** Changed in: keystone/kilo
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1483382

Title:
  Able to request a V2 token for user and project in a non-default
  domain

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) kilo series:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Using the latest devstack, I am able to request a V2 token for user
  and project in a non-default domain. This is problematic as
  non-default domains are not supposed to be visible to V2 APIs.

  Steps to reproduce:

  1) install devstack

  2) run these commands

  gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin --os-password secrete --os-user-domain-id default --os-project-name admin --os-project-domain-id default --os-auth-url http://localhost:5000 domain list
  +----------------------------------+---------+---------+----------------------------------------------------------------------+
  | ID                               | Name    | Enabled | Description                                                          |
  +----------------------------------+---------+---------+----------------------------------------------------------------------+
  | 769ad7730e0c4498b628aa8dc00e831f | foo     | True    |                                                                      |
  | default                          | Default | True    | Owns users and tenants (i.e. projects) available on Identity API v2. |
  +----------------------------------+---------+---------+----------------------------------------------------------------------+

  gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin --os-password secrete --os-user-domain-id default --os-project-name admin --os-project-domain-id default --os-auth-url http://localhost:5000 user list --domain 769ad7730e0c4498b628aa8dc00e831f
  +----------------------------------+------+
  | ID                               | Name |
  +----------------------------------+------+
  | cf0aa0b2d5db4d67a94d1df234c338e5 | bar  |
  +----------------------------------+------+

  gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin --os-password secrete --os-user-domain-id default --os-project-name admin --os-project-domain-id default --os-auth-url http://localhost:5000 project list --domain 769ad7730e0c4498b628aa8dc00e831f
  +----------------------------------+-------------+
  | ID                               | Name        |
  +----------------------------------+-------------+
  | 413abdbfef5544e2a5f3e8ac6124dd29 | foo-project |
  +----------------------------------+-------------+

  gyee@dev:~$ curl -k -H 'Content-Type: application/json' -d '{"auth": {"passwordCredentials": {"userId": "cf0aa0b2d5db4d67a94d1df234c338e5", "password": "secrete"}, "tenantId": "413abdbfef5544e2a5f3e8ac6124dd29"}}' -XPOST http://localhost:35357/v2.0/tokens | python -mjson.tool
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100  3006  100  2854  100   152  22164   1180 --:--:-- --:--:-- --:--:-- 22472
  {
      "access": {
          "metadata": {
              "is_admin": 0,
              "roles": [
                  "2b7f29ebd1c8453fb91e9cd7c2e1319b",
                  "9fe2ff9ee4384b1894a90878d3e92bab"
              ]
          },
          "serviceCatalog": [
              {
                  "endpoints": [
                      {
                          "adminURL": "http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29",
                          "id": "3a92a79a21fb41379fa3e135be65eeff",
                          "internalURL": "http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29",
                          "publicURL": "http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29",
                          "region": "RegionOne"
                      }
                  ],
                  "endpoints_links": [],
                  "name": "nova",
                  "type": "compute"
              },
              {
                  "endpoints": [
                      {
                          "adminURL": "http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29",
                          "id": "64338d9eb3054598bcee30443c678e2a",
                          "internalURL": "http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29",
                          "publicURL": "http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29",
                          "region": "RegionOne"
                      }
                  ],
                  "endpoints_links": [],
                  "name": "cinderv2",
                  "type": "volumev2"
              },
              {
                  "endpoints": [
                      {
                          "adminURL": "http://10.0.2.15:9292",
                          "id": "9216dc36806f492ead2fc58f88dfc50c",
                          "internalURL": "http://10.0.2.15:9292",
                          "publicURL": "http://10.0.2.15:9292",
                          "region": "RegionOne"
                      }
                  ],
                  "endpoints_links": [],
                  "name": "glance",
                  "type": "image"
              },
              {
                  "endpoints": [
                      {
                          "adminURL": "http://10.0.2.15:8776/v1/413abdbfef5544e2a5f3e8ac6124dd29",
                          "id": "8163d3afe8144cc0ad701d8065a80f12",
                          "internalURL": "http://10.0.2.15:8776/v1/413abdbfef5544e2a5f3e8ac6124dd29",
                          "publicURL": "http://10.0.2.15:8776/v1/413abdbfef5544e2a5f3e8ac6124dd29",
                          "region": "RegionOne"
                      }
                  ],
                  "endpoints_links": [],
                  "name": "cinder",
                  "type": "volume"
              },
              {
                  "endpoints": [
                      {
                          "adminURL": "http://10.0.2.15:8773/",
                          "id": "1ae28abbafa040ebaba1a5930cd23b96",
                          "internalURL": "http://10.0.2.15:8773/",
                          "publicURL": "http://10.0.2.15:8773/",
                          "region": "RegionOne"
                      }
                  ],
                  "endpoints_links": [],
                  "name": "ec2",
                  "type": "ec2"
              },
              {
                  "endpoints": [
                      {
                          "adminURL": "http://10.0.2.15:8774/v2.1/413abdbfef5544e2a5f3e8ac6124dd29",
                          "id": "359f261d83a04ab7a66c804760aed0bf",
                          "internalURL": "http://10.0.2.15:8774/v2.1/413abdbfef5544e2a5f3e8ac6124dd29",
                          "publicURL": "http://10.0.2.15:8774/v2.1/413abdbfef5544e2a5f3e8ac6124dd29",
                          "region": "RegionOne"
                      }
                  ],
                  "endpoints_links": [],
                  "name": "novav21",
                  "type": "computev21"
              },
              {
                  "endpoints": [
                      {
                          "adminURL": "http://10.0.2.15:35357/v2.0",
                          "id": "1ced0d5e8f7943f7b821340e2a4ac273",
                          "internalURL": "http://10.0.2.15:5000/v2.0",
                          "publicURL": "http://10.0.2.15:5000/v2.0",
                          "region": "RegionOne"
                      }
                  ],
                  "endpoints_links": [],
                  "name": "keystone",
                  "type": "identity"
              }
          ],
          "token": {
              "audit_ids": [
                  "fSQJJ2EnSC2pgeAbiEP3Rw"
              ],
              "expires": "2015-08-10T20:03:46Z",
              "id": "d68f365a9bb143008bd70be89ee0791a",
              "issued_at": "2015-08-10T19:03:46.542447",
              "tenant": {
                  "description": "",
                  "enabled": true,
                  "id": "413abdbfef5544e2a5f3e8ac6124dd29",
                  "name": "foo-project"
              }
          },
          "user": {
              "id": "cf0aa0b2d5db4d67a94d1df234c338e5",
              "name": "bar",
              "roles": [
                  {
                      "name": "admin"
                  },
                  {
                      "name": "_member_"
                  }
              ],
              "roles_links": [],
              "username": "bar"
          }
      }
  }