yahoo-eng-team team mailing list archive
Message #38689
[Bug 1493126] Re: openstack group create fails while using admin token
I do not consider this a bug. We state that you must either explicitly
supply the domain_id of a group in the entity passed to the create call
OR use a domain scoped token. Since the ADMIN token is not a domain
scoped token, you must provide it in the entity itself (which, to be
honest, should be the recommended way of doing it anyway).
** Changed in: keystone
Status: In Progress => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1493126
Title:
openstack group create fails while using admin token
Status in Keystone:
Invalid
Bug description:
Using --os-token=ADMIN_TOKEN rather than admin user credentials
fails with the error message:
$ openstack --os-token=<ADMIN_TOKEN> group create "qwerty"
ERROR: openstack The request you have made requires authentication. (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-8b45e<...>)
OS_USERNAME and OS_PASSWORD are set to ""
Keystone log contains:
2015-09-07 19:30:50.514850 14499 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /opt/stack/keystone/keystone/middleware/core.py:209
2015-09-07 19:30:50.533697 14499 INFO keystone.common.wsgi [-] POST http://172.16.51.28:5000/v3/groups
2015-09-07 19:30:50.536504 14499 WARNING keystone.common.controller [-] RBAC: Bypassing authorization
2015-09-07 19:30:50.539266 14499 WARNING keystone.common.utils [-] Couldn't find the auth context.
2015-09-07 19:30:50.547398 14499 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. (Disable debug mode to suppress these details.) (Disable debug mode to suppress these details.) from <IP>
Using admin credentials works fine.
---------------
Investigation showed me that the root cause of this is that during group creation [0] the token information is extracted from the context [1], which is {empty} for requests authenticated using ADMIN_TOKEN [2]
[0] https://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L300
[1] https://github.com/openstack/keystone/blob/master/keystone/common/utils.py#L523-L525
[2] https://github.com/openstack/keystone/blob/master/keystone/middleware/core.py#L72
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1493126/+subscriptions
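The rule stated in the reply (explicit domain_id in the entity, or a domain-scoped token) can be modelled as below. This is an added illustration, not Keystone's code and not part of the original message; the function names, the `Unauthorized` class and the `domain_id` key in the auth context are assumptions made for the sketch.

```python
# Simplified model of the domain-resolution rule from the reply.
# Not Keystone's implementation; names and auth-context layout are assumed.
import json


class Unauthorized(Exception):
    """Stands in for the HTTP 401 shown in the bug report."""


def resolve_group_domain(group_ref, auth_context):
    """Return the domain a new group will belong to.

    An explicit domain_id in the entity wins; otherwise the domain the
    token is scoped to is used.
    """
    if group_ref.get("domain_id"):
        return group_ref["domain_id"]
    # ADMIN_TOKEN requests carry an empty auth context (the log line
    # "RBAC: auth_context: {}"), so there is no token scope to fall back on.
    if not auth_context:
        raise Unauthorized("no auth context and no domain_id in the entity")
    domain_id = auth_context.get("domain_id")  # assumed key for a domain scope
    if domain_id is None:
        # In this model a token without a domain scope is rejected as well.
        raise Unauthorized("token is not domain scoped")
    return domain_id


def group_create_body(name, domain_id):
    """JSON body for POST /v3/groups with the domain stated explicitly."""
    return json.dumps({"group": {"name": name, "domain_id": domain_id}})


if __name__ == "__main__":
    # Constructed inputs: (entity, auth context) pairs for the three cases.
    cases = [
        ({"name": "qwerty", "domain_id": "default"}, {}),   # ADMIN_TOKEN + explicit domain
        ({"name": "qwerty"}, {"domain_id": "d1"}),          # domain-scoped token
        ({"name": "qwerty"}, {}),                           # the reported failure
    ]
    for ref, ctx in cases:
        try:
            print(ref, ctx, "->", resolve_group_domain(ref, ctx))
        except Unauthorized as exc:
            print(ref, ctx, "-> 401:", exc)
    print(group_create_body("qwerty", "default"))
```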