[Openstack-security] [Bug 1846817] Re: v3/role_assignments filtering exposes unnecessary role assignments
Colleen Murphy
colleen at gazlene.net
Fri Oct 4 21:28:40 UTC 2019
Can you say whether this is new in Train, or present since Stein? If it
is new in Train, we should try to correct it ASAP before the final
release.
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1846817
Title:
v3/role_assignments filtering exposes unnecessary role assignments
Status in OpenStack Identity (keystone):
Triaged
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
I have a deployment that exercises multiple system role assignments:
- An "operator" user has the "admin" role on the system
- A "system-support" user has the "member" role on the system
- A "system-admins" group has the "reader" role on the system
If I ask keystone to filter a list of role assignments by --system all
and --role member, I should only see a list with the "system-support"
user and the "operator" user. Instead, I get a list with three entries
that includes the group, which doesn't have the member role at all, it
only has reader.
Depending on how you classify this, it could leak information to
clients. Groups don't appear to be filtered from the list since
"reader" doesn't imply "member" (it's the other way around).
$ openstack role assignment list --names --system all --debug
START with options: role assignment list --names --system all --debug
options: Namespace(access_key='', access_secret='***', access_token='***', access_token_endpoint='', access_token_type='', application_credential_id='', application_credential_name='', application_credential_secret='***', auth_methods='', auth_type='', auth_url='', cacert=None, cert='', client_id='', client_secret='***', cloud='devstack-system-admin', code='', consumer_key='', consumer_secret='***', debug=True, default_domain='default', default_domain_id='', default_domain_name='', deferred_help=False, discovery_endpoint='', domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, interface='public', key='', log_file=None, openid_scope='', os_beta_command=False, os_compute_api_version='', os_identity_api_version='', os_image_api_version='', os_key_manager_api_version='1', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_volume_api_version='', passcode='', password='***', profile='', project_domain_id='', project_domain_name='', project_id='', project_name='', protocol='', redirect_uri='', region_name='', remote_project_domain_id='', remote_project_domain_name='', remote_project_id='', remote_project_name='', service_provider='', service_provider_endpoint='', service_provider_entity_id='', system_scope='', timing=False, token='***', trust_id='', url='', user_domain_id='', user_domain_name='', user_id='', username='', verbose_level=3, verify=None)
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
defaults: {u'auth_type': 'password', u'status': u'active', u'image_status_code_retries': 5, u'baremetal_introspection_status_code_retries': 5, 'api_timeout': None, 'cacert': None, u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, u'interface': u'public', u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', u'baremetal_status_code_retries': 5, 'verify': True, 'cert': None, u'secgroup_source': u'neutron', u'object_store_api_version': u'1', u'disable_vendor_agent': {}}
cloud cfg: {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
compute API version 2.1, cmd group openstack.compute.v2
network API version 2, cmd group openstack.network.v2
image API version 2, cmd group openstack.image.v2
volume API version 3, cmd group openstack.volume.v3
identity API version 3, cmd group openstack.identity.v3
object_store API version 1, cmd group openstack.object_store.v1
key_manager API version 1, cmd group openstack.key_manager.v1
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
command: role assignment list -> openstackclient.identity.v3.role_assignment.ListRoleAssignment (auth=True)
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'timing': False, 'additional_user_agent': [('osc-lib', '1.13.0')], u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, u'interface': 'public', 'cacert': None, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'disable_vendor_agent': {}}
Using auth plugin: password
Using parameters {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}
Get auth_ref
REQ: curl -g -i -X GET http://10.0.3.122/identity -H "Accept: application/json" -H "User-Agent: openstacksdk/0.34.0 keystoneauth1/3.17.0 python-requests/2.22.0 CPython/2.7.15+"
Starting new HTTP connection (1): 10.0.3.122:80
http://10.0.3.122:80 "GET /identity HTTP/1.1" 300 269
RESP: [300] Connection: close Content-Length: 269 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:29 GMT Location: http://10.0.3.122/identity/v3/ Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-f35dcb91-9d9f-4c85-9421-1600e6a6ec27
RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2019-07-19T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.13", "links": [{"href": "http://10.0.3.122/identity/v3/", "rel": "self"}]}]}}
GET call to http://10.0.3.122/identity used request id req-f35dcb91-9d9f-4c85-9421-1600e6a6ec27
Making authentication request to http://10.0.3.122/identity/v3/auth/tokens
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "POST /identity/v3/auth/tokens HTTP/1.1" 201 1194
{"token": {"methods": ["password"], "roles": [{"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}], "system": {"all": true}, "expires_at": "2019-10-04T19:56:29.000000Z", "catalog": [{"endpoints": [{"url": "http://10.0.3.122/image", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "279159944f0843179bb376b4a7ac5c45"}], "type": "image", "id": "24305f1e70ec474d895e409f4b339f18", "name": "glance"}, {"endpoints": [{"url": "http://10.0.3.122/identity", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "5ba5cca8ad654f5ea9d633321893d620"}, {"url": "http://10.0.3.122/identity", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "f3b136a56d1a4839bd1bc50a070f8f86"}], "type": "identity", "id": "da3d368b566b4a9686ddadbb64004c26", "name": "keystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "admin", "id": "0ec0eb48c66d4fb79c432a2ff8c5d257"}, "audit_ids": ["JVQCRxBoTUyzm2CqiCoj6w"], "issued_at": "2019-10-04T18:56:29.000000Z"}}
run(Namespace(authproject=False, authuser=False, columns=[], domain=None, effective=False, fit_width=False, formatter='table', group=None, group_domain=None, inherited=False, max_width=0, names=True, noindent=False, print_empty=False, project=None, project_domain=None, quote_mode='nonnumeric', role=None, role_domain=None, sort_columns=[], system=u'all', user=None, user_domain=None))
Instantiating identity client: <class 'keystoneclient.v3.client.Client'>
Making authentication request to http://10.0.3.122/identity/v3/auth/tokens
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "POST /identity/v3/auth/tokens HTTP/1.1" 201 1194
{"token": {"methods": ["password"], "roles": [{"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}], "system": {"all": true}, "expires_at": "2019-10-04T19:56:29.000000Z", "catalog": [{"endpoints": [{"url": "http://10.0.3.122/image", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "279159944f0843179bb376b4a7ac5c45"}], "type": "image", "id": "24305f1e70ec474d895e409f4b339f18", "name": "glance"}, {"endpoints": [{"url": "http://10.0.3.122/identity", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "5ba5cca8ad654f5ea9d633321893d620"}, {"url": "http://10.0.3.122/identity", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "f3b136a56d1a4839bd1bc50a070f8f86"}], "type": "identity", "id": "da3d368b566b4a9686ddadbb64004c26", "name": "keystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "admin", "id": "0ec0eb48c66d4fb79c432a2ff8c5d257"}, "audit_ids": ["U9Z3md9YTP-9-bTLuPDIzg"], "issued_at": "2019-10-04T18:56:29.000000Z"}}
REQ: curl -g -i -X GET http://10.0.3.122/identity/v3/role_assignments?scope.system=all&include_names=True -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA256}042443671367aa0183e15fd2692bf4c70d15050bdac46db883fd836440ae1065"
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "GET /identity/v3/role_assignments?scope.system=all&include_names=True HTTP/1.1" 200 2401
RESP: [200] Connection: close Content-Length: 2401 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:29 GMT Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-c9bf133b-7ec4-49a5-b9da-3185dc6c55d2
RESP BODY: {"role_assignments": [{"scope": {"system": {"all": true}}, "role": {"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, "group": {"domain": {"id": "default", "name": "Default"}, "id": "c814cd4739bd4960ad08ade3814f1560", "name": "system-admins"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/groups/c814cd4739bd4960ad08ade3814f1560/roles/7a11d0ba747046d7936fbb8f97dc5cb1"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}, "group": {"domain": {"id": "default", "name": "Default"}, "id": "dd97034049fd46a6bdb33a32f1c7759e", "name": "system-auditors"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/groups/dd97034049fd46a6bdb33a32f1c7759e/roles/7ee093f4ccf345bba963ce765f9b797f"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "0ec0eb48c66d4fb79c432a2ff8c5d257", "name": "admin"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/0ec0eb48c66d4fb79c432a2ff8c5d257/roles/7a11d0ba747046d7936fbb8f97dc5cb1"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "0f75914e63cb46e795cae7e6facd0ecb", "name": "operator"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/0f75914e63cb46e795cae7e6facd0ecb/roles/7a11d0ba747046d7936fbb8f97dc5cb1"}}, {"scope": {"system": {"all": true}}, "role": {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "66256692b6b942a8814ffd87d32a3963", "name": "system-support"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/66256692b6b942a8814ffd87d32a3963/roles/a8cd98f2e98d4135b2fa83950d6171ec"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "e8fec49e15984aedb5e1235f279434fe", "name": "auditor"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/e8fec49e15984aedb5e1235f279434fe/roles/7ee093f4ccf345bba963ce765f9b797f"}}], "links": {"self": "http://10.0.3.122/identity/v3/role_assignments?scope.system=all&include_names=True", "previous": null, "next": null}}
GET call to identity for http://10.0.3.122/identity/v3/role_assignments?scope.system=all&include_names=True used request id req-c9bf133b-7ec4-49a5-b9da-3185dc6c55d2
+--------+------------------------+-------------------------+---------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+--------+------------------------+-------------------------+---------+--------+--------+-----------+
| admin | | system-admins at Default | | | all | False |
| reader | | system-auditors at Default | | | all | False |
| admin | admin at Default | | | | all | False |
| admin | operator at Default | | | | all | False |
| member | system-support at Default | | | | all | False |
| reader | auditor at Default | | | | all | False |
+--------+------------------------+-------------------------+---------+--------+--------+-----------+
clean_up ListRoleAssignment:
END return value: 0
The Trace above lists all system role assignments to confirm my setup
locally. The following trace shows that the group is returned with the
wrong role assignment based on the filter.
$ openstack role assignment list --names --system all --role member --debug [1/880]
START with options: role assignment list --names --system all --role member --debug
options: Namespace(access_key='', access_secret='***', access_token='***', access_token_endpoint='', access_token_type='', application_credential_id='', application_credential_name='', application_credential_secret='***', auth_methods='',
auth_type='', auth_url='', cacert=None, cert='', client_id='', client_secret='***', cloud='devstack-system-admin', code='', consumer_key='', consumer_secret='***', debug=True, default_domain='default', default_domain_id='', default_domai
n_name='', deferred_help=False, discovery_endpoint='', domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, interface='public', key='', log_file=None, openid_scope='', os_beta_command=F
alse, os_compute_api_version='', os_identity_api_version='', os_image_api_version='', os_key_manager_api_version='1', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_volume_api_version='',
passcode='', password='***', profile='', project_domain_id='', project_domain_name='', project_id='', project_name='', protocol='', redirect_uri='', region_name='', remote_project_domain_id='', remote_project_domain_name='', remote_proje
ct_id='', remote_project_name='', service_provider='', service_provider_endpoint='', service_provider_entity_id='', system_scope='', timing=False, token='***', trust_id='', url='', user_domain_id='', user_domain_name='', user_id='', usern
ame='', verbose_level=3, verify=None)
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-ad
min', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system
_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key
': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True,
u'interface': 'public', u'disable_vendor_agent': {}}
defaults: {u'auth_type': 'password', u'status': u'active', u'image_status_code_retries': 5, u'baremetal_introspection_status_code_retries': 5, 'api_timeout': None, 'cacert': None, u'image_api_use_tasks': False, u'floating_ip_source': u'ne
utron', 'key': None, u'interface': u'public', u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', u'baremetal_status_code_retries': 5, 'verify': True, 'cert': None, u'secgroup_source': u'neutron', u'object_store_api_
version': u'1', u'disable_vendor_agent': {}}
cloud cfg: {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 've
rify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope':
'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None,
'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interfa
ce': 'public', u'disable_vendor_agent': {}}
compute API version 2.1, cmd group openstack.compute.v2
network API version 2, cmd group openstack.network.v2
image API version 2, cmd group openstack.image.v2
volume API version 3, cmd group openstack.volume.v3
identity API version 3, cmd group openstack.identity.v3
object_store API version 1, cmd group openstack.object_store.v1
key_manager API version 1, cmd group openstack.key_manager.v1
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-ad
min', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system
_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key
': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True,
u'interface': 'public', u'disable_vendor_agent': {}}
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-ad
min', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system
_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key
': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True,
u'interface': 'public', u'disable_vendor_agent': {}}
command: role assignment list -> openstackclient.identity.v3.role_assignment.ListRoleAssignment (auth=True)
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'timing': False, 'additional_user_agent': [('osc-lib', '1.13.0')], u'network_api_version': u'2', u'message': u'', u'image_format': u'q
cow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_ti
meout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tas
ks': False, u'floating_ip_source': u'neutron', 'key': None, u'interface': 'public', 'cacert': None, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_h
elp': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'disable_vendor_agent': {}}
Using auth plugin: password
Using parameters {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}
Get auth_ref
REQ: curl -g -i -X GET http://10.0.3.122/identity -H "Accept: application/json" -H "User-Agent: openstacksdk/0.34.0 keystoneauth1/3.17.0 python-requests/2.22.0 CPython/2.7.15+"
Starting new HTTP connection (1): 10.0.3.122:80
http://10.0.3.122:80 "GET /identity HTTP/1.1" 300 269
RESP: [300] Connection: close Content-Length: 269 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:49 GMT Location: http://10.0.3.122/identity/v3/ Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-d5
784d4c-7b47-4647-b912-65e6a78b835e
RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2019-07-19T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.13", "links": [{"href": "http://10.
0.3.122/identity/v3/", "rel": "self"}]}]}}
GET call to http://10.0.3.122/identity used request id req-d5784d4c-7b47-4647-b912-65e6a78b835e
Making authentication request to http://10.0.3.122/identity/v3/auth/tokens
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "POST /identity/v3/auth/tokens HTTP/1.1" 201 1194
{"token": {"methods": ["password"], "roles": [{"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}], "syste
m": {"all": true}, "expires_at": "2019-10-04T19:56:49.000000Z", "catalog": [{"endpoints": [{"url": "http://10.0.3.122/image", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "279159944f0843179bb376b4a7ac5c45"
}], "type": "image", "id": "24305f1e70ec474d895e409f4b339f18", "name": "glance"}, {"endpoints": [{"url": "http://10.0.3.122/identity", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "5ba5cca8ad654f5ea9d633321
893d620"}, {"url": "http://10.0.3.122/identity", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "f3b136a56d1a4839bd1bc50a070f8f86"}], "type": "identity", "id": "da3d368b566b4a9686ddadbb64004c26", "name": "ke
ystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "admin", "id": "0ec0eb48c66d4fb79c432a2ff8c5d257"}, "audit_ids": ["SGRaWT8BTVuzELGwxqjBdg"], "issued_at": "2019-10-04T18:56:49.000000
Z"}}
run(Namespace(authproject=False, authuser=False, columns=[], domain=None, effective=False, fit_width=False, formatter='table', group=None, group_domain=None, inherited=False, max_width=0, names=True, noindent=False, print_empty=False, pro
ject=None, project_domain=None, quote_mode='nonnumeric', role=u'member', role_domain=None, sort_columns=[], system=u'all', user=None, user_domain=None))
Instantiating identity client: <class 'keystoneclient.v3.client.Client'>
Making authentication request to http://10.0.3.122/identity/v3/auth/tokens
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "POST /identity/v3/auth/tokens HTTP/1.1" 201 1194
{"token": {"methods": ["password"], "roles": [{"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}], "syste
m": {"all": true}, "expires_at": "2019-10-04T19:56:50.000000Z", "catalog": [{"endpoints": [{"url": "http://10.0.3.122/image", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "279159944f0843179bb376b4a7ac5c45"
}], "type": "image", "id": "24305f1e70ec474d895e409f4b339f18", "name": "glance"}, {"endpoints": [{"url": "http://10.0.3.122/identity", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "5ba5cca8ad654f5ea9d633321
893d620"}, {"url": "http://10.0.3.122/identity", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "f3b136a56d1a4839bd1bc50a070f8f86"}], "type": "identity", "id": "da3d368b566b4a9686ddadbb64004c26", "name": "ke
ystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "admin", "id": "0ec0eb48c66d4fb79c432a2ff8c5d257"}, "audit_ids": ["2nu0u-1wQRmWA9_uS2hZ-g"], "issued_at": "2019-10-04T18:56:50.000000
Z"}}
REQ: curl -g -i -X GET http://10.0.3.122/identity/v3/roles/member -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA256}cb5bcba8735c5a7ea6f80ea414ee306e1a0b6a9c0c39c4dbf1296a96f6516ab6"
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "GET /identity/v3/roles/member HTTP/1.1" 404 84
RESP: [404] Connection: close Content-Length: 84 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:50 GMT Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-88bce424-60f2-4d2a-a6f5-2bd256602789
RESP BODY: {"error":{"code":404,"message":"Could not find role: member.","title":"Not Found"}}
GET call to identity for http://10.0.3.122/identity/v3/roles/member used request id req-88bce424-60f2-4d2a-a6f5-2bd256602789
Request returned failure status: 404
REQ: curl -g -i -X GET http://10.0.3.122/identity/v3/roles?name=member -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA256}cb5bcba8735c5a7ea6f80ea414ee306e1a0b6a9c0c39c4dbf1296a96f6516ab6"
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "GET /identity/v3/roles?name=member HTTP/1.1" 200 322
RESP: [200] Connection: close Content-Length: 322 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:50 GMT Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-ce429b68-b53d-4c49-9080-ed3da3bce55b
RESP BODY: {"links": {"self": "http://10.0.3.122/identity/v3/roles?name=member", "previous": null, "next": null}, "roles": [{"description": null, "links": {"self": "http://10.0.3.122/identity/v3/roles/a8cd98f2e98d4135b2fa83950d6171ec"}, "
options": {}, "id": "a8cd98f2e98d4135b2fa83950d6171ec", "domain_id": null, "name": "member"}]}
GET call to identity for http://10.0.3.122/identity/v3/roles?name=member used request id req-ce429b68-b53d-4c49-9080-ed3da3bce55b
REQ: curl -g -i -X GET http://10.0.3.122/identity/v3/role_assignments?scope.system=all&role.id=a8cd98f2e98d4135b2fa83950d6171ec&include_names=True -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA
256}cb5bcba8735c5a7ea6f80ea414ee306e1a0b6a9c0c39c4dbf1296a96f6516ab6"
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "GET /identity/v3/role_assignments?scope.system=all&role.id=a8cd98f2e98d4135b2fa83950d6171ec&include_names=True HTTP/1.1" 200 1328
RESP: [200] Connection: close Content-Length: 1328 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:50 GMT Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-08f9bdb9-149d-4905-96cc-99b87c8b6339
RESP BODY: {"role_assignments": [{"scope": {"system": {"all": true}}, "role": {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}, "group": {"domain": {"id": "default", "name": "Default"}, "id": "dd97034049fd46a6bdb33a32f1c7759e"
, "name": "system-auditors"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/groups/dd97034049fd46a6bdb33a32f1c7759e/roles/7ee093f4ccf345bba963ce765f9b797f"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7a11d0ba74
7046d7936fbb8f97dc5cb1", "name": "admin"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "0f75914e63cb46e795cae7e6facd0ecb", "name": "operator"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/0f75914
e63cb46e795cae7e6facd0ecb/roles/7a11d0ba747046d7936fbb8f97dc5cb1"}}, {"scope": {"system": {"all": true}}, "role": {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, "user": {"domain": {"id": "default", "name": "Default"}, "id":
"66256692b6b942a8814ffd87d32a3963", "name": "system-support"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/66256692b6b942a8814ffd87d32a3963/roles/a8cd98f2e98d4135b2fa83950d6171ec"}}], "links": {"self": "http://10.
0.3.122/identity/v3/role_assignments?scope.system=all&role.id=a8cd98f2e98d4135b2fa83950d6171ec&include_names=True", "previous": null, "next": null}}
GET call to identity for http://10.0.3.122/identity/v3/role_assignments?scope.system=all&role.id=a8cd98f2e98d4135b2fa83950d6171ec&include_names=True used request id req-08f9bdb9-149d-4905-96cc-99b87c8b6339
+--------+------------------------+-------------------------+---------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+--------+------------------------+-------------------------+---------+--------+--------+-----------+
| reader | | system-auditors at Default | | | all | False |
| admin | operator at Default | | | | all | False |
| member | system-support at Default | | | | all | False |
+--------+------------------------+-------------------------+---------+--------+--------+-----------+
clean_up ListRoleAssignment:
END return value: 0
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1846817/+subscriptions
More information about the Openstack-security
mailing list