Public bug reported:

Based on Nathan's blog on Restricting the abilities of Keystone tokens
(https://blog-nkinder.rhcloud.com/?p=101), experimented with domain scoped tokens.

Pre-req: User has admin privileges on two domains, Default and TestDomain.

Step 1: Generate unscoped token:

cat auth-unscoped.json
{
  "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "domain": {"name": "Default"},
          "name": "admin",
          "password": "secretadmin"
        }
      }
    }
  }
}

curl -i -X POST http://localhost:35357/v3/auth/tokens -d @auth-unscoped.json -H "Content-Type:application/json"

HTTP/1.1 201 Created
Date: Mon, 05 Oct 2015 20:48:46 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Subject-Token: 7b8dedc47a344378bba0c60d0d7a88fe
Vary: X-Auth-Token
x-openstack-request-id: req-e8e00db1-1875-47cf-96f8-b4504e095f78
Content-Length: 297
Content-Type: application/json

{"token": {"methods": ["password"], "expires_at": "2015-10-05T21:48:47.009323Z", "extras": {}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "audit_ids": ["7HNaW54JQdyiRq7asZGJ8Q"], "issued_at": "2015-10-05T20:48:47.009338Z"}}

Step 2: Generate domain scoped token, scoped to domain Default:

cat auth-token-default.json
{
  "auth": {
    "identity": {
      "methods": ["token"],
      "token": {"id": "7b8dedc47a344378bba0c60d0d7a88fe"}
    },
    "scope": {
      "domain": {"name": "default"}
    }
  }
}

curl -i -X POST http://localhost:35357/v3/auth/tokens -d @auth-token-default.json -H "Content-Type:application/json"

HTTP/1.1 201 Created
Date: Mon, 05 Oct 2015 20:31:34 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Subject-Token: cb4787308bbb4666aeaf2fb477a3c86f
Vary: X-Auth-Token
x-openstack-request-id: req-5a2ce99c-7ab8-4473-b641-b87d62cacedb
Content-Length: 1425
Content-Type: application/json

{"token": {"domain": {"id": "default", "name": "Default"}, "methods": ["token", "password"], "roles": [{"id": "1688449cf1df44839b10a41e3d9b09dd", "name": "admin"}], "expires_at": "2015-10-05T21:31:06.973530Z", "catalog": [{"endpoints": [{"region_id": "RegionOne", "url": "http://10.0.2.15:9311", "region": "RegionOne", "interface": "public", "id": "183c129076834ca8b4e1798810a32d6d"}, {"region_id": "RegionOne", "url": "http://10.0.2.15:9311", "region": "RegionOne", "interface": "internal", "id": "e1ea8f4d45904257b89bfd9d95518196"}], "type": "key-manager", "id": "6fc885769eba436294f9d886cc405c74", "name": "barbican"}, {"endpoints": [{"region_id": "RegionOne", "url": "http://10.0.2.15:5000/v2.0", "region": "RegionOne", "interface": "internal", "id": "961f5de3db964ca6894073e1bf256453"}, {"region_id": "RegionOne", "url": "http://10.0.2.15:5000/v2.0", "region": "RegionOne", "interface": "public", "id": "a0b19c290c124d4ab1efef1a89769149"}, {"region_id": "RegionOne", "url": "http://10.0.2.15:35357/v2.0", "region": "RegionOne", "interface": "admin", "id": "aab541336f1a410492a98b536037ca44"}], "type": "identity", "id": "957546d7177e43e7a922e132ca76cb68", "name": "keystone"}], "extras": {}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "audit_ids": ["VvQjBGgUQceA4DiSqk0acw", "-Sv17e8CRJqhSANxJy9_-w"], "issued_at": "2015-10-05T20:31:34.810853Z"}}

Step 3: Generate domain scoped token, scoped to TestDomain:

cat auth-token-testdomain.json
{
  "auth": {
    "identity": {
      "methods": ["token"],
      "token": {"id": "cb4787308bbb4666aeaf2fb477a3c86f"}
    },
    "scope": {
      "domain": {"name": "TestDomain"}
    }
  }
}

curl -i -X POST http://localhost:35357/v3/auth/tokens -d @auth-token-testdomain.json -H "Content-Type:application/json"

HTTP/1.1 201 Created
Date: Mon, 05 Oct 2015 20:35:18 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Subject-Token: 9b84d6a8894340e393a952ae2b366051
Vary: X-Auth-Token
x-openstack-request-id: req-745a90fe-92d0-425f-ac6b-8f8719e66dba
Content-Length: 1453
Content-Type: application/json

{"token": {"domain": {"id": "b841c341125f4f46844aee7a8a8cfd80", "name": "TestDomain"}, "methods": ["token", "password"], "roles": [{"id": "1688449cf1df44839b10a41e3d9b09dd", "name": "admin"}], "expires_at": "2015-10-05T21:31:06.973530Z", "catalog": [{"endpoints": [{"region_id": "RegionOne", "url": "http://10.0.2.15:9311", "region": "RegionOne", "interface": "public", "id": "183c129076834ca8b4e1798810a32d6d"}, {"region_id": "RegionOne", "url": "http://10.0.2.15:9311", "region": "RegionOne", "interface": "internal", "id": "e1ea8f4d45904257b89bfd9d95518196"}], "type": "key-manager", "id": "6fc885769eba436294f9d886cc405c74", "name": "barbican"}, {"endpoints": [{"region_id": "RegionOne", "url": "http://10.0.2.15:5000/v2.0", "region": "RegionOne", "interface": "internal", "id": "961f5de3db964ca6894073e1bf256453"}, {"region_id": "RegionOne", "url": "http://10.0.2.15:5000/v2.0", "region": "RegionOne", "interface": "public", "id": "a0b19c290c124d4ab1efef1a89769149"}, {"region_id": "RegionOne", "url": "http://10.0.2.15:35357/v2.0", "region": "RegionOne", "interface": "admin", "id": "aab541336f1a410492a98b536037ca44"}], "type": "identity", "id": "957546d7177e43e7a922e132ca76cb68", "name": "keystone"}], "extras": {}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "audit_ids": ["Ox3i-EzETI-kAj92reqfHg", "-Sv17e8CRJqhSANxJy9_-w"], "issued_at": "2015-10-05T20:35:18.093521Z"}}

This demonstrates that a user can generate a token scoped to a domain and, using that token, generate a token scoped to a different domain without explicitly providing his credentials.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1503041

Title:
  Token scoped to a domain can generate token scoped to different domain

Status in Keystone:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1503041/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
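A client- or log-side check for the behaviour the report demonstrates, added here as an example; it is not part of the bug report and not Keystone code. It relies on two properties visible in the responses above: a v3 token body carries `audit_ids`, where the first entry identifies the token itself and the second, present only on tokens obtained from another token, identifies the token the chain started from; and a rescoped token keeps the original `expires_at` (steps 2 and 3 both expire at 21:31:06). Grouping token responses by chain id therefore exposes any chain that holds tokens scoped to two different domains, which can only arise from the token-method rescoping shown in step 3, since only the chain root was issued against real credentials. The sample input is the three responses from the report with the service catalog trimmed; `find_cross_scope_chains` and the other function names are this example's own. One caveat the check makes visible: the step 1 token's audit id (7HNaW54JQdyiRq7asZGJ8Q) is not the chain id carried by the step 2 and step 3 tokens (-Sv17e8CRJqhSANxJy9_-w), so the pasted unscoped token is placed in a chain of its own; the domain-to-domain rescope still shows up in the other chain. On the server side, the knob that governs this is Keystone's `[token] allow_rescope_scoped_token` option, which defaults to true; setting it to false prevents a scoped token from being exchanged for any other token.

```python
from collections import defaultdict

# Constructed sample input: the three token bodies returned in the bug
# report above (step 1 unscoped, step 2 scoped to Default, step 3 scoped
# to TestDomain), with the service catalog removed since it is not needed.
ADMIN = {"domain": {"id": "default", "name": "Default"},
         "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}
ADMIN_ROLE = [{"id": "1688449cf1df44839b10a41e3d9b09dd", "name": "admin"}]

TOKEN_RESPONSES = [
    {"token": {"methods": ["password"], "extras": {}, "user": ADMIN,
               "expires_at": "2015-10-05T21:48:47.009323Z",
               "issued_at": "2015-10-05T20:48:47.009338Z",
               "audit_ids": ["7HNaW54JQdyiRq7asZGJ8Q"]}},
    {"token": {"domain": {"id": "default", "name": "Default"},
               "methods": ["token", "password"], "roles": ADMIN_ROLE,
               "extras": {}, "user": ADMIN,
               "expires_at": "2015-10-05T21:31:06.973530Z",
               "issued_at": "2015-10-05T20:31:34.810853Z",
               "audit_ids": ["VvQjBGgUQceA4DiSqk0acw", "-Sv17e8CRJqhSANxJy9_-w"]}},
    {"token": {"domain": {"id": "b841c341125f4f46844aee7a8a8cfd80", "name": "TestDomain"},
               "methods": ["token", "password"], "roles": ADMIN_ROLE,
               "extras": {}, "user": ADMIN,
               "expires_at": "2015-10-05T21:31:06.973530Z",
               "issued_at": "2015-10-05T20:35:18.093521Z",
               "audit_ids": ["Ox3i-EzETI-kAj92reqfHg", "-Sv17e8CRJqhSANxJy9_-w"]}},
]


def scope_of(token):
    """Hashable scope of a v3 token body: a domain-scoped token carries a
    "domain" key, a project-scoped one a "project" key, an unscoped one neither."""
    if "domain" in token:
        return ("domain", token["domain"]["id"])
    if "project" in token:
        return ("project", token["project"]["id"])
    return ("unscoped", None)


def chain_id(token):
    """audit_ids[0] is the token's own audit id; audit_ids[1], present only on
    tokens obtained from another token, is the audit id of the chain's root."""
    ids = token["audit_ids"]
    return ids[1] if len(ids) > 1 else ids[0]


def group_by_chain(responses):
    """Map chain id -> list of token bodies that belong to that chain."""
    chains = defaultdict(list)
    for body in responses:
        chains[chain_id(body["token"])].append(body["token"])
    return dict(chains)


def find_cross_scope_chains(responses):
    """Return {chain_id: sorted distinct scopes} for every chain holding tokens
    with more than one distinct domain or project scope.  Only the chain root
    was obtained with real credentials, so such a chain means a scoped token
    was exchanged for a token with a different scope."""
    findings = {}
    for cid, tokens in group_by_chain(responses).items():
        scoped = {scope_of(t) for t in tokens if scope_of(t)[0] != "unscoped"}
        if len(scoped) > 1:
            findings[cid] = sorted(scoped)
    return findings


def chains_with_extended_expiry(responses):
    """Chain ids whose members do not all share one expires_at.  Keystone copies
    the original expiry onto a rescoped token, so differing values within a
    chain would mean a rescope also extended the token lifetime."""
    return sorted(cid for cid, tokens in group_by_chain(responses).items()
                  if len({t["expires_at"] for t in tokens}) > 1)


if __name__ == "__main__":
    for cid, scopes in find_cross_scope_chains(TOKEN_RESPONSES).items():
        print("chain %s rescoped across scopes: %s" % (cid, scopes))
    print("chains with extended expiry:",
          chains_with_extended_expiry(TOKEN_RESPONSES))
```

Run against the report's own responses, the script reports one chain (-Sv17e8CRJqhSANxJy9_-w) with both the Default and the TestDomain domain scope, and no chain with an extended expiry. Feeding it the token bodies that keystonemiddleware or an audit pipeline sees would flag the same pattern in production traffic.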