HTTP 403 Returned when trying to get preferred CA

Bug #1496821 reported by Dave McCowan
This bug affects 1 person
Affects  | Status       | Importance | Assigned to  | Milestone
Barbican | Fix Released | High       | Dave McCowan |

Bug Description

According to policy, all users should be able to get their preferred CA.

$ curl -H 'content-type:application/json' -H "X-Auth-Token:$TOKEN" http://localhost:9311/v1/cas ; echo
{"cas": ["http://localhost:9311/v1/cas/23f269d1-2def-4ec7-8036-3b29c138ef45", "http://localhost:9311/v1/cas/2d7041bc-bbd1-468e-9bc5-666d57347cb3"], "total": 2}

$ curl -H 'content-type:application/json' -H "X-Auth-Token:$TOKEN" http://localhost:9311/v1/cas/preferred ; echo
{"code": 403, "description": "Retrieve project preferred CA attempt not allowed - please review your user/project privileges", "title": "Forbidden"}

Changed in barbican:
status: New → In Progress
assignee: nobody → Dave McCowan (dave-mccowan)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to barbican (master)

Fix proposed to branch: master
Review: https://review.openstack.org/224963

Changed in barbican:
importance: Undecided → High
milestone: none → liberty-rc1
OpenStack Infra (hudson-openstack) wrote : Fix merged to barbican (master)

Reviewed: https://review.openstack.org/224963
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=5a245f6def02e68ab00b1627815400950762a9ae
Submitter: Jenkins
Branch: master

commit 5a245f6def02e68ab00b1627815400950762a9ae
Author: Dave McCowan <email address hidden>
Date: Thu Sep 17 22:05:42 2015 -0400

    Clean up CAs Policy Rules

    A few policy rule names did not match between the decorators and the
    policy.json file. This commit fixes those.

    Also, I changed the permissions for "get_global_preferred" to be
    for service-admin only. Project admins and users should only know
    what their own preferred CA is. Global settings are only
    relevant to the overall service admin.

    Also, if the first call a project admin makes is GET cas/preferred
    then that call needs to create a project entry. This commit adds the
    call to do that.

    Change-Id: I2e1ddbf8f2d93af5bd9b182716ad9540d7165420
    Closes-bug: #1496821
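
The mismatch the commit message describes, between rule names passed to the RBAC decorators and the keys in policy.json, can be caught with a static check. The following is an added example, not Barbican's code: the decorator name `enforce_rbac`, the controller source and the policy entries are all constructed for illustration.

```python
import ast
import json

# Constructed sample inputs (not Barbican's real controller or policy file).
CONTROLLER_SRC = '''
class CAsController:
    @enforce_rbac("certificate_authorities:get")
    def on_get(self): ...
    @enforce_rbac("certificate_authority:get_preferred_ca")
    def preferred(self): ...
    @enforce_rbac("certificate_authority:get_global_preferred_ca")
    def global_preferred(self): ...
'''
POLICY_JSON = '''{
  "all_users": "role:admin or role:creator or role:observer",
  "service_admin": "role:key-manager:service-admin",
  "certificate_authorities:get": "rule:all_users",
  "certificate_authority:get_preferred": "rule:all_users",
  "certificate_authority:get_global_preferred_ca": "rule:service_admin"
}'''


def enforced_rules(source, decorator="enforce_rbac"):
    """Return {rule_name: [line numbers]} for each @decorator("rule") in source."""
    found = {}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in node.decorator_list:
            if not isinstance(dec, ast.Call) or not dec.args:
                continue
            # Accept both @enforce_rbac(...) and @module.enforce_rbac(...).
            func = dec.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
            arg = dec.args[0]
            if name == decorator and isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                found.setdefault(arg.value, []).append(dec.lineno)
    return found


def policy_drift(source, policy_text):
    """Compare rule names enforced in code with those defined in the policy file."""
    enforced = set(enforced_rules(source))
    # Policy targets look like "resource:action"; keys without ':' are role aliases.
    targets = {key for key in json.loads(policy_text) if ":" in key}
    return {"undefined": sorted(enforced - targets),  # enforced, never defined
            "unused": sorted(targets - enforced)}     # defined, never enforced


if __name__ == "__main__":
    print(policy_drift(CONTROLLER_SRC, POLICY_JSON))
```

An entry under "undefined" paired with a near-identical entry under "unused" is the signature of a renamed or misspelled rule; running the check in CI keeps the two files from drifting apart.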

Changed in barbican:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in barbican:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in barbican:
milestone: liberty-rc1 → 1.0.0