Public bug reported:

Prerequisites:
1) Create a group and a user in some domain.
2) Create a test role.
3) Grant the test role to the domain group and to the domain user.

Steps to reproduce:

1) Get a project-scoped token for the admin user (API: http://address:port/v3/auth/tokens) with the header "Content-Type: application/json" and the body:

    {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": "admin",
                        "domain": { "id": "default" },
                        "password": "adminpwd"
                    }
                }
            },
            "scope": {
                "project": {
                    "name": "project_name",
                    "domain": { "id": "default" }
                }
            }
        }
    }

2) Using the token from step 1 (taken from the "X-Subject-Token" response header), check the role for the domain group/user (HEAD request) at
   http://address:port/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} and
   http://address:port/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
   with the headers "Content-Type: application/json" and "X-Auth-Token: token_from_step_1".

   Expected result: the admin with a project-scoped token should be able to check the role for the domain group/user.

   Actual result: the admin with a project-scoped token can't check the role for the domain group/user; the response is HTTP 403 (Forbidden) with "No response received" in the body.

3) Using the token from step 1 (taken from the "X-Subject-Token" response header), list the roles for the domain group/user (HEAD request) at
   http://address:port/v3/domains/{domain_id}/groups/{group_id}/roles and
   http://address:port/v3/domains/{domain_id}/users/{user_id}/roles
   with the headers "Content-Type: application/json" and "X-Auth-Token: token_from_step_1".

   Expected result: the admin with a project-scoped token should be able to list the roles for the domain group/user.

   Actual result: the admin with a project-scoped token can't list the roles for the domain group/user; the response is HTTP 403 (Forbidden) with the following body:

    {
        "error": {
            "message": "You are not authorized to perform the requested action: identity:list_grants (Disable debug mode to suppress these details.)",
            "code": 403,
            "title": "Forbidden"
        }
    }

But an admin with a domain-scoped token can check and list roles for the domain group/user, and can check and list roles for a project group/user.
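The reproduction steps above as a runnable probe (an added example, not code from the report or from Keystone): it requests the project-scoped token, then issues the grant check and list requests against the domain endpoints and returns each HTTP status. The base URL, credentials and ids are placeholders the caller supplies, and the HTTP transport is injectable so the flow can be exercised offline.

```python
# Added example: probe for the 403 described in the report. Not code from the
# report or from Keystone; endpoint, credentials and ids are caller-supplied placeholders.
import json
import urllib.error
import urllib.request

def auth_request_body(user, password, project, domain_id="default"):
    """Project-scoped password auth body (step 1 of the report)."""
    return {"auth": {
        "identity": {
            "methods": ["password"],
            "password": {"user": {"name": user,
                                  "domain": {"id": domain_id},
                                  "password": password}}},
        "scope": {"project": {"name": project, "domain": {"id": domain_id}}}}}

def urllib_transport(method, url, headers, body=None):
    """Return (status, response headers, body text); 4xx/5xx are returned, not raised."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode()

def probe_domain_grants(base_url, creds, domain_id, user_id, group_id, role_id,
                        transport=urllib_transport):
    """Steps 2 and 3 of the report; returns {probe name: HTTP status}."""
    headers = {"Content-Type": "application/json"}
    status, resp_headers, _ = transport("POST", f"{base_url}/v3/auth/tokens",
                                        headers, auth_request_body(*creds))
    if status != 201:
        raise RuntimeError(f"token request failed with HTTP {status}")
    headers["X-Auth-Token"] = resp_headers["X-Subject-Token"]
    prefix = f"{base_url}/v3/domains/{domain_id}"
    probes = {  # check_grant is a HEAD (204 when the grant exists); list_grants a GET (200)
        "check_user_grant": ("HEAD", f"{prefix}/users/{user_id}/roles/{role_id}"),
        "check_group_grant": ("HEAD", f"{prefix}/groups/{group_id}/roles/{role_id}"),
        "list_user_grants": ("GET", f"{prefix}/users/{user_id}/roles"),
        "list_group_grants": ("GET", f"{prefix}/groups/{group_id}/roles"),
    }
    return {name: transport(method, url, headers)[0]
            for name, (method, url) in probes.items()}

def forbidden_probes(results):
    """Names of the probes that came back 403, i.e. the symptom in the report."""
    return sorted(name for name, status in results.items() if status == 403)
```

With the default transport, point `base_url` at a Keystone v3 endpoint; an empty list from `forbidden_probes` means the project-scoped admin was authorized for all four requests.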
In policy.json the relevant rules are:

    "admin_on_project_filter": "rule:cloud_admin or (rule:admin_required and (project_id:%(scope.project.id)s or domain_id:%(target.project.domain_id)s))",
    "check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
    "list_grants": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1503755

Title:
  Admin with project-scoped token unable to grant, check, list, revoke roles for domain group/user

Status in Keystone:
  New