user list --domain 769ad7730e0c4498b628aa8dc00e831f
  +----------------------------------+------+
  | ID                               | Name |
  +----------------------------------+------+
  | cf0aa0b2d5db4d67a94d1df234c338e5 | bar  |
  +----------------------------------+------+

  gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin --os-password secrete --os-user-domain-id default --os-project-name admin --os-project-domain-id default --os-auth-url http://localhost:5000 project list --domain 769ad7730e0c4498b628aa8dc00e831f
  +----------------------------------+-------------+
  | ID                               | Name        |
  +----------------------------------+-------------+
  | 413abdbfef5544e2a5f3e8ac6124dd29 | foo-project |
  +----------------------------------+-------------+

  gyee@dev:~$ curl -k -H 'Content-Type: application/json' -d '{"auth": {"passwordCredentials": {"userId": "cf0aa0b2d5db4d67a94d1df234c338e5", "password": "secrete"}, "tenantId": "413abdbfef5544e2a5f3e8ac6124dd29"}}' -XPOST http://localhost:35357/v2.0/tokens | python -mjson.tool
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100  3006  100  2854  100   152  22164   1180 --:--:-- --:--:-- --:--:-- 22472
  {
      "access": {
          "metadata": {
              "is_admin": 0,
              "roles": [
                  "2b7f29ebd1c8453fb91e9cd7c2e1319b",
                  "9fe2ff9ee4384b1894a90878d3e92bab"
              ]
          },
          "serviceCatalog": [
              {
                  "endpoints": [
                      {
                          "adminURL": "http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29",
                          "id": "3a92a79a21fb41379fa3e135be65eeff",
                          "internalURL": "http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29",
                          "publicURL": "http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29",
                          "region": "RegionOne"
                      }
                  ],
                  "endpoints_links": [],
                  "name": "nova",
                  "type": "compute"
              },
              {
                  "endpoints": [
                      {
                          "adminURL": "http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29",
                          "id": "64338d9eb3054598bcee30443c678e2a",
                          "internalURL": "http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29",
                          "publicURL": "http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29",
                          "region": "RegionOne"
                      }
                  ],
                  "endpoints_links": [],
                  "name": "cinderv2",
[Yahoo-eng-team] [Bug 1483382] Re: Able to request a V2 token for user and project in a non-default domain
** Changed in: keystone/kilo
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1483382

Title:
  Able to request a V2 token for user and project in a non-default domain

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) kilo series:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix
[Yahoo-eng-team] [Bug 1483382] Re: Able to request a V2 token for user and project in a non-default domain
** Changed in: keystone/kilo
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1483382

Title:
  Able to request a V2 token for user and project in a non-default domain

Status in Keystone:
  Fix Released
Status in Keystone kilo series:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix
[Yahoo-eng-team] [Bug 1483382] Re: Able to request a V2 token for user and project in a non-default domain
** Changed in: ossa
       Status: Incomplete => Won't Fix

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1483382

Title:
  Able to request a V2 token for user and project in a non-default domain

Status in Keystone:
  Fix Released
Status in Keystone kilo series:
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix
[Yahoo-eng-team] [Bug 1483382] Re: Able to request a V2 token for user and project in a non-default domain
** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => liberty-3

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1483382

Title:
  Able to request a V2 token for user and project in a non-default domain

Status in Keystone:
  Fix Released
Status in Keystone kilo series:
  In Progress
Status in OpenStack Security Advisory:
  Incomplete
[Yahoo-eng-team] [Bug 1483382] Re: Able to request a V2 token for user and project in a non-default domain
Fixed by https://review.openstack.org/#/c/208069/

** Changed in: keystone
   Importance: Undecided => High

** Changed in: keystone
       Status: New => Fix Committed

** Changed in: keystone
     Assignee: (unassigned) => Dolph Mathews (dolph)

** Also affects: keystone/kilo
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1483382

Title:
  Able to request a V2 token for user and project in a non-default domain

Status in Keystone:
  Fix Committed
Status in Keystone kilo series:
  New
Status in OpenStack Security Advisory:
  Incomplete
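Added example, not part of the original messages and not Keystone's code or the change at review 208069: a small Python model of the check the bug description says is missing, where a v2 token request is refused unless both the user and the project belong to the default domain. The in-memory USERS and PROJECTS tables, the function names and the "v2-user" / "v2-project" entries are assumptions made for illustration; role assignments are left out.

```python
import hmac

DEFAULT_DOMAIN_ID = "default"
FOO_DOMAIN_ID = "769ad7730e0c4498b628aa8dc00e831f"  # domain "foo" in the report

# Constructed records. The first entry of each dict uses the IDs from the bug
# report; "v2-user" and "v2-project" are hypothetical default-domain entries.
# Plaintext passwords exist only to keep this model short.
USERS = {
    "cf0aa0b2d5db4d67a94d1df234c338e5": {"password": "secrete", "domain_id": FOO_DOMAIN_ID},
    "v2-user": {"password": "secrete", "domain_id": DEFAULT_DOMAIN_ID},
}
PROJECTS = {
    "413abdbfef5544e2a5f3e8ac6124dd29": {"name": "foo-project", "domain_id": FOO_DOMAIN_ID},
    "v2-project": {"name": "demo", "domain_id": DEFAULT_DOMAIN_ID},
}


class Unauthorized(Exception):
    """Stand-in for an HTTP 401 response."""


def _lookup(body):
    """Verify the password and resolve the user and project records."""
    auth = body["auth"]
    creds = auth["passwordCredentials"]
    user = USERS.get(creds["userId"])
    project = PROJECTS.get(auth["tenantId"])
    if user is None or project is None:
        raise Unauthorized("unknown user or tenant")
    if not hmac.compare_digest(user["password"], creds["password"]):
        raise Unauthorized("invalid password")
    return user, project


def _token(body):
    """Simplified v2-style response carrying only the user and tenant IDs."""
    auth = body["auth"]
    return {"access": {"user": {"id": auth["passwordCredentials"]["userId"]},
                       "token": {"tenant": {"id": auth["tenantId"]}}}}


def authenticate_v2_unchecked(body):
    """Behaviour described in the report: domains are never consulted."""
    _lookup(body)
    return _token(body)


def authenticate_v2_checked(body):
    """Refuse a v2 token unless user and project are both in the default domain."""
    user, project = _lookup(body)
    for kind, ref in (("user", user), ("project", project)):
        if ref["domain_id"] != DEFAULT_DOMAIN_ID:
            raise Unauthorized(kind + " is outside the default domain")
    return _token(body)


# Request body taken from the curl command in the bug description.
REPORTED_REQUEST = {"auth": {
    "passwordCredentials": {"userId": "cf0aa0b2d5db4d67a94d1df234c338e5",
                            "password": "secrete"},
    "tenantId": "413abdbfef5544e2a5f3e8ac6124dd29"}}
```
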