Designate GET and POST /v1/domains has auth issue
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Designate | Fix Released | Critical | Endre Karlson |
Kilo | Fix Committed | Critical | Kiall Mac Innes |
designate (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Users with an unscoped project token are authorized to list and create designate domains. Based on the policy file, this should not be allowed.
If a user gets a token that is not scoped to a project, that user is able to list and create designate domains.
I would expect that only tokens scoped to a tenant with the required role should be authorized to successfully make the create and get domain calls.
For example:
POST https:/
Connection: close
Content-Type: application/json
Content-Length: 150
{
"auth":{
"
}
}
}
Response:
{"access": {
"token": {
"issued_at": "2015-05-
"expires": "2015-05-
"id": "a2ce8e93ac6b43
"audit_ids": ["zus4wLUbSK6mj
},
...
Create domain
POST https:/
Connection: close
X-Auth-Token: a2ce8e93ac6b43d
Content-Type: application/json
Content-Length: 85
{
"name": "test-tc21abc.
"ttl": 3600,
"email": "<email address hidden>"
}
Response:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 248
Location: http://
X-Openstack-
Date: Fri, 29 May 2015 19:12:43 GMT
Connection: close
{
"created_at": "2015-05-
"description": null,
"email": "<email address hidden>",
"id": "6e1f4190-
"name": "test-tc21abc.
"serial": 1432926762,
"ttl": 3600,
"updated_at": null
}
Get domains
GET https:/
Connection: close
X-Auth-Token: a2ce8e93ac6b43d
Response:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 311
X-Openstack-
Date: Fri, 29 May 2015 19:12:43 GMT
Connection: close
{
"domains": [
{
"created_at": "2015-05-
"
"email": "<email address hidden>",
"id": "6e1f4190-
"name": "test-tc21abc.
"serial": 1432926762,
"ttl": 3600,
"updated_at": null
}
]
}
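The report above shows the symptom (an unscoped token gets 200 on both calls) but not the mechanism. The following is an added illustration, not Designate's code and not the fix in the review linked below, of one way an owner-style policy rule can pass for a request with no project scope: a naive `kind:%(key)s` check formats the target with `%` and compares the result to the credential attribute as a string, so a context with `tenant = None` on both sides compares `"None" == "None"` and succeeds. The rule strings (`rule:admin or tenant:%(tenant_id)s`), the credential and target key names, and the claim that this is what happened in Designate are assumptions; the hardened enforcer simply refuses to consult owner rules when the caller carries no project.

```python
# Added example (not Designate's own code). A toy oslo.policy-style
# evaluator used to show why "owner" checks must not be evaluated for
# credentials that carry no project scope. Policy shape is assumed.

POLICY = {
    "admin": "role:admin",
    "admin_or_owner": "rule:admin or tenant:%(tenant_id)s",
    "create_domain": "rule:admin_or_owner",
    "get_domains": "rule:admin_or_owner",
}


def _check_generic(kind, match, target, creds):
    """Naive generic check: interpolate the target into the match string and
    compare it, as a string, with the credential attribute named by `kind`.

    Pitfall demonstrated here: target {"tenant_id": None} formats to "None"
    and creds {"tenant": None} stringifies to "None", so they "match".
    """
    try:
        formatted = match % target
    except KeyError:
        return False
    return formatted == str(creds.get(kind))


def _evaluate(rule, target, creds):
    """Evaluate a rule string made of 'or'-joined atoms of the form
    rule:<name>, role:<name> or <attr>:<match>."""
    for alternative in rule.split(" or "):
        kind, _, match = alternative.strip().partition(":")
        if kind == "rule":
            ok = _evaluate(POLICY[match], target, creds)
        elif kind == "role":
            ok = match in creds.get("roles", [])
        else:
            ok = _check_generic(kind, match, target, creds)
        if ok:
            return True
    return False


def naive_enforce(action, target, creds):
    """Authorize purely on the rule text; passes for an unscoped context."""
    return _evaluate(POLICY[action], target, creds)


def hardened_enforce(action, target, creds):
    """Reject any caller without a project before the owner rule is even
    consulted. This guard is an added suggestion, not Designate's fix."""
    if not creds.get("tenant"):
        return False
    return naive_enforce(action, target, creds)


if __name__ == "__main__":
    # Constructed contexts: an unscoped token yields no tenant and no roles
    # (Keystone v2 roles are per-project), so both sides are None.
    unscoped = {"tenant": None, "roles": []}
    unscoped_target = {"tenant_id": unscoped["tenant"]}
    owner = {"tenant": "p1", "roles": ["member"]}

    print("naive, unscoped create_domain:",
          naive_enforce("create_domain", unscoped_target, unscoped))
    print("hardened, unscoped create_domain:",
          hardened_enforce("create_domain", unscoped_target, unscoped))
    print("hardened, owner get_domains:",
          hardened_enforce("get_domains", {"tenant_id": "p1"}, owner))
```

The same `hardened_enforce` guard also makes a cross-tenant request fail (`tenant: p2` against a `p1` target) while still letting an `admin` role through via `rule:admin`, so the added check narrows only the unscoped case the report describes.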
Changed in designate:
milestone: none → liberty-1
importance: Undecided → Critical
description: updated
information type: Public → Public Security
Changed in designate (Ubuntu):
status: New → Confirmed
Changed in designate:
status: Fix Committed → Fix Released
Changed in designate (Ubuntu):
status: Confirmed → Fix Released
Changed in designate:
milestone: liberty-1 → 1.0.0
Fix proposed to branch: master
Review: https://review.openstack.org/187570