
yahoo-eng-team team mailing list archive

[Bug 1265108] Re: Changing default_domain_id doesn't work


** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => icehouse-3

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1265108

Title:
  Changing default_domain_id doesn't work

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  If you change the default_domain_id in keystone.conf, it doesn't take
  effect everywhere. The problem is that the value is read when modules
  are imported, but that happens before the call to
  oslo.conf.cfg.CONF().

  Here's an example:

  keystone.assignment.core reads CONF.identity.default_domain_id during
  import to build DEFAULT_DOMAIN:

  http://git.openstack.org/cgit/openstack/keystone/tree/keystone/assignment/core.py?id=d38942de2f1a32d10a9dbd1d95ddda742ddbdea1#n41

  Then later, when we get into main in keystone-all, we finally call CONF():

  http://git.openstack.org/cgit/openstack/keystone/tree/bin/keystone-all?id=d38942de2f1a32d10a9dbd1d95ddda742ddbdea1#n107

  so what's going to happen is that DEFAULT_DOMAIN will get a domain_id
  of the default domain ID and later CONF.identity.default_domain_id
  will get set to whatever the user had set it to.

  You can see it in the debugger by setting a breakpoint after CONF()
  and checking the value of the config option and the DEFAULT_DOMAIN.

  I'm not sure what all effects this would have.

  The fix is to change the keystone server code so that it doesn't read
  the config value until after CONF(), which means not at import time.

  ----

  I looked through the rest of the code and here's where a static
  default_domain_id is used, and my guess as to what effect it will
  have:

  o keystone.assignment.controllers

  - In class Tenant(controller.V2Controller)

    - get_projects_for_token(),
      used to filter a list of tenants,
      so will get tenants from wrong domain or no tenants/domain not found.

    - get_project_by_name(),
      passed to self.assignment_api.get_project_by_name()
      so using v2 API will get project from wrong domain or project/domain not found

  - In class Role(controller.V2Controller)

    - get_role_refs()
      will get roles from wrong domain or no roles

  - In class DomainV3(controller.V3Controller):

    - delete_domain()
      would allow deleting the default domain when should not

  o keystone.assignment.core

  - Creates a DEFAULT_DOMAIN with { 'id': CONF.identity.default_domain_id },
    so the id of the default domain will be incorrect.

    - this is used by keystone.assignment.backends.ldap,
      - get_domain(), will return domain with incorrect ID
      - list_domains(), will return domain with incorrect ID

  o keystone.common.sql.migrate_repo.versions.008_create_default_domain

    - will create domain with wrong ID on upgrade
    - or fail to delete the domain on downgrade

  o keystone.common.sql.migrate_repo.versions.016_normalize_domain_ids

    - will put users with wrong domain

  o keystone.common.controller

  - in class V2Controller
    - in _normalize_domain_id(), will fill in domain ID with wrong domain

  - in class V3Controller(V2Controller)
    - _get_domain_id_for_request
      will get wrong domain ID for admin token
      will get wrong domain ID when no domain in token

  o keystone.identity.controllers

  - in class User(controller.V2Controller)
    - in get_user_by_name(),
      will get user from wrong domain or domain doesn't exist

  o keystone.token.providers.common

  - in class BaseProvider(provider.Provider)
    - in _assert_default_domain(),
      - will allow a user in non-default domain (for v2 tokens)

  o keystone.token.controllers

  - in class Auth(controller.V2Controller),
    - in _authenticate_local()
      will get user from wrong domain or won't find user
      (so authentication would fail)

    - in _authenticate_external()
      will get user from wrong domain

    - in _get_project_id_from_auth
      will get project from wrong domain or won't find project

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1265108/+subscriptions
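The import-order problem the report describes, reduced to a runnable example. This is added illustration code, not Keystone's own: the `Conf` class is a hypothetical stand-in for oslo.config's `CONF` object (attributes hold the registered default until the object is called to parse the user's configuration), `DEFAULT_DOMAIN_AT_IMPORT` mirrors the module-level `DEFAULT_DOMAIN` built in keystone.assignment.core, `default_domain()` is the deferred-read shape the fix calls for, and `v2_user_allowed()` stands in for the `_assert_default_domain` check from the token provider. The user config values are constructed.

```python
"""Import-time config read (the bug) beside a deferred read (the fix).

Hypothetical stand-ins, not Keystone or oslo.config code: Conf mimics the
CONF object, which returns registered defaults until CONF() parses the
user's configuration file.
"""


class IdentityGroup:
    """Stand-in for the CONF.identity option group."""

    def __init__(self):
        # Registered default: what CONF.identity.default_domain_id returns
        # before CONF() has parsed keystone.conf.
        self.default_domain_id = "default"


class Conf:
    """Stand-in for oslo.config's CONF: defaults until called, then parsed values."""

    def __init__(self):
        self.identity = IdentityGroup()
        self.parsed = False

    def __call__(self, user_config):
        # Stand-in for CONF(): apply the operator's keystone.conf values.
        for key, value in user_config.items():
            setattr(self.identity, key, value)
        self.parsed = True


CONF = Conf()

# The pattern the bug describes: the option is captured once, when the
# module is imported, which happens before main() calls CONF().
DEFAULT_DOMAIN_AT_IMPORT = {"id": CONF.identity.default_domain_id, "name": "Default"}


def default_domain():
    """The pattern the fix describes: read the option only when needed."""
    return {"id": CONF.identity.default_domain_id, "name": "Default"}


def v2_user_allowed(user_domain_id, default_domain_id):
    """Stand-in for _assert_default_domain: v2 tokens only for default-domain users."""
    return user_domain_id == default_domain_id


def simulate_startup(user_config):
    """Replay the startup order: modules imported above, CONF() called now.

    Returns what each code path sees afterwards so the stale constant can be
    compared with the parsed option and with the deferred read.
    """
    CONF(user_config)  # keystone-all main() reaching CONF()
    stale_id = DEFAULT_DOMAIN_AT_IMPORT["id"]
    fresh_id = default_domain()["id"]
    configured = CONF.identity.default_domain_id
    return {
        "config_value": configured,
        "import_time_constant": stale_id,
        "lazy_value": fresh_id,
        # Effect on the v2 token check: a user in the real default domain is
        # rejected by the stale value, while a user in a domain that merely
        # has id "default" (no longer the default) is accepted.
        "stale_rejects_real_default_user": not v2_user_allowed(configured, stale_id),
        "stale_accepts_other_domain_user": v2_user_allowed("default", stale_id),
        "lazy_accepts_real_default_user": v2_user_allowed(configured, fresh_id),
    }


if __name__ == "__main__":
    # Constructed keystone.conf override: operator changed the default domain.
    for key, value in simulate_startup({"default_domain_id": "acme"}).items():
        print(f"{key}: {value}")
```

Running it with the constructed override shows `config_value` and `lazy_value` as `acme` while `import_time_constant` stays `default`, which is exactly the mismatch the report says a breakpoint after `CONF()` reveals; the last three fields show how the stale value inverts the v2 default-domain check.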
