Sample policy should allow user to validate and revoke own token

Bug #1421825 reported by Brant Knudson
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Brant Knudson

Bug Description

The sample policy doesn't allow a non-admin user to validate or revoke their own token.

Steps to recreate:

0) Start with devstack
1) Get a token for a non-admin user

$ curl -i -H "Content-Type: application/json" -d '
{ "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "name": "demo",
          "domain": { "id": "default" },
          "password": "demopwd"
        }
      }
    },
    "scope": {
      "project": {
        "name": "demo",
        "domain": { "id": "default" }
      }
    }
  }
}' http://localhost:35357/v3/auth/tokens ; echo

$ TOKEN=e91bab6a52e44e39ba7ca63b04bb717b

2) Try to get the token using the token using v3:

$ curl -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://localhost:35357/v3/auth/tokens
{"error": {"message": "You are not authorized to perform the requested action: identity:validate_token (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}

3) Try to validate the token using the token using v3:

$ curl -I -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://localhost:35357/v3/auth/tokens
HTTP/1.1 403 Forbidden
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 185
Date: Fri, 13 Feb 2015 20:00:21 GMT

4) Try to get the token using the token using v2:

$ curl -H "X-Auth-Token: $TOKEN" http://localhost:35357/v2.0/tokens/$TOKEN
{"error": {"message": "You are not authorized to perform the requested action: identity:validate_token (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}

5) Try to validate the token using the token using v2:

$ curl -I -H "X-Auth-Token: $TOKEN" http://localhost:35357/v2.0/tokens/$TOKEN
HTTP/1.1 403 Forbidden
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 193
Date: Fri, 13 Feb 2015 20:11:49 GMT

6) Try to revoke the token using the token using v3:

$ curl -X DELETE -H "X-Auth-Token: $TOKEN" -H "X-Subject-Token: $TOKEN" http://localhost:35357/v3/auth/tokens
{"error": {"message": "You are not authorized to perform the requested action: identity:revoke_token (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}

7) Try to revoke the token using the token using v2:

$ curl -X DELETE -H "X-Auth-Token: $TOKEN" http://localhost:35357/v2.0/tokens/$TOKEN
{"error": {"message": "You are not authorized to perform the requested action: admin_required (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}
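As an added example (not code from the bug report or from keystone itself), the following is a small Python evaluator for oslo.policy-style rule strings, run against two constructed sample policies: POLICY_BEFORE reproduces the shape that yields the 403s above (every token operation gated on admin_required), and POLICY_AFTER adds an owner rule that compares the caller's user_id with the subject token's user_id. The rule names (token_subject, admin_or_token_subject), the credential and target keys (user_id, roles, target.token.user_id) and the user ids are assumptions chosen for illustration, and the evaluator supports only the subset of the oslo.policy grammar it needs (or/and, rule:, role:, credential-versus-target comparison, @ and !).

```python
"""Added example, not keystone's own code: a small evaluator for
oslo.policy-style rule strings, enough to compare an admin-only sample
policy with an owner-aware one for the token operations in this bug.
Rule names, credential keys and target paths below are assumptions."""
import re

_TEMPLATE = re.compile(r"^%\(([\w.]+)\)s$")   # e.g. %(target.token.user_id)s


def _lookup(target, dotted):
    """Resolve a dotted path such as 'target.token.user_id' in nested dicts."""
    cur = target
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _atom(atom, rules, creds, target, depth):
    """Evaluate a single 'kind:value' check."""
    atom = atom.strip()
    if atom == "@":                      # always allow
        return True
    if atom == "!":                      # always deny
        return False
    kind, _, value = atom.partition(":")
    if kind == "rule":                   # reference to another named rule
        return _evaluate(rules.get(value, "!"), rules, creds, target, depth + 1)
    if kind == "role":                   # role carried by the caller's token
        return value in creds.get("roles", [])
    # Generic check: '<credential key>:<literal or %(target.path)s>'.
    m = _TEMPLATE.match(value)
    expected = _lookup(target, m.group(1)) if m else value
    if expected is None or kind not in creds:
        return False                     # missing target data -> deny
    return str(creds[kind]) == str(expected)


def _evaluate(rule_str, rules, creds, target, depth=0):
    """'and' binds tighter than 'or', as in oslo.policy; no parentheses."""
    if depth > 16:
        raise RecursionError("rule reference cycle in policy")
    return any(
        all(_atom(a, rules, creds, target, depth) for a in clause.split(" and "))
        for clause in rule_str.split(" or ")
    )


def enforce(policy, action, creds, target):
    """True if `creds` may perform `action` on `target`; unknown actions deny."""
    if action not in policy:
        return False
    return _evaluate(policy[action], policy, creds, target)


# Shape that produces the 403s in the report (simplified reconstruction,
# not the literal sample file): every token operation requires admin.
POLICY_BEFORE = {
    "admin_required": "role:admin",
    "identity:validate_token": "rule:admin_required",
    "identity:check_token": "rule:admin_required",
    "identity:revoke_token": "rule:admin_required",
}

# Owner-aware variant (assumed names): the caller may also act on a token
# whose subject user_id equals the caller's own user_id. The server fills
# target.token.user_id from the subject token it resolved, not from input.
POLICY_AFTER = {
    "admin_required": "role:admin",
    "token_subject": "user_id:%(target.token.user_id)s",
    "admin_or_token_subject": "rule:admin_required or rule:token_subject",
    "identity:validate_token": "rule:admin_or_token_subject",
    "identity:check_token": "rule:admin_or_token_subject",
    "identity:revoke_token": "rule:admin_or_token_subject",
}

TOKEN_ACTIONS = ("identity:validate_token", "identity:check_token",
                 "identity:revoke_token")

# Constructed credentials and targets; the ids are made up.
DEMO = {"user_id": "demo-uid", "roles": ["Member"]}
ADMIN = {"user_id": "admin-uid", "roles": ["admin"]}
OWN_TOKEN = {"target": {"token": {"user_id": "demo-uid"}}}
OTHER_TOKEN = {"target": {"token": {"user_id": "alice-uid"}}}


def decisions(policy, creds, target):
    """Allow/deny per token action, for side-by-side comparison."""
    return {a: enforce(policy, a, creds, target) for a in TOKEN_ACTIONS}


if __name__ == "__main__":
    for name, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(name, "demo/own token:  ", decisions(policy, DEMO, OWN_TOKEN))
        print(name, "demo/other token:", decisions(policy, DEMO, OTHER_TOKEN))
```

The security-relevant detail is where the target comes from: the server populates target.token.user_id from the subject token it has already resolved (the X-Subject-Token header on v3, the token in the URL on v2), so a caller cannot satisfy the owner rule by naming a user id in the request. A missing target and an unknown action both evaluate to deny rather than falling through to a permissive default.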

Brant Knudson (blk-u) wrote :

This looks similar to https://bugs.launchpad.net/keystone/+bug/1186059 , but for some reason both policy files weren't updated.

Changed in keystone:
assignee: nobody → Brant Knudson (blk-u)
Brant Knudson (blk-u)
description: updated
Brant Knudson (blk-u) wrote :

I'm not going to try to fix this for v2 since v2 is old and it's always worked that way.

Changed in keystone:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/160204

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/164848

Changed in keystone:
milestone: none → kilo-rc1
Guang Yee (guang-yee) wrote :

I don't know why users aren't allowed to validate or revoke their own token. I am guessing it was done for security purposes? Since UUID tokens are just opaque strings, whoever steals your token shouldn't be able to find out what the token can do by performing token validation. That at least prevents information disclosure.

However, the introduction of PKI tokens changed that line of thinking, whether that was intentional or not. Anyone who has access to the simple cert endpoints can retrieve the signing cert to validate the tokens.

I guess what I am trying to say is that we need to figure out a way to have the policies consistently applied, regardless of token provider.

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/160204
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d57e6e3d6547a731522794cc9eecc5cb2c9a6df4
Submitter: Jenkins
Branch: master

commit d57e6e3d6547a731522794cc9eecc5cb2c9a6df4
Author: Brant Knudson <email address hidden>
Date: Sun Mar 1 13:27:43 2015 -0600

    Add unit tests for sample policy token operations

    There were no unit tests that validated that a user could validate,
    check, or delete their own tokens using the 2 sample policy files.
    The tests show that in some cases the user or admin can't perform
    an operation as expected.

    Change-Id: I06e55cccbeea860d5eb3ff17a3ba87e0f2a95476
    Partial-Bug: 1421825

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/155916
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ec31fb69ed4ff03120fdd65968b6566c6ec1035d
Submitter: Jenkins
Branch: master

commit ec31fb69ed4ff03120fdd65968b6566c6ec1035d
Author: Brant Knudson <email address hidden>
Date: Mon Mar 16 14:47:26 2015 -0500

    Fix sample policy to allow user to revoke own token

    The sample policy file wouldn't allow a user to revoke their own
    token.

    Partial-Bug: 1421825
    Change-Id: Iaf9bcd4d083c91991d6bbd71c0e677123c5a86a2

Changed in keystone:
importance: Undecided → Low
milestone: kilo-rc1 → none
tags: added: kilo-rc-potential
Changed in keystone:
importance: Low → Medium
tags: removed: kilo-rc-potential
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/164848
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=680848613557a83d24bb99865f67c91a9433510d
Submitter: Jenkins
Branch: master

commit 680848613557a83d24bb99865f67c91a9433510d
Author: Brant Knudson <email address hidden>
Date: Sun Mar 1 13:27:43 2015 -0600

    Fix sample policy to allow user to check own token

    The sample policy file wouldn't allow a user to check their own
    token.

    Change-Id: I8853d2b8c5aabea03564a33df7daddb969fcd4b3
    Closes-Bug: 1421825

Changed in keystone:
status: In Progress → Fix Committed
Changed in keystone:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: liberty-1 → 8.0.0