Public bug reported:
The code starting at
https://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/policy.py#L130
sets four keys on the policy check target equal to the user's domain id
(e.g the domain in which the user was created). Line 144 then reassigns
the 'domain_id' key with the domain to which the user has a scoped token
*if* they have such a token.
This creates a double meaning for domain_id. When keystone uses
'domain_id' in policy checks, the meaning is 'the domain to which a
token is scoped', so a check for 'is a domain admin' might be
'role:admin and domain_id:%(domain_id)s'. Under Horizon this doesn't
work, since the domain_id part essentially always passes, and thus a
project admin is indistinguishable from a domain admin.
My proposal is to set domain_id only if there is a domain scoped token.
If a policy check actually requires the user's domain, it can use
attributes on the token (token.user.domain.id).
** Affects: horizon
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1616669
Title:
Policy check target is inconsistent in use of domain_id
Status in OpenStack Dashboard (Horizon):
New
Bug description:
The code starting at
https://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/policy.py#L130
sets four keys on the policy check target equal to the user's domain
id (e.g the domain in which the user was created). Line 144 then
reassigns the 'domain_id' key with the domain to which the user has a
scoped token *if* they have such a token.
This creates a double meaning for domain_id. When keystone uses
'domain_id' in policy checks, the meaning is 'the domain to which a
token is scoped', so a check for 'is a domain admin' might be
'role:admin and domain_id:%(domain_id)s'. Under Horizon this doesn't
work, since the domain_id part essentially always passes, and thus a
project admin is indistinguishable from a domain admin.
My proposal is to set domain_id only if there is a domain scoped
token. If a policy check actually requires the user's domain, it can
use attributes on the token (token.user.domain.id).
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1616669/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
