Public bug reported: When using domain scoped tokens, and trying to add users to a group, keystone throws the error {u'error': {u'code': 403, u'message': u'You are not authorized to perform the requested action: identity:list_users_in_group (Disable debug mode to suppress these details.)', u'title': u'Forbidden'}}.
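To reproduce this bug you may use the following code:
import json
import os

import requests

# OS_AUTH_URL, OS_USERNAME and OS_PASSWORD are used but never defined in the
# report; read them from the usual openrc environment variables. The auth
# payload is POSTed straight to OS_AUTH_URL, so it must be the full token
# endpoint (the .../v3/auth/tokens URL), not just the service root.
OS_AUTH_URL = os.environ.get("OS_AUTH_URL")
OS_USERNAME = os.environ.get("OS_USERNAME")
OS_PASSWORD = os.environ.get("OS_PASSWORD")

# Host and ports exactly as used in the original report: 35357 for the domain
# list and group membership, 5000 for the group list.
KEYSTONE_HOST = "192.168.27.100"
KEYSTONE_V3_35357 = "http://%s:35357/v3" % KEYSTONE_HOST
KEYSTONE_V3_5000 = "http://%s:5000/v3" % KEYSTONE_HOST

JSON_HEADERS = {'Content-Type': 'application/json', 'Accept': 'application/json'}


def _auth_headers(token):
    """Return the JSON headers plus an X-Auth-Token header carrying *token*."""
    headers = dict(JSON_HEADERS)
    headers['X-Auth-Token'] = token
    return headers


def _post_auth(payload):
    """POST *payload* to OS_AUTH_URL and return the token Keystone issued.

    Raises requests.HTTPError on a non-2xx reply; the original instead died
    with a KeyError because an error reply carries no X-Subject-Token header.
    The returned value is a bearer credential, so do not print or log it.
    """
    r = requests.post(OS_AUTH_URL, data=json.dumps(payload), headers=JSON_HEADERS)
    r.raise_for_status()
    return r.headers['X-Subject-Token']


def get_unscoped_token(username, password, domain):
    """Authenticate *username*/*password* in *domain* and return an unscoped token."""
    payload = {'auth': {'identity': {'password': {'user': {'domain': {'name': domain},
                                                           'password': password,
                                                           'name': username}},
                                     'methods': ['password']}}}
    return _post_auth(payload)


def get_token_scoped_to_domain(unscoped_token, domain):
    """Exchange *unscoped_token* for a token scoped to the domain named *domain*."""
    payload = {"auth": {"scope": {"domain": {"name": domain}},
                        "identity": {"token": {"id": unscoped_token},
                                     "methods": ["token"]}}}
    return _post_auth(payload)


def get_token_scoped_to_project(unscoped_token, project):
    """Exchange *unscoped_token* for a token scoped to the project named *project*."""
    payload = {"auth": {"scope": {"project": {"name": project}},
                        "identity": {"token": {"id": unscoped_token},
                                     "methods": ["token"]}}}
    return _post_auth(payload)


def list_domains(token):
    """Return the domains visible to *token* (GET /v3/domains on port 35357).

    Raises requests.HTTPError on a non-2xx reply instead of the KeyError the
    original raised when the error body had no "domains" key.
    """
    r = requests.get(KEYSTONE_V3_35357 + "/domains", headers=_auth_headers(token))
    r.raise_for_status()
    return r.json()["domains"]


def list_groups_for_domain(domain_id, token):
    """Return the groups of domain *domain_id* visible to *token* (port 5000)."""
    # params= URL-encodes the id; the original interpolated it raw into the query.
    r = requests.get(KEYSTONE_V3_5000 + "/groups",
                     params={"domain_id": domain_id}, headers=_auth_headers(token))
    r.raise_for_status()
    return r.json()["groups"]


def _find_named(items, name, kind):
    """Return the first dict in *items* whose "name" equals *name*.

    Raises LookupError naming *kind* and *name* when nothing matches, instead
    of the bare StopIteration the original's next() produced.
    """
    for item in items:
        if item.get("name") == name:
            return item
    raise LookupError("no %s named %r" % (kind, name))


def get_domain_named(domain_name, token):
    """Return the domain dict named *domain_name*, looked up with *token*.

    The original called list_domains with the module-level ``domain_token``
    instead of the *token* argument and only worked by accident.
    """
    return _find_named(list_domains(token), domain_name, "domain")


def get_group_named_in_domain(group_name, domain_id, token):
    """Return the group dict named *group_name* inside domain *domain_id*."""
    return _find_named(list_groups_for_domain(domain_id, token), group_name, "group")


def get_users_in_group_in_domain(group_id, domain_id, token):
    """Return the decoded body of GET /v3/groups/{group_id}/users?domain_id=...

    No status check here on purpose: the 403 error document is exactly what
    this reproduction is meant to surface, so it is returned as-is.
    """
    r = requests.get(KEYSTONE_V3_35357 + "/groups/%s/users" % group_id,
                     params={"domain_id": domain_id}, headers=_auth_headers(token))
    return r.json()


def main():
    """Run the reproduction and print the reply of the failing call."""
    if not (OS_AUTH_URL and OS_USERNAME and OS_PASSWORD):
        raise SystemExit("OS_AUTH_URL, OS_USERNAME and OS_PASSWORD must be set")

    # A user of the "default" domain is only needed to resolve the "nintendo"
    # domain id; the rest of the script runs as the domain user.
    unscoped_token = get_unscoped_token(OS_USERNAME, OS_PASSWORD, "default")
    domain_token = get_token_scoped_to_domain(unscoped_token, "default")
    nintendo_domain = get_domain_named("nintendo", domain_token)

    # nintendo domain operations
    unscoped_token = get_unscoped_token("mario", "pass", "nintendo")
    domain_token = get_token_scoped_to_domain(unscoped_token, "nintendo")
    mygroup = get_group_named_in_domain("mygroup", nintendo_domain["id"], domain_token)
    # With a domain-scoped token this is the call the report shows being
    # rejected with 403 identity:list_users_in_group.
    print(get_users_in_group_in_domain(mygroup["id"], nintendo_domain["id"], domain_token))


if __name__ == "__main__":
    main()

** Affects: keystone
Importance: Undecided
Status: New
-- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1458994
Title: When logged in as a pure domain admin, cannot list users in a group
Status in OpenStack Identity (Keystone): New
Bug description: When using domain scoped tokens, and trying to add users to a group , keystone throws the error {u'error': {u'code': 403, u'message': u'You are not authorized to perform the requested action: identity:list_users_in_group (Disable debug mode to suppress these details.)', u'title': u'Forbidden'}}.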
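To reproduce this bug you may use the following code:
import json
import os

import requests

# OS_AUTH_URL, OS_USERNAME and OS_PASSWORD are used but never defined in the
# report; read them from the usual openrc environment variables. The auth
# payload is POSTed straight to OS_AUTH_URL, so it must be the full token
# endpoint (the .../v3/auth/tokens URL), not just the service root.
OS_AUTH_URL = os.environ.get("OS_AUTH_URL")
OS_USERNAME = os.environ.get("OS_USERNAME")
OS_PASSWORD = os.environ.get("OS_PASSWORD")

# Host and ports exactly as used in the original report: 35357 for the domain
# list and group membership, 5000 for the group list.
KEYSTONE_HOST = "192.168.27.100"
KEYSTONE_V3_35357 = "http://%s:35357/v3" % KEYSTONE_HOST
KEYSTONE_V3_5000 = "http://%s:5000/v3" % KEYSTONE_HOST

JSON_HEADERS = {'Content-Type': 'application/json', 'Accept': 'application/json'}


def _auth_headers(token):
    """Return the JSON headers plus an X-Auth-Token header carrying *token*."""
    headers = dict(JSON_HEADERS)
    headers['X-Auth-Token'] = token
    return headers


def _post_auth(payload):
    """POST *payload* to OS_AUTH_URL and return the token Keystone issued.

    Raises requests.HTTPError on a non-2xx reply; the original instead died
    with a KeyError because an error reply carries no X-Subject-Token header.
    The returned value is a bearer credential, so do not print or log it.
    """
    r = requests.post(OS_AUTH_URL, data=json.dumps(payload), headers=JSON_HEADERS)
    r.raise_for_status()
    return r.headers['X-Subject-Token']


def get_unscoped_token(username, password, domain):
    """Authenticate *username*/*password* in *domain* and return an unscoped token."""
    payload = {'auth': {'identity': {'password': {'user': {'domain': {'name': domain},
                                                           'password': password,
                                                           'name': username}},
                                     'methods': ['password']}}}
    return _post_auth(payload)


def get_token_scoped_to_domain(unscoped_token, domain):
    """Exchange *unscoped_token* for a token scoped to the domain named *domain*."""
    payload = {"auth": {"scope": {"domain": {"name": domain}},
                        "identity": {"token": {"id": unscoped_token},
                                     "methods": ["token"]}}}
    return _post_auth(payload)


def get_token_scoped_to_project(unscoped_token, project):
    """Exchange *unscoped_token* for a token scoped to the project named *project*."""
    payload = {"auth": {"scope": {"project": {"name": project}},
                        "identity": {"token": {"id": unscoped_token},
                                     "methods": ["token"]}}}
    return _post_auth(payload)


def list_domains(token):
    """Return the domains visible to *token* (GET /v3/domains on port 35357).

    Raises requests.HTTPError on a non-2xx reply instead of the KeyError the
    original raised when the error body had no "domains" key.
    """
    r = requests.get(KEYSTONE_V3_35357 + "/domains", headers=_auth_headers(token))
    r.raise_for_status()
    return r.json()["domains"]


def list_groups_for_domain(domain_id, token):
    """Return the groups of domain *domain_id* visible to *token* (port 5000)."""
    # params= URL-encodes the id; the original interpolated it raw into the query.
    r = requests.get(KEYSTONE_V3_5000 + "/groups",
                     params={"domain_id": domain_id}, headers=_auth_headers(token))
    r.raise_for_status()
    return r.json()["groups"]


def _find_named(items, name, kind):
    """Return the first dict in *items* whose "name" equals *name*.

    Raises LookupError naming *kind* and *name* when nothing matches, instead
    of the bare StopIteration the original's next() produced.
    """
    for item in items:
        if item.get("name") == name:
            return item
    raise LookupError("no %s named %r" % (kind, name))


def get_domain_named(domain_name, token):
    """Return the domain dict named *domain_name*, looked up with *token*.

    The original called list_domains with the module-level ``domain_token``
    instead of the *token* argument and only worked by accident.
    """
    return _find_named(list_domains(token), domain_name, "domain")


def get_group_named_in_domain(group_name, domain_id, token):
    """Return the group dict named *group_name* inside domain *domain_id*."""
    return _find_named(list_groups_for_domain(domain_id, token), group_name, "group")


def get_users_in_group_in_domain(group_id, domain_id, token):
    """Return the decoded body of GET /v3/groups/{group_id}/users?domain_id=...

    No status check here on purpose: the 403 error document is exactly what
    this reproduction is meant to surface, so it is returned as-is.
    """
    r = requests.get(KEYSTONE_V3_35357 + "/groups/%s/users" % group_id,
                     params={"domain_id": domain_id}, headers=_auth_headers(token))
    return r.json()


def main():
    """Run the reproduction and print the reply of the failing call."""
    if not (OS_AUTH_URL and OS_USERNAME and OS_PASSWORD):
        raise SystemExit("OS_AUTH_URL, OS_USERNAME and OS_PASSWORD must be set")

    # A user of the "default" domain is only needed to resolve the "nintendo"
    # domain id; the rest of the script runs as the domain user.
    unscoped_token = get_unscoped_token(OS_USERNAME, OS_PASSWORD, "default")
    domain_token = get_token_scoped_to_domain(unscoped_token, "default")
    nintendo_domain = get_domain_named("nintendo", domain_token)

    # nintendo domain operations
    unscoped_token = get_unscoped_token("mario", "pass", "nintendo")
    domain_token = get_token_scoped_to_domain(unscoped_token, "nintendo")
    mygroup = get_group_named_in_domain("mygroup", nintendo_domain["id"], domain_token)
    # With a domain-scoped token this is the call the report shows being
    # rejected with 403 identity:list_users_in_group.
    print(get_users_in_group_in_domain(mygroup["id"], nintendo_domain["id"], domain_token))


if __name__ == "__main__":
    main()

To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1458994/+subscriptions
-- Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp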