russel - description is good, run with it.

** Description changed:

  Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't
- validate token
+ validate the authentication token before returning a response.
- we can get the same result without a token in HTTP head.
+ i.e. we can get the same result without a token in HTTP head.

  Eg:

  without a token

  jason@ubuntu:~/project/keystone$ curl http://0.0.0.0:35357/v2.0/tenants/1f73672bf2184a909abc8fe67e7a537d/users/b84f6dbb6d7b4130a8a9e9298ec96164/roles | python -m json.tool
-   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
-                                  Dload  Upload   Total   Spent    Left  Speed
+   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                  Dload  Upload   Total   Spent    Left  Speed
  100    72  100    72    0     0    308      0 --:--:-- --:--:-- --:--:--   346
  {
-     "roles": [
-         {
-             "id": "06906f69ffd44ad0b9fc86d1c3d1bcbd",
-             "name": "admin"
-         }
-     ]
+     "roles": [
+         {
+             "id": "06906f69ffd44ad0b9fc86d1c3d1bcbd",
+             "name": "admin"
+         }
+     ]
  }

  with token

  jason@ubuntu:~/project/keystone$ curl -H "X-Auth-Token:ecab59a3f4e2468b9934c24f8660a809" http://0.0.0.0:35357/v2.0/tenants/1f73672bf2184a909abc8fe67e7a537d/users/b84f6dbb6d7b4130a8a9e9298ec96164/roles | python -m json.tool
-   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
-                                  Dload  Upload   Total   Spent    Left  Speed
+   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                  Dload  Upload   Total   Spent    Left  Speed
  100    72  100    72    0     0    242      0 --:--:-- --:--:-- --:--:--   270
  {
-     "roles": [
-         {
-             "id": "06906f69ffd44ad0b9fc86d1c3d1bcbd",
-             "name": "admin"
-         }
-     ]
+     "roles": [
+         {
+             "id": "06906f69ffd44ad0b9fc86d1c3d1bcbd",
+             "name": "admin"
+         }
+     ]
  }

- What we expect:

  without a token

  jason@ubuntu:~/project/keystone$ curl http://0.0.0.0:35357/v2.0/tenants/1f73672bf2184a909abc8fe67e7a537d/users/b84f6dbb6d7b4130a8a9e9298ec96164/roles | python -m json.tool
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
-                                  Dload  Upload   Total   Spent    Left  Speed
+                                  Dload  Upload   Total   Spent    Left  Speed
  100   116  100   116    0     0    848      0 --:--:-- --:--:-- --:--:--  1026
  {
-     "error": {
-         "code": 401,
-         "message": "The request you have made requires authentication.",
-         "title": "Not Authorized"
-     }
+     "error": {
+         "code": 401,
+         "message": "The request you have made requires authentication.",
+         "title": "Not Authorized"
+     }
  }

- Attached is a diff of the changes.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to keystone in Ubuntu.
https://bugs.launchpad.net/bugs/1006815

Title:
  Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't
  validate token

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
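As an added illustration (not code from keystone or from this bug thread), a small Python model of the reported route: the unchecked handler hands back the role list whether or not X-Auth-Token is present, the checked handler validates the token first and returns the 401 body shown under "What we expect", and regression_check() is the assertion a test suite would carry for this route. The token, tenant, user and role ids are constructed from the values quoted in the report, not live data.

```python
# Constructed sample state (not a real keystone backend): one valid admin
# token and one role assignment, using the ids quoted in the bug report.
VALID_TOKENS = {"ecab59a3f4e2468b9934c24f8660a809"}
ROLE_ASSIGNMENTS = {
    ("1f73672bf2184a909abc8fe67e7a537d", "b84f6dbb6d7b4130a8a9e9298ec96164"):
        [{"id": "06906f69ffd44ad0b9fc86d1c3d1bcbd", "name": "admin"}],
}
UNAUTHORIZED = {"error": {
    "code": 401,
    "message": "The request you have made requires authentication.",
    "title": "Not Authorized",
}}


def get_user_roles_unchecked(headers, tenant_id, user_id):
    """Reported behaviour: the token header is never consulted, so anyone
    who can reach the admin port reads the role assignment."""
    roles = ROLE_ASSIGNMENTS.get((tenant_id, user_id), [])
    return 200, {"roles": roles}


def get_user_roles_checked(headers, tenant_id, user_id):
    """Expected behaviour: validate the token before touching any data.
    A missing or unknown token gets the 401 body and nothing else."""
    token = headers.get("X-Auth-Token")
    if token is None or token not in VALID_TOKENS:
        return 401, UNAUTHORIZED
    roles = ROLE_ASSIGNMENTS.get((tenant_id, user_id), [])
    return 200, {"roles": roles}


def regression_check(handler):
    """True only if `handler` answers a missing token and a bogus token
    with the 401 body and still serves the real admin token."""
    tenant = "1f73672bf2184a909abc8fe67e7a537d"
    user = "b84f6dbb6d7b4130a8a9e9298ec96164"
    no_token = handler({}, tenant, user)
    bad_token = handler({"X-Auth-Token": "0" * 32}, tenant, user)  # constructed
    good_token = handler({"X-Auth-Token": next(iter(VALID_TOKENS))}, tenant, user)
    rejected = all(status == 401 and body == UNAUTHORIZED
                   for status, body in (no_token, bad_token))
    served = good_token[0] == 200 and good_token[1]["roles"][0]["name"] == "admin"
    return rejected and served


if __name__ == "__main__":
    for h in (get_user_roles_unchecked, get_user_roles_checked):
        verdict = "OK" if regression_check(h) else "FAILS: serves roles without a valid token"
        print(h.__name__, verdict)
```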