yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #09095
[Bug 1273867] [NEW] Keystone API v3 lists disabled endpoints and services in catalog
Public bug reported:
When endpoint or service has "enabled" attribute set to "False", it is
still listed in catalog (`keystone catalog` command and/or in catalog
part of token.
Create testing service (simplifies output later):
> localhost:5000
> POST /v3/services
> '{"service":{"name":"My svc","type":"testing"}}'
response:
> {'service': {'id': '<SERVICE-ID>',
> 'links': {'self': 'http://localhost:5000/v3/services/<SERVICE-ID>'},
> 'name': 'My svc',
> 'type': 'testing'}}
Create disabled endpoint:
> localhost:5000
> POST /v3/endpoints
> '{"endpoint":{
> "enabled":false,
> "name":"My disabled",
> "interface":"public",
> "url":"disabled_URL",
> "service_id":"<SERVICE-ID>"}}'
response:
> {'endpoint': {'enabled': False,
> 'id': '<ENDPOINT-ID>',
> 'interface': 'public',
> 'links': {'self': 'http://localhost:5000/v3/endpoints/<ENDPOINT-ID>'},
> 'name': 'My disabled',
> 'region': None,
> 'service_id': '<SERVICE-ID>',
> 'url': 'disabled_URL'}}
Now request token and see that it's catalog/endpoints part contains:
> localhost:5000
> POST /v3/auth/tokens
> '{"auth":{
> "identity":
> {"methods":["password"],
> "password":{
> "user":{"name":"admin","domain":{"id":"default"},"password":"pass"}}},
> "scope":{"project":{"name":"admin","domain":{"id":"default"}}}}}
snippet of response:
> {'token': {'catalog': [
> ...
> {'endpoints': [{'enabled': False,
> 'id': '<ENDPOINT-ID>',
> 'interface': 'public',
> 'legacy_endpoint_id': None,
> 'name': 'My disabled',
> 'region': None,
> 'url': 'disabled_URL'}],
> 'id': '<SERVICE-ID>',
> 'type': 'testing'},
> ...
Also it gets listed in response of `keystone catalog` (API v2):
> # keystone catalog --service testing
> Service: testing
> +-----------+----------------------------------+
> | Property | Value |
> +-----------+----------------------------------+
> | id | <ENDPOINT-ID> |
> | publicURL | disabled_URL |
> | region | |
> +-----------+----------------------------------+
The same example applies to Service with enabled=false.
See https://github.com/openstack/identity-api/blob/master/openstack-
identity-api/src/markdown/identity-api-v3.md#endpoints-v3endpoints for
description of enabled attribute for Endpoint.
And https://github.com/openstack/identity-api/blob/master/openstack-
identity-api/src/markdown/identity-api-v3.md#services-v3services for
description of Service.
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1273867
Title:
Keystone API v3 lists disabled endpoints and services in catalog
Status in OpenStack Identity (Keystone):
New
Bug description:
When endpoint or service has "enabled" attribute set to "False", it is
still listed in catalog (`keystone catalog` command and/or in catalog
part of token.
Create testing service (simplifies output later):
> localhost:5000
> POST /v3/services
> '{"service":{"name":"My svc","type":"testing"}}'
response:
> {'service': {'id': '<SERVICE-ID>',
> 'links': {'self': 'http://localhost:5000/v3/services/<SERVICE-ID>'},
> 'name': 'My svc',
> 'type': 'testing'}}
Create disabled endpoint:
> localhost:5000
> POST /v3/endpoints
> '{"endpoint":{
> "enabled":false,
> "name":"My disabled",
> "interface":"public",
> "url":"disabled_URL",
> "service_id":"<SERVICE-ID>"}}'
response:
> {'endpoint': {'enabled': False,
> 'id': '<ENDPOINT-ID>',
> 'interface': 'public',
> 'links': {'self': 'http://localhost:5000/v3/endpoints/<ENDPOINT-ID>'},
> 'name': 'My disabled',
> 'region': None,
> 'service_id': '<SERVICE-ID>',
> 'url': 'disabled_URL'}}
Now request token and see that it's catalog/endpoints part contains:
> localhost:5000
> POST /v3/auth/tokens
> '{"auth":{
> "identity":
> {"methods":["password"],
> "password":{
> "user":{"name":"admin","domain":{"id":"default"},"password":"pass"}}},
> "scope":{"project":{"name":"admin","domain":{"id":"default"}}}}}
snippet of response:
> {'token': {'catalog': [
> ...
> {'endpoints': [{'enabled': False,
> 'id': '<ENDPOINT-ID>',
> 'interface': 'public',
> 'legacy_endpoint_id': None,
> 'name': 'My disabled',
> 'region': None,
> 'url': 'disabled_URL'}],
> 'id': '<SERVICE-ID>',
> 'type': 'testing'},
> ...
Also it gets listed in response of `keystone catalog` (API v2):
> # keystone catalog --service testing
> Service: testing
> +-----------+----------------------------------+
> | Property | Value |
> +-----------+----------------------------------+
> | id | <ENDPOINT-ID> |
> | publicURL | disabled_URL |
> | region | |
> +-----------+----------------------------------+
The same example applies to Service with enabled=false.
See https://github.com/openstack/identity-api/blob/master/openstack-
identity-api/src/markdown/identity-api-v3.md#endpoints-v3endpoints for
description of enabled attribute for Endpoint.
And https://github.com/openstack/identity-api/blob/master/openstack-
identity-api/src/markdown/identity-api-v3.md#services-v3services for
description of Service.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1273867/+subscriptions
Follow ups
References
