Sample policy should allow user to validate and revoke own token
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Medium | Brant Knudson | |
Bug Description
The sample policy doesn't allow a non-admin user to validate or revoke their own token.
Steps to recreate:
0) Start with devstack
1) Get a token for a non-admin user
$ curl -i -H "Content-Type: application/json" -d '
{ "auth": {
    "identity": {
        "methods": ["password"],
        "password": {
            "user": {
                "name": "demo",
                "domain": { "id": "default" }
            }
        }
    },
    "scope": {
        "project": {
            "name": "demo",
            "domain": { "id": "default" }
        }
    }
  }
}' http://
$ TOKEN=e91bab6a5
2) Try to GET the token, authenticating with that same token, using v3:
$ curl -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://
{"error": {"message": "You are not authorized to perform the requested action: identity:
3) Try to validate (HEAD) the token, authenticating with that same token, using v3:
$ curl -I -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://
HTTP/1.1 403 Forbidden
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 185
Date: Fri, 13 Feb 2015 20:00:21 GMT
4) Try to GET the token, authenticating with that same token, using v2:
$ curl -H "X-Auth-Token: $TOKEN" http://
{"error": {"message": "You are not authorized to perform the requested action: identity:
5) Try to validate (HEAD) the token, authenticating with that same token, using v2:
$ curl -I -H "X-Auth-Token: $TOKEN" http://
HTTP/1.1 403 Forbidden
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 193
Date: Fri, 13 Feb 2015 20:11:49 GMT
6) Try to revoke (DELETE) the token, authenticating with that same token, using v3:
$ curl -X DELETE -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://
{"error": {"message": "You are not authorized to perform the requested action: identity:
7) Try to revoke (DELETE) the token, authenticating with that same token, using v2:
$ curl -X DELETE -H "X-Auth-Token: $TOKEN" http://
{"error": {"message": "You are not authorized to perform the requested action: admin_required (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}
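As an added illustration (not code from the bug report, nor keystone's own oslo.policy engine), the following small policy evaluator, constructed for this page, models why a rule of the form `rule:admin_required` rejects the non-admin `demo` user in every step above, and how an "admin or token subject" rule lets a user validate or revoke only a token that belongs to them while still denying access to other users' tokens. The rule names `token_subject` and `admin_or_token_subject`, the target attribute `target.token.user_id`, and the sample user ids are assumptions modelled on the style of keystone's policy.json, not copied from keystone.

```python
"""Toy oslo.policy-style evaluator (constructed example, not keystone code).

Supported rule atoms:
  "role:NAME"               caller holds role NAME
  "user_id:%(path.to.attr)s" caller's user_id equals the target attribute
  "rule:NAME"               reference to another named rule
  "a or b"                  disjunction of atoms
  ""                        always allowed
Unknown actions are denied (closed by default).
"""
import re

# Shape of the sample policy described in the bug: only admins may act on
# any token, so a user cannot validate or revoke even their own token.
SAMPLE_POLICY_BEFORE = {
    "admin_required": "role:admin",
    "identity:validate_token": "rule:admin_required",
    "identity:revoke_token": "rule:admin_required",
}

# Assumed fix: admin OR the subject of the token (the user it was issued to).
# Rule names and the target attribute name are assumptions, not keystone's.
POLICY_AFTER = {
    "admin_required": "role:admin",
    "token_subject": "user_id:%(target.token.user_id)s",
    "admin_or_token_subject": "rule:admin_required or rule:token_subject",
    "identity:validate_token": "rule:admin_or_token_subject",
    "identity:revoke_token": "rule:admin_or_token_subject",
}


def _lookup(target, dotted):
    """Resolve 'a.b.c' inside a nested dict; None if any step is missing."""
    value = target
    for part in dotted.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def _check_atom(atom, creds, target, policy, depth):
    atom = atom.strip()
    if atom == "":
        return True
    kind, _, rest = atom.partition(":")
    if kind == "rule":
        return enforce(policy, rest, creds, target, depth + 1)
    if kind == "role":
        return rest in creds.get("roles", [])
    m = re.fullmatch(r"%\((.+)\)s", rest)
    if m:
        # Compare a caller credential against an attribute of the target.
        expected = _lookup(target, m.group(1))
        return expected is not None and creds.get(kind) == expected
    return creds.get(kind) == rest


def enforce(policy, action, creds, target, depth=0):
    """Return True if creds may perform action on target under policy."""
    if depth > 10:
        raise RecursionError("rule nesting too deep")
    rule = policy.get(action)
    if rule is None:
        return False
    return any(_check_atom(a, creds, target, policy, depth)
               for a in rule.split(" or "))


def can_act_on_token(policy, action, caller, token_owner_id):
    """Model X-Auth-Token = caller, X-Subject-Token owned by token_owner_id."""
    creds = {"user_id": caller["user_id"], "roles": caller["roles"]}
    target = {"target": {"token": {"user_id": token_owner_id}}}
    return enforce(policy, action, creds, target)


if __name__ == "__main__":
    demo = {"user_id": "demo-uid", "roles": ["Member"]}     # constructed
    admin = {"user_id": "admin-uid", "roles": ["admin"]}    # constructed
    for name, pol in (("before", SAMPLE_POLICY_BEFORE), ("after", POLICY_AFTER)):
        for action in ("identity:validate_token", "identity:revoke_token"):
            print(name, action,
                  "demo on own token:", can_act_on_token(pol, action, demo, "demo-uid"),
                  "demo on admin token:", can_act_on_token(pol, action, demo, "admin-uid"),
                  "admin on demo token:", can_act_on_token(pol, action, admin, "demo-uid"))
```

The point of the `token_subject` atom is that the decision is bound to the subject token's owner, not merely to the caller being authenticated: a user gets 403 on anyone else's token exactly as before, and only the self-service case changes.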
Activity log:
- description: updated
- Changed in keystone: status: New → In Progress
- Changed in keystone: milestone: none → kilo-rc1
- Changed in keystone: importance: Undecided → Low; milestone: kilo-rc1 → none; tags: added kilo-rc-potential
- Changed in keystone: importance: Low → Medium; tags: removed kilo-rc-potential
- Changed in keystone: milestone: none → liberty-1; status: Fix Committed → Fix Released
- Changed in keystone: milestone: liberty-1 → 8.0.0
This looks similar to https://bugs.launchpad.net/keystone/+bug/1186059, but for some reason both policy files weren't updated.