yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1582376] Re: setting user's default_project_id to a domain ID yield HTTP 400 instead of unscoped token

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1582376@xxxxxxxxxxxxxxxxxx>
Date: Fri, 20 May 2016 23:46:31 -0000
Reply-to: Bug 1582376 <1582376@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.openstack.org/317792
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8a7133f9506e0675ee5e5da9372d9be671eaaddf
Submitter: Jenkins
Branch:    master

commit 8a7133f9506e0675ee5e5da9372d9be671eaaddf
Author: Guang Yee <guang.yee@xxxxxxx>
Date:   Tue May 17 18:10:59 2016 -0700

    make sure default_project_id is not domain on user creation and update
    
    Make sure user cannot accidentially set the default_project_id to a domain_id.
    Invalid default_project_id is still allowed for backward compatibility.
    
    Change-Id: I7dd33fdc299fa465333ca1d18819ef0537752f16
    Closes-Bug: 1582376


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1582376

Title:
  setting user's default_project_id to a domain ID yield HTTP 400
  instead of unscoped token

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Per spec, if user's default_project_id is invalid (i.e. either it is
  bogus, disabled, or user have no roles assigned on it), it should be
  ignored at token request. In otherwise, it should result in an
  unscoped token.

  With the domain-is-project changes recently, if you accidentally set
  the user's default_project_id to a domain_id, you will get an HTTP 400
  on token request.

  Steps to reproduce:

  1. set the user default_project_id to an existing domain_id
  2. on token request, HTTP 400 is returned

  $ curl -k -d '{"auth":{"identity": {"methods":["password"],"password":{"user": {"name": "foo","password": "bar","domain":{"id":"default"}}}}}}' -H "Content-type: application/json" http://10.0.2.15:5000/v3/auth/tokens |python -mjson.tool
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   258  100   101  100   157    229    357 --:--:-- --:--:-- --:--:--   357
  {
      "error": {
          "code": 400,
          "message": "obj
  ect of type 'NoneType' has no len()",
          "title": "Bad Request"
      }
  }

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1582376/+subscriptions

References

[Bug 1582376] [NEW] setting user's default_project_id to a domain ID yield HTTP 400 instead of unscoped token
From: Guang Yee, 2016-05-16