← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1479578] Re: Domain-specific config breaks some ops

 

Reviewed:  https://review.openstack.org/282080
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c73a81e61d059f4ab9e9cc29bad5528e1459444b
Submitter: Jenkins
Branch:    master

commit c73a81e61d059f4ab9e9cc29bad5528e1459444b
Author: Matthew Edmonds <edmondsw@xxxxxxxxxx>
Date:   Thu Feb 18 17:02:09 2016 -0500

    Allow user list without specifying domain
    
    With a single domain environment, users can be listed without
    specifying a domain. When moving to a multiple domain environment,
    this remains true for domain-scoped tokens but not for project-scoped
    tokens. Project-scoped tokens currently only work if the domain_id
    query parameter is specified. This has been a source of pain to many
    users, and is unnecessary. Just as the desired domain is assumed to be
    that to which the token is scoped when the token is domain-scoped,
    keystone can assume the desired domain is that of the project's domain
    when the token is project-scoped.
    
    Change-Id: I1d06935c06661109a523c5b4547ff01f23235a89
    Closes-Bug: 1479578


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1479578

Title:
  Domain-specific config breaks some ops

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  I set up a multi-domain config on my devstack and tried to do a
  simple:

  $ openstack user list

  with project-scoped environment variables (in fact I downloaded the
  admin-openrc.sh from Horizon).

  This results in:

  ERROR: openstack The request you have made requires authentication.
  (Disable debug mode to suppress these details.) (HTTP 401) (Request-
  ID: req-b687e823-9896-4905-83d3-b1e45fa966ed)

  If I disable domain-specific configs in the keystone.conf, it works
  again.

  If it *is* enabled, I can force a domain-specific request using
  something like:

  $ OS_TENANT_ID= OS_TENANT_NAME= OS_PROJECT_NAME= openstack --os-
  domain-name <name> user list

  However if I specify the default domain then I get this:

  ERROR: openstack User 0fa9633d884a42448bbd386778ca6b87 has no access
  to domain default (Disable debug mode to suppress these details.)
  (HTTP 401) (Request-ID: req-65e053e4-33c2-4b7b-aedf-30d3ef88735c)

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1479578/+subscriptions


References