
yahoo-eng-team team mailing list archive

[Bug 1489724] Re: The check about project scope and domain scope has a problem


On the findings of comment #2, when a token is requested for

(1). project scope, the existing token generation method returns a token under a valid credential.
	Token request curl command and returned token are available here: https://gist.github.com/Prosunjit/f5b859089ec340dd6584

(2). domain scope, the existing token generation method returns a token under a valid credential.
	Token request curl command and returned token are available here: https://gist.github.com/Prosunjit/7bfab9d4c23379da21dc

(3). both project and domain scope presented, the existing code returns 400 as specified in the API.
	Token request curl command and returned status are available here: https://gist.github.com/Prosunjit/52e0f129e7836a5a0c3c

Code Review:

In file: keystone/keystone/auth/controllers.py
In function: authenticate_for_token

AuthInfo.create() generates a token for the incoming token request.
When both domain and project scope are present, the existing code DOES
check this in the following code and returns output following the
specification.

    from keystone import exception  # ValidationError is returned to the client as HTTP 400

    # Method of AuthInfo in keystone/auth/controllers.py
    def _validate_and_normalize_scope_data(self):
        """Validate and normalize scope data."""
        if 'scope' not in self.auth:
            return
        # Exactly one of the four scope kinds may be present in the request.
        if sum(['project' in self.auth['scope'],
                'domain' in self.auth['scope'],
                'unscoped' in self.auth['scope'],
                'OS-TRUST:trust' in self.auth['scope']]) != 1:
            raise exception.ValidationError(
                attribute='project, domain, OS-TRUST:trust or unscoped',
                target='scope')


So, I think, this bug fails to demonstrate its existence.


** Changed in: keystone
       Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1489724

Title:
  The check about project scope and domain scope has a problem

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  The keystone.common.authorization.token_to_auth_context function has some scope-checking code,
  as follows:
  ---
  def token_to_auth_context(token):
      ...
      if token.project_scoped:
          auth_context['project_id'] = token.project_id
      elif token.domain_scoped:
          auth_context['domain_id'] = token.domain_id
      else:
          LOG.debug('RBAC: Proceeding without project or domain scope')
      ...
  ---

  However, if the token includes both project_scoped and domain_scoped at the same time, it should raise an exception.
  But currently the above check code does not cover the case where project_scoped and domain_scoped exist at the same time.
  For reference, the API manual has the following description about scope.
  ---
  The authorization scope includes either a project or domain. If you include both project and domain, this call returns the HTTP Bad Request (400) status code because a token cannot be simultaneously scoped as both a project and domain. 
  ---

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1489724/+subscriptions
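To make the two sides of this discussion concrete, here is a small stand-alone re-creation of the scope check at token issuance and of the project/domain elif chain from the bug description. It is an added example written for this page, not Keystone's code: ValidationError, validate_scope, issue_token, token_to_auth_context and request_status are stand-ins with assumed names and shapes, the request bodies are constructed, and the ids in them are placeholders. It shows why the "both scopes" case never reaches the elif chain: the request is rejected with 400 before any token exists, so an issued token can only carry one of the two ids.

```python
"""Added example (not Keystone's own code): the scope rule enforced at
token issuance, and the project/domain selection that runs on an issued
token. All names here are assumed stand-ins for the Keystone originals."""


class ValidationError(Exception):
    """Stand-in for keystone.exception.ValidationError (HTTP 400)."""
    code = 400

    def __init__(self, attribute, target):
        self.attribute = attribute
        self.target = target
        super().__init__("Expecting to find %s in %s" % (attribute, target))


# The four scope kinds accepted by the v3 token API, as listed on the page.
SCOPE_KEYS = ('project', 'domain', 'unscoped', 'OS-TRUST:trust')


def validate_scope(auth):
    """Mirror of AuthInfo._validate_and_normalize_scope_data: a request
    without 'scope' is fine; a scoped request must name exactly one kind.
    Returns the scope kind, or None for an unscoped request."""
    if 'scope' not in auth:
        return None
    present = [k for k in SCOPE_KEYS if k in auth['scope']]
    if len(present) != 1:
        raise ValidationError(
            attribute='project, domain, OS-TRUST:trust or unscoped',
            target='scope')
    return present[0]


def issue_token(auth):
    """Toy issuer: validates scope first, then builds a token that is
    project-scoped, domain-scoped or neither, never both."""
    kind = validate_scope(auth)
    token = {'project_id': None, 'domain_id': None}
    if kind == 'project':
        token['project_id'] = auth['scope']['project']['id']
    elif kind == 'domain':
        token['domain_id'] = auth['scope']['domain']['id']
    return token


def token_to_auth_context(token):
    """Mirror of the elif chain quoted in the bug description, run on a
    token that issue_token() produced."""
    auth_context = {}
    if token['project_id'] is not None:
        auth_context['project_id'] = token['project_id']
    elif token['domain_id'] is not None:
        auth_context['domain_id'] = token['domain_id']
    return auth_context


def request_status(auth):
    """HTTP status a client would see for the request body: 201 when a
    token is issued (Keystone's status for POST /v3/auth/tokens), 400 on
    a scope ValidationError."""
    try:
        issue_token(auth)
    except ValidationError as e:
        return e.code
    return 201


# Constructed sample request bodies; the ids are placeholders.
PROJECT_REQ = {'scope': {'project': {'id': 'proj-123'}}}
DOMAIN_REQ = {'scope': {'domain': {'id': 'dom-456'}}}
BOTH_REQ = {'scope': {'project': {'id': 'proj-123'},
                      'domain': {'id': 'dom-456'}}}
UNSCOPED_REQ = {}

if __name__ == '__main__':
    for name, req in [('project', PROJECT_REQ), ('domain', DOMAIN_REQ),
                      ('both', BOTH_REQ), ('unscoped', UNSCOPED_REQ)]:
        print('%-8s -> %d' % (name, request_status(req)))
```

Running it prints 201 for the project, domain and unscoped requests and 400 for the request carrying both, which matches the three gists above; since a token only exists after validate_scope() passes, token_to_auth_context() never sees a token with both ids set.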

