yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1431015] Re: v3/users or groups calls not working without domain_id

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Matthew Edmonds <edmondsw@xxxxxxxxxx>
Date: Thu, 12 Mar 2015 18:06:33 -0000
Reply-to: Bug 1431015 <1431015@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This was not an unscoped token. Requested as follows:

curl -k -i -X POST https://127.0.0.1:5000/v3/auth/tokens -H "Accept:
application/json" -H "Content-Type: application/json" -d '{"auth":
{"scope": {"project": {"name": "ibm-default", "domain": {"name":
"Default"}}}, "identity": {"methods": ["password"], "password": {"user":
{"domain": {"name": "Default"}, "name": "root", "password":
"passw0rd"}}}}}'

** Changed in: keystone
       Status: Invalid => New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1431015

Title:
  v3/users or groups calls not working without domain_id

Status in OpenStack Identity (Keystone):
  New

Bug description:
  The keystone.common.controller._get_domain_id_for_list_request comment says the below:
          """Get the domain_id for a v3 list call.

          If we running with multiple domain drivers, then the caller must
          specify a domain_id either as a filter or as part of the token scope.

          """

  But keystone instead of pulling the domain information from the token
  scope (the "or" in that statement), keystone fails with an HTTP 401 if
  you don't explicitly indicate the domain with the domain_id query
  parameter, as shown with the following commands:

  [root@mysystem ~]# curl -k -i -X GET https://127.0.0.1:5000/v3/groups -H "Accept: application/json" -H "X-Auth-Token: 7f9254f016784efdb3b1e6fa8bc5e4f7"
  HTTP/1.1 401 Unauthorized
  content-length: 114
  vary: X-Auth-Token
  server: Apache/2.4.6 (Red Hat) OpenSSL/1.0.1e-fips mod_wsgi/3.4 Python/2.7.5
  date: Wed, 11 Mar 2015 20:50:31 GMT
  content-type: application/json
  www-authenticate: Keystone uri="https://ip9-114-226-167.pok.stglabs.ibm.com:5000";

  {"error": {"message": "The request you have made requires
  authentication.", "code": 401, "title": "Unauthorized"}}

  [root@mysystem ~]# curl -k -X GET https://127.0.0.1:5000/v3/auth/tokens -H "Accept: application/json" -H "X-Auth-Token: 7f9254f016784efdb3b1e6fa8bc5e4f7" -H "X-Subject-Token: 7f9254f016784efdb3b1e6fa8bc5e4f7" | python -mjson.tool
  {
      "token": {
  ...
          "project": {
              "domain": {
                  "id": "default",
                  "name": "Default"
              },
              "id": "0e2df62a46044405bb63be16ab9e2177",
              "name": "ibm-default"
          },
  ...
          "user": {
              "domain": {
                  "id": "default",
                  "name": "Default"
              },
              "id": "0688b01e6439ca32d698d20789d52169126fb41fb1a4ddafcebb97d854e836c9",
              "name": "root"
          }
      }
  }

  [root@mysystem ~]# curl -k -i -X GET https://127.0.0.1:5000/v3/groups?domain_id=default -H "Accept: application/json" -H "X-Auth-Token: 7f9254f016784efdb3b1e6fa8bc5e4f7"
  HTTP/1.1 200 OK
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1431015/+subscriptions

References

[Bug 1431015] [NEW] v3/users or groups calls not working without domain_id
From: Matthew Edmonds, 2015-03-11