Public bug reported:
When using a domain-scoped token and trying to list the users in a group (the reporter's end goal is adding users to that group), keystone returns this 403 error:
{u'error': {u'code': 403,
u'message': u'You are not authorized to perform the requested action:
identity:list_users_in_group (Disable debug mode to suppress these details.)',
u'title': u'Forbidden'}}.
To reproduce this bug you may use the following code (OS_AUTH_URL, OS_USERNAME and OS_PASSWORD must be defined first, and a user "mario" must exist in the "nintendo" domain — presumably holding a domain-level admin role, per the title):
import requests
import json
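def get_unscoped_token(username, password, domain):
    """Authenticate with a password and return an unscoped keystone v3 token.

    Args:
        username: The user's *name* (not its ID), as the payload uses ``name``.
        password: The user's password.
        domain: Name of the domain that owns the user.

    Returns:
        The token ID taken from the ``X-Subject-Token`` response header.

    Raises:
        requests.HTTPError: if keystone rejects the request (e.g. 401). Without
            this check a failed login only surfaced as a KeyError on the
            missing ``X-Subject-Token`` header, which hides the real cause.
    """
    # OS_AUTH_URL is not defined in the snippet; it is expected to be the
    # v3 token endpoint (/v3/auth/tokens) -- TODO confirm in your environment.
    headers = {'Content-Type': 'application/json'}
    payload = {
        'auth': {
            # No 'scope' key: keystone issues an unscoped token.
            'identity': {
                'methods': ['password'],
                'password': {
                    'user': {
                        'name': username,
                        'password': password,
                        'domain': {'name': domain},
                    }
                },
            }
        }
    }
    r = requests.post(OS_AUTH_URL, data=json.dumps(payload), headers=headers)
    r.raise_for_status()
    return r.headers['X-Subject-Token']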
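def get_token_scoped_to_domain(unscoped_token, domain):
    """Exchange an unscoped token for a token scoped to a domain.

    Args:
        unscoped_token: Token ID obtained from ``get_unscoped_token``.
        domain: Name of the domain to scope the new token to.

    Returns:
        The domain-scoped token ID from the ``X-Subject-Token`` header.

    Raises:
        requests.HTTPError: if keystone rejects the rescope (e.g. the user
            has no role on that domain). Without this check the failure only
            surfaced as a KeyError on the missing ``X-Subject-Token`` header.
    """
    headers = {'Content-Type': 'application/json'}
    payload = {
        "auth": {
            "identity": {
                "methods": ["token"],
                "token": {"id": unscoped_token},
            },
            "scope": {"domain": {"name": domain}},
        }
    }
    r = requests.post(OS_AUTH_URL, data=json.dumps(payload), headers=headers)
    r.raise_for_status()
    return r.headers['X-Subject-Token']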
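def get_token_scoped_to_project(unscoped_token, project):
    """Exchange an unscoped token for a token scoped to a project.

    Not called anywhere in the repro; kept for completeness.

    NOTE(review): the scope names the project only by ``name`` with no domain;
    keystone v3 normally needs the project's domain to disambiguate a name --
    verify against your deployment before relying on this helper.

    Args:
        unscoped_token: Token ID obtained from ``get_unscoped_token``.
        project: Name of the project to scope the new token to.

    Returns:
        The project-scoped token ID from the ``X-Subject-Token`` header.

    Raises:
        requests.HTTPError: if keystone rejects the rescope; previously the
            failure only surfaced as a KeyError on the missing header.
    """
    headers = {'Content-Type': 'application/json'}
    payload = {
        "auth": {
            "identity": {
                "methods": ["token"],
                "token": {"id": unscoped_token},
            },
            "scope": {"project": {"name": project}},
        }
    }
    r = requests.post(OS_AUTH_URL, data=json.dumps(payload), headers=headers)
    r.raise_for_status()
    return r.headers['X-Subject-Token']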
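def list_domains(token, base_url="http://192.168.27.100:35357"):
    """Return the domains visible to ``token``.

    Args:
        token: An X-Auth-Token value.
        base_url: Keystone endpoint. Defaults to the lab host's admin port
            (35357) hard-coded in the original. Note this is plain http, so
            the token crosses the wire in the clear -- lab use only.

    Returns:
        The ``domains`` list from the JSON response body.

    Raises:
        requests.HTTPError: on a non-2xx response. The original indexed
            ``["domains"]`` on the error body and died with a KeyError.
    """
    headers = {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'X-Auth-Token': token,
    }
    r = requests.get("%s/v3/domains" % base_url, headers=headers)
    r.raise_for_status()
    return r.json()["domains"]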
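def list_groups_for_domain(domain_id, token, base_url="http://192.168.27.100:5000"):
    """Return the groups in domain ``domain_id`` visible to ``token``.

    Args:
        domain_id: ID of the domain to filter on.
        token: An X-Auth-Token value.
        base_url: Keystone endpoint. Defaults to the lab host's *public* port
            (5000) used by the original -- unlike the other helpers in this
            snippet, which talk to the admin port 35357. Plain http: the token
            travels in the clear.

    Returns:
        The ``groups`` list from the JSON response body.

    Raises:
        requests.HTTPError: on a non-2xx response instead of a KeyError on
            ``["groups"]`` from the error body.
    """
    headers = {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'X-Auth-Token': token,
    }
    # Pass the filter via params so the value is URL-encoded rather than
    # spliced raw into the query string.
    r = requests.get(
        "%s/v3/groups" % base_url,
        params={'domain_id': domain_id},
        headers=headers,
    )
    r.raise_for_status()
    return r.json()["groups"]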
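def get_domain_named(domain_name, token):
    """Find a domain by exact name using ``token`` for the listing call.

    Fixes the original, which ignored its ``token`` parameter and read the
    module-level ``domain_token`` instead, so the lookup silently ran under
    whatever token the script had last assigned to that global.

    Args:
        domain_name: Exact domain name to match.
        token: X-Auth-Token passed through to ``list_domains``.

    Returns:
        The matching domain dict as returned by keystone.

    Raises:
        LookupError: if no visible domain has that name (the original let a
            bare StopIteration escape from ``next``).
    """
    for candidate in list_domains(token):
        if candidate.get("name") == domain_name:
            return candidate
    raise LookupError("no domain named %r is visible to this token" % domain_name)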
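def get_group_named_in_domain(group_name, domain_id, token):
    """Find a group by exact name within domain ``domain_id``.

    Args:
        group_name: Exact group name to match.
        domain_id: ID of the domain the group belongs to.
        token: X-Auth-Token passed through to ``list_groups_for_domain``.

    Returns:
        The matching group dict as returned by keystone.

    Raises:
        LookupError: if the domain has no group with that name (the original
            let a bare StopIteration escape from ``next``).
    """
    for candidate in list_groups_for_domain(domain_id, token):
        if candidate.get("name") == group_name:
            return candidate
    raise LookupError(
        "no group named %r in domain %r is visible to this token"
        % (group_name, domain_id)
    )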
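def get_users_in_group_in_domain(group_id, domain_id, token, base_url="http://192.168.27.100:35357"):
    """GET /v3/groups/{group_id}/users and return the raw JSON body.

    This is the call that produces the 403 in the bug report, so unlike the
    other helpers it deliberately does NOT raise on a non-2xx status: the
    error body (``{"error": {"code": 403, ...}}``) is the evidence and is
    returned as-is for the caller to inspect.

    Args:
        group_id: ID of the group whose members to list.
        domain_id: Sent as a ``domain_id`` query filter, as in the original.
        token: An X-Auth-Token value (a domain-scoped token in the repro).
        base_url: Keystone endpoint; defaults to the lab host's admin port
            used by the original. Plain http: the token travels in the clear.

    Returns:
        The decoded JSON response body, whatever the status code.
    """
    headers = {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'X-Auth-Token': token,
    }
    # group_id comes from keystone itself in this script; if it ever came from
    # an untrusted source it should be percent-encoded before going into the
    # path.
    r = requests.get(
        "%s/v3/groups/%s/users" % (base_url, group_id),
        params={'domain_id': domain_id},
        headers=headers,
    )
    return r.json()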
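# --- repro ------------------------------------------------------------------
# OS_AUTH_URL, OS_USERNAME and OS_PASSWORD are not defined in this snippet and
# must be set before it runs; OS_USERNAME is a user in the "default" domain
# that can list domains.

# Step 1: as the "default"-domain user, resolve the "nintendo" domain's ID.
unscoped_token = get_unscoped_token(OS_USERNAME, OS_PASSWORD, "default")
domain_token = get_token_scoped_to_domain(unscoped_token, "default")
nintendo_domain = get_domain_named("nintendo", domain_token)
nintendo_id = nintendo_domain.get("id")

# Step 2: nintendo domain operations as the domain user "mario".
# "mario"/"pass" are throw-away lab credentials, not real secrets.
unscoped_token = get_unscoped_token("mario", "pass", "nintendo")
domain_token = get_token_scoped_to_domain(unscoped_token, "nintendo")

# Per the report, listing groups works with the domain-scoped token (the
# original issued this request twice and discarded both results; once is
# enough, and get_group_named_in_domain lists again anyway).
list_groups_for_domain(nintendo_id, domain_token)
mygroup = get_group_named_in_domain("mygroup", nintendo_id, domain_token)

# Listing the group's users is the request that comes back 403
# (identity:list_users_in_group). Print the body so the error is visible
# instead of silently discarding the return value.
print(json.dumps(
    get_users_in_group_in_domain(mygroup.get("id"), nintendo_id, domain_token),
    indent=2,
))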
** Affects: keystone
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/1458994
Title:
When logged in as a pure domain admin, cannot list users in a group
Status in OpenStack Identity (Keystone):
New
Bug description:
When using a domain-scoped token and trying to list the users in a group (the reporter's end goal is adding users to that group), keystone returns this 403 error:
{u'error': {u'code': 403,
u'message': u'You are not authorized to perform the requested action:
identity:list_users_in_group (Disable debug mode to suppress these details.)',
u'title': u'Forbidden'}}.
To reproduce this bug you may use the following code (OS_AUTH_URL, OS_USERNAME and OS_PASSWORD must be defined first, and a user "mario" must exist in the "nintendo" domain — presumably holding a domain-level admin role, per the title):
import requests
import json
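def get_unscoped_token(username, password, domain):
    """Authenticate with a password and return an unscoped keystone v3 token.

    Args:
        username: The user's *name* (not its ID), as the payload uses ``name``.
        password: The user's password.
        domain: Name of the domain that owns the user.

    Returns:
        The token ID taken from the ``X-Subject-Token`` response header.

    Raises:
        requests.HTTPError: if keystone rejects the request (e.g. 401). Without
            this check a failed login only surfaced as a KeyError on the
            missing ``X-Subject-Token`` header, which hides the real cause.
    """
    # OS_AUTH_URL is not defined in the snippet; it is expected to be the
    # v3 token endpoint (/v3/auth/tokens) -- TODO confirm in your environment.
    headers = {'Content-Type': 'application/json'}
    payload = {
        'auth': {
            # No 'scope' key: keystone issues an unscoped token.
            'identity': {
                'methods': ['password'],
                'password': {
                    'user': {
                        'name': username,
                        'password': password,
                        'domain': {'name': domain},
                    }
                },
            }
        }
    }
    r = requests.post(OS_AUTH_URL, data=json.dumps(payload), headers=headers)
    r.raise_for_status()
    return r.headers['X-Subject-Token']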
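def get_token_scoped_to_domain(unscoped_token, domain):
    """Exchange an unscoped token for a token scoped to a domain.

    Args:
        unscoped_token: Token ID obtained from ``get_unscoped_token``.
        domain: Name of the domain to scope the new token to.

    Returns:
        The domain-scoped token ID from the ``X-Subject-Token`` header.

    Raises:
        requests.HTTPError: if keystone rejects the rescope (e.g. the user
            has no role on that domain). Without this check the failure only
            surfaced as a KeyError on the missing ``X-Subject-Token`` header.
    """
    headers = {'Content-Type': 'application/json'}
    payload = {
        "auth": {
            "identity": {
                "methods": ["token"],
                "token": {"id": unscoped_token},
            },
            "scope": {"domain": {"name": domain}},
        }
    }
    r = requests.post(OS_AUTH_URL, data=json.dumps(payload), headers=headers)
    r.raise_for_status()
    return r.headers['X-Subject-Token']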
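def get_token_scoped_to_project(unscoped_token, project):
    """Exchange an unscoped token for a token scoped to a project.

    Not called anywhere in the repro; kept for completeness.

    NOTE(review): the scope names the project only by ``name`` with no domain;
    keystone v3 normally needs the project's domain to disambiguate a name --
    verify against your deployment before relying on this helper.

    Args:
        unscoped_token: Token ID obtained from ``get_unscoped_token``.
        project: Name of the project to scope the new token to.

    Returns:
        The project-scoped token ID from the ``X-Subject-Token`` header.

    Raises:
        requests.HTTPError: if keystone rejects the rescope; previously the
            failure only surfaced as a KeyError on the missing header.
    """
    headers = {'Content-Type': 'application/json'}
    payload = {
        "auth": {
            "identity": {
                "methods": ["token"],
                "token": {"id": unscoped_token},
            },
            "scope": {"project": {"name": project}},
        }
    }
    r = requests.post(OS_AUTH_URL, data=json.dumps(payload), headers=headers)
    r.raise_for_status()
    return r.headers['X-Subject-Token']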
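def list_domains(token, base_url="http://192.168.27.100:35357"):
    """Return the domains visible to ``token``.

    Args:
        token: An X-Auth-Token value.
        base_url: Keystone endpoint. Defaults to the lab host's admin port
            (35357) hard-coded in the original. Note this is plain http, so
            the token crosses the wire in the clear -- lab use only.

    Returns:
        The ``domains`` list from the JSON response body.

    Raises:
        requests.HTTPError: on a non-2xx response. The original indexed
            ``["domains"]`` on the error body and died with a KeyError.
    """
    headers = {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'X-Auth-Token': token,
    }
    r = requests.get("%s/v3/domains" % base_url, headers=headers)
    r.raise_for_status()
    return r.json()["domains"]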
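def list_groups_for_domain(domain_id, token, base_url="http://192.168.27.100:5000"):
    """Return the groups in domain ``domain_id`` visible to ``token``.

    Args:
        domain_id: ID of the domain to filter on.
        token: An X-Auth-Token value.
        base_url: Keystone endpoint. Defaults to the lab host's *public* port
            (5000) used by the original -- unlike the other helpers in this
            snippet, which talk to the admin port 35357. Plain http: the token
            travels in the clear.

    Returns:
        The ``groups`` list from the JSON response body.

    Raises:
        requests.HTTPError: on a non-2xx response instead of a KeyError on
            ``["groups"]`` from the error body.
    """
    headers = {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'X-Auth-Token': token,
    }
    # Pass the filter via params so the value is URL-encoded rather than
    # spliced raw into the query string.
    r = requests.get(
        "%s/v3/groups" % base_url,
        params={'domain_id': domain_id},
        headers=headers,
    )
    r.raise_for_status()
    return r.json()["groups"]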
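def get_domain_named(domain_name, token):
    """Find a domain by exact name using ``token`` for the listing call.

    Fixes the original, which ignored its ``token`` parameter and read the
    module-level ``domain_token`` instead, so the lookup silently ran under
    whatever token the script had last assigned to that global.

    Args:
        domain_name: Exact domain name to match.
        token: X-Auth-Token passed through to ``list_domains``.

    Returns:
        The matching domain dict as returned by keystone.

    Raises:
        LookupError: if no visible domain has that name (the original let a
            bare StopIteration escape from ``next``).
    """
    for candidate in list_domains(token):
        if candidate.get("name") == domain_name:
            return candidate
    raise LookupError("no domain named %r is visible to this token" % domain_name)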
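def get_group_named_in_domain(group_name, domain_id, token):
    """Find a group by exact name within domain ``domain_id``.

    Args:
        group_name: Exact group name to match.
        domain_id: ID of the domain the group belongs to.
        token: X-Auth-Token passed through to ``list_groups_for_domain``.

    Returns:
        The matching group dict as returned by keystone.

    Raises:
        LookupError: if the domain has no group with that name (the original
            let a bare StopIteration escape from ``next``).
    """
    for candidate in list_groups_for_domain(domain_id, token):
        if candidate.get("name") == group_name:
            return candidate
    raise LookupError(
        "no group named %r in domain %r is visible to this token"
        % (group_name, domain_id)
    )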
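def get_users_in_group_in_domain(group_id, domain_id, token, base_url="http://192.168.27.100:35357"):
    """GET /v3/groups/{group_id}/users and return the raw JSON body.

    This is the call that produces the 403 in the bug report, so unlike the
    other helpers it deliberately does NOT raise on a non-2xx status: the
    error body (``{"error": {"code": 403, ...}}``) is the evidence and is
    returned as-is for the caller to inspect.

    Args:
        group_id: ID of the group whose members to list.
        domain_id: Sent as a ``domain_id`` query filter, as in the original.
        token: An X-Auth-Token value (a domain-scoped token in the repro).
        base_url: Keystone endpoint; defaults to the lab host's admin port
            used by the original. Plain http: the token travels in the clear.

    Returns:
        The decoded JSON response body, whatever the status code.
    """
    headers = {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'X-Auth-Token': token,
    }
    # group_id comes from keystone itself in this script; if it ever came from
    # an untrusted source it should be percent-encoded before going into the
    # path.
    r = requests.get(
        "%s/v3/groups/%s/users" % (base_url, group_id),
        params={'domain_id': domain_id},
        headers=headers,
    )
    return r.json()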
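# --- repro ------------------------------------------------------------------
# OS_AUTH_URL, OS_USERNAME and OS_PASSWORD are not defined in this snippet and
# must be set before it runs; OS_USERNAME is a user in the "default" domain
# that can list domains.

# Step 1: as the "default"-domain user, resolve the "nintendo" domain's ID.
unscoped_token = get_unscoped_token(OS_USERNAME, OS_PASSWORD, "default")
domain_token = get_token_scoped_to_domain(unscoped_token, "default")
nintendo_domain = get_domain_named("nintendo", domain_token)
nintendo_id = nintendo_domain.get("id")

# Step 2: nintendo domain operations as the domain user "mario".
# "mario"/"pass" are throw-away lab credentials, not real secrets.
unscoped_token = get_unscoped_token("mario", "pass", "nintendo")
domain_token = get_token_scoped_to_domain(unscoped_token, "nintendo")

# Per the report, listing groups works with the domain-scoped token (the
# original issued this request twice and discarded both results; once is
# enough, and get_group_named_in_domain lists again anyway).
list_groups_for_domain(nintendo_id, domain_token)
mygroup = get_group_named_in_domain("mygroup", nintendo_id, domain_token)

# Listing the group's users is the request that comes back 403
# (identity:list_users_in_group). Print the body so the error is visible
# instead of silently discarding the return value.
print(json.dumps(
    get_users_in_group_in_domain(mygroup.get("id"), nintendo_id, domain_token),
    indent=2,
))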