yahoo-eng-team team mailing list archive

[Bug 1489724] [NEW] The check about project scope and domain scope has a problem

Public bug reported:

The keystone.common.authorization.token_to_auth_context function contains the following scope check:
---
def token_to_auth_context(token):
    ...
    if token.project_scoped:
        auth_context['project_id'] = token.project_id
    elif token.domain_scoped:
        auth_context['domain_id'] = token.domain_id
    else:
        LOG.debug('RBAC: Proceeding without project or domain scope')
    ...
---

However, if the token is both project_scoped and domain_scoped at the same time, it should raise an exception.
At present the check above does not handle the case where project_scoped and domain_scoped are both set.
For reference, the API manual describes scope as follows:
---
The authorization scope includes either a project or domain. If you include both project and domain, this call returns the HTTP Bad Request (400) status code because a token cannot be simultaneously scoped as both a project and domain. 
---
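As an added illustration (not code from keystone or from the bug reporter), the following stand-alone Python reproduces the quoted if/elif logic beside a strict variant that rejects a token carrying both scopes. The Token dataclass, the ScopeConflict exception and the function names are constructed for this example; in keystone the conflict would be raised as whatever exception the project maps to HTTP 400.

```python
import logging
from dataclasses import dataclass
from typing import Optional

LOG = logging.getLogger(__name__)


class ScopeConflict(ValueError):
    """Constructed exception: a token claims both project and domain scope."""


@dataclass
class Token:
    # Minimal stand-in for keystone's token model; only the fields the check reads.
    user_id: str
    project_id: Optional[str] = None
    domain_id: Optional[str] = None

    @property
    def project_scoped(self) -> bool:
        return self.project_id is not None

    @property
    def domain_scoped(self) -> bool:
        return self.domain_id is not None


def token_to_auth_context_original(token):
    """Mirror of the logic quoted in the bug: the elif silently prefers project scope,
    so a token with both scopes is accepted and its domain_id is dropped."""
    auth_context = {'user_id': token.user_id}
    if token.project_scoped:
        auth_context['project_id'] = token.project_id
    elif token.domain_scoped:
        auth_context['domain_id'] = token.domain_id
    else:
        LOG.debug('RBAC: Proceeding without project or domain scope')
    return auth_context


def token_to_auth_context_strict(token):
    """Same mapping, but a token scoped to both a project and a domain is rejected
    up front instead of being coerced into a project-scoped context."""
    auth_context = {'user_id': token.user_id}
    if token.project_scoped and token.domain_scoped:
        LOG.warning('RBAC: rejecting token for user %s scoped to both project %s and domain %s',
                    token.user_id, token.project_id, token.domain_id)
        raise ScopeConflict('token cannot be scoped to both a project and a domain')
    if token.project_scoped:
        auth_context['project_id'] = token.project_id
    elif token.domain_scoped:
        auth_context['domain_id'] = token.domain_id
    else:
        LOG.debug('RBAC: Proceeding without project or domain scope')
    return auth_context


def is_rejected(token) -> bool:
    """True if the strict check refuses the token (helper for checking behaviour)."""
    try:
        token_to_auth_context_strict(token)
    except ScopeConflict:
        return True
    return False


if __name__ == '__main__':
    # Constructed sample: a token that claims both scopes at once.
    conflicting = Token(user_id='u1', project_id='p1', domain_id='d1')
    print('original:', token_to_auth_context_original(conflicting))
    print('strict rejects it:', is_rejected(conflicting))
```

Running it shows the original mapping returning a project-only context for the conflicting token (the domain scope vanishes without any log entry), while the strict version raises and logs the conflict, which is the behaviour the API description calls for.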

** Affects: keystone
     Importance: Undecided
     Assignee: majianjun (mjjun)
         Status: In Progress

** Changed in: keystone
       Status: New => In Progress

** Changed in: keystone
     Assignee: (unassigned) => majianjun (mjjun)

https://bugs.launchpad.net/bugs/1489724
