Reviewed: https://review.openstack.org/321128 Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9e7f24c2353d107e448f4e8a0d926e3968c6673d Submitter: Jenkins Branch: master
commit 9e7f24c2353d107e448f4e8a0d926e3968c6673d Author: Rudolf Vriend <[email protected]> Date: Wed May 25 18:49:47 2016 +0200 Allow domain admins to list users in groups with v3 policy Domain admins (with a domain scoped token) could not list members of groups in their domain or groups of a user in their domain. This was due to 2 reasons: the v3 policy rule 'identity:list_groups_for_user' was not evaluating the user's domain and the identity controller method protections of 'list_users_in_group' and 'list_groups_for_user' were not providing the required targets for the rules. Change-Id: Ibf8442a2ceefc2bb0941bd5e7beba6c252b2ab36 Closes-Bug: #1433402 Closes-Bug: #1458994 ** Changed in: keystone Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1458994 Title: When logged in as a pure domain admin, cannot list users in a group Status in OpenStack Identity (keystone): Fix Released Bug description: When using domain scoped tokens, and trying to add users to a group, keystone throws the error {u'error': {u'code': 403, u'message': u'You are not authorized to perform the requested action: identity:list_users_in_group (Disable debug mode to suppress these details.)', u'title': u'Forbidden'}}.
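# To reproduce this bug you may use the following code:
import json
import os

import requests

# The original paste used these names without defining them; read them from
# the standard OpenStack RC environment variables. `.get` keeps import free of
# side effects; _post_auth() reports a missing OS_AUTH_URL explicitly.
OS_AUTH_URL = os.environ.get("OS_AUTH_URL")  # expected: <keystone>/v3/auth/tokens
OS_USERNAME = os.environ.get("OS_USERNAME")
OS_PASSWORD = os.environ.get("OS_PASSWORD")

# Endpoints exactly as used in the original paste. Plain HTTP: passwords and
# tokens cross the wire in the clear, so this is a throwaway lab setup only.
ADMIN_BASE = "http://192.168.27.100:35357/v3"
PUBLIC_BASE = "http://192.168.27.100:5000/v3"

JSON_HEADERS = {'Content-Type': 'application/json', 'Accept': 'application/json'}


def _auth_headers(token):
    """Return the JSON headers with *token* attached as X-Auth-Token."""
    headers = dict(JSON_HEADERS)
    headers['X-Auth-Token'] = token
    return headers


def _post_auth(payload):
    """POST an auth request to OS_AUTH_URL and return the issued token.

    Raises RuntimeError if OS_AUTH_URL is unset and requests.HTTPError on a
    non-2xx reply. The original indexed the X-Subject-Token header directly,
    so a failed authentication surfaced as an unhelpful KeyError.
    """
    if not OS_AUTH_URL:
        raise RuntimeError("OS_AUTH_URL is not set")
    r = requests.post(OS_AUTH_URL, data=json.dumps(payload), headers=JSON_HEADERS)
    r.raise_for_status()
    return r.headers['X-Subject-Token']


def _get_json(url, token, params=None):
    """GET *url* with *token* and return the decoded JSON body.

    Raises requests.HTTPError on a non-2xx reply instead of letting the
    caller fail on a missing key in an error body.
    """
    r = requests.get(url, params=params, headers=_auth_headers(token))
    r.raise_for_status()
    return r.json()


def get_unscoped_token(username, password, domain):
    """Authenticate *username* in *domain* by password; return an unscoped token."""
    payload = {'auth': {'identity': {'password': {'user': {'domain': {'name': domain},
                                                           'password': password,
                                                           'name': username}},
                                     'methods': ['password']}}}
    return _post_auth(payload)


def get_token_scoped_to_domain(unscoped_token, domain):
    """Exchange *unscoped_token* for a token scoped to the domain named *domain*."""
    payload = {"auth": {"scope": {"domain": {"name": domain}},
                        "identity": {"token": {"id": unscoped_token},
                                     "methods": ["token"]}}}
    return _post_auth(payload)


def get_token_scoped_to_project(unscoped_token, project):
    """Exchange *unscoped_token* for a token scoped to the project named *project*."""
    payload = {"auth": {"scope": {"project": {"name": project}},
                        "identity": {"token": {"id": unscoped_token},
                                     "methods": ["token"]}}}
    return _post_auth(payload)


def list_domains(token):
    """Return the domains visible to *token* (admin endpoint, port 35357)."""
    return _get_json(ADMIN_BASE + "/domains", token)["domains"]


def list_groups_for_domain(domain_id, token):
    """Return the groups belonging to *domain_id* (public endpoint, port 5000)."""
    # Passed as a query parameter so requests URL-encodes the id.
    return _get_json(PUBLIC_BASE + "/groups", token,
                     params={"domain_id": domain_id})["groups"]


def get_domain_named(domain_name, token):
    """Return the domain record whose name is *domain_name*.

    The original ignored *token* and used the module-level ``domain_token``,
    which only worked by accident of evaluation order.

    Raises LookupError if no such domain is visible to *token*.
    """
    match = next((d for d in list_domains(token) if d.get("name") == domain_name), None)
    if match is None:
        raise LookupError("no domain named %r" % domain_name)
    return match


def get_group_named_in_domain(group_name, domain_id, token):
    """Return the group in *domain_id* whose name is *group_name*.

    Raises LookupError if the group is not visible to *token*.
    """
    match = next((g for g in list_groups_for_domain(domain_id, token)
                  if g.get("name") == group_name), None)
    if match is None:
        raise LookupError("no group named %r in domain %s" % (group_name, domain_id))
    return match


def get_users_in_group_in_domain(group_id, domain_id, token):
    """Return the raw JSON reply for listing the users of *group_id*.

    Deliberately does not raise on HTTP errors: with a domain-scoped token the
    403 body for identity:list_users_in_group is the symptom this script
    demonstrates, so it is returned for inspection.
    """
    r = requests.get(ADMIN_BASE + "/groups/%s/users" % group_id,
                     params={"domain_id": domain_id},
                     headers=_auth_headers(token))
    return r.json()


if __name__ == "__main__":
    # Resolve the target domain with a token scoped to the "default" domain.
    unscoped_token = get_unscoped_token(OS_USERNAME, OS_PASSWORD, "default")
    domain_token = get_token_scoped_to_domain(unscoped_token, "default")
    nintendo_domain = get_domain_named("nintendo", domain_token)
    nintendo_id = nintendo_domain.get("id")

    # nintendo domain operations, as the domain admin "mario"
    unscoped_token = get_unscoped_token("mario", "pass", "nintendo")
    domain_token = get_token_scoped_to_domain(unscoped_token, "nintendo")
    # Listing groups succeeds for a domain admin (the original called this
    # twice and discarded both results).
    list_groups_for_domain(nintendo_id, domain_token)
    mygroup = get_group_named_in_domain("mygroup", nintendo_id, domain_token)
    # On the unfixed policy this prints the 403 error body for
    # identity:list_users_in_group; after the fix it prints the user list.
    print(get_users_in_group_in_domain(mygroup.get("id"), nintendo_id, domain_token))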

