yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1596869] Re: APIv3 compatibility broken in Mitaka and Liberty

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: "A.Ojea" <itsuugo@xxxxxxxxx>
Date: Wed, 29 Jun 2016 06:14:55 -0000
Reply-to: Bug 1596869 <1596869@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
I see my fault now, I was supposing that "default" in liberty was the
Name field  and it's the ID, and in Mitaka following the docs the
"default" domain is the name but the ID is an uuid randomly generated.

Apologize for any inconvenience and appreciate your help @stevemar and
@guang-yee.



** Changed in: keystone
       Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1596869

Title:
  APIv3 compatibility broken in Mitaka and Liberty

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  Current API documentation [1] uses the fields   "domain": { "id":
  "default" }, to select a domain.

  This call works in Liberty as you can see in the following snippet:

  curl -i   -H "Content-Type: application/json"   -d '
  { "auth": {
      "identity": {
        "methods": ["password"],
        "password": {
          "user": {
            "name": "admin",
            "domain": { "id": "default" },
            "password": "admin"
          }
        }
      },
      "scope": {
        "project": {
          "name": "admin",
          "domain": { "id": "default" }
        }
      }
    }
  }'   http://172.17.0.3:5000/v3/auth/tokens ; echo
  HTTP/1.1 201 Created
  X-Subject-Token: 8e861d59fb1847a388b27ab7150f2d15
  Vary: X-Auth-Token
  X-Distribution: Ubuntu
  Content-Type: application/json
  Content-Length: 2794
  X-Openstack-Request-Id: req-2fcb81ac-4adf-4d0d-85f9-41d355c0606d
  Date: Tue, 28 Jun 2016 08:59:42 GMT

  {"token": {"methods": ["password"], "roles": [{"id":
  "b1abb292e4af4ead9a1b62b4a6e39ba4", "name": "__member__"}, {"id":
  "f071d23c5131434e8823101f3b8e33db", "name": "admin"}], "expires_at":
  "2016-06-28T09:59:42.646127Z", "project": {"domain": {"id": "default",
  "name": "Default"}, "id": "890fc0394fe34024b62aab12fb335960", "name":
  "admin"}, "catalog": [{"..."}], "extras": {}, "user": {"domain":
  {"id": "default", "name": "Default"}, "id":
  "d1b7876ff28e4db29296797296daecfe", "name": "admin"}, "audit_ids":
  ["7p_bhw8tTvqAOjKRpkHE2Q"], "issued_at":
  "2016-06-28T08:59:42.646167Z"}}

  but it's turned out that in mitaka it fails if you use the id field
  with the name of the domain:

  curl -i   -H "Content-Type: application/json"   -d '
  { "auth": {
      "identity": {
        "methods": ["password"],
        "password": {
          "user": {
            "name": "admin",
            "domain": { "id": "default" },
            "password": "openstack"
          }
        }
      },
      "scope": {
        "project": {
          "name": "admin",
          "domain": { "id": "default" }
        }
      }
    }
  }'   http://localhost:5000/v3/auth/tokens ; echo
  HTTP/1.1 401 Unauthorized
  Date: Tue, 28 Jun 2016 09:01:04 GMT
  Server: Apache/2.4.7 (Ubuntu)
  Vary: X-Auth-Token
  X-Distribution: Ubuntu
  x-openstack-request-id: req-4898044b-25d4-4b9d-96c4-d823c0107cb0
  WWW-Authenticate: Keystone uri="http://localhost:5000";
  Content-Length: 114
  Content-Type: application/json

  {"error": {"message": "The request you have made requires
  authentication.", "code": 401, "title": "Unauthorized"}}

  in order to work you need to use name instead id:

  curl -i   -H "Content-Type: application/json"   -d '
  { "auth": {
      "identity": {
        "methods": ["password"],
        "password": {
          "user": {
            "name": "admin",
            "domain": { "name": "default" },
            "password": "openstack"
          }
        }
      },
      "scope": {
        "project": {
          "name": "admin",
          "domain": { "name": "default" }
        }
      }
    }
  }'   http://localhost:5000/v3/auth/tokens ; echo
  TTP/1.1 201 Created
  Date: Tue, 28 Jun 2016 09:01:53 GMT
  Server: Apache/2.4.7 (Ubuntu)
  X-Subject-Token: 0c293d9ceeba4a9f8c1a9edba99a1b11
  Vary: X-Auth-Token
  X-Distribution: Ubuntu
  x-openstack-request-id: req-1a414584-472f-4b87-9981-a838e3df6f4a
  Content-Length: 4155
  Content-Type: application/json

  {"token": {"methods": ["password"], "roles": [{"id":
  "444fc66b35834eafb3936dca445b56de", "name": "admin"}], "expires_at":
  "2016-06-28T10:01:53.680623Z", "project": {"domain": {"id":
  "0a686f9a064c46eda176a8670d2af12e", "name": "default"}, "id":
  "7c34e27bfb53415daef0b1696886fec5", "name": "admin"}, "catalog":
  [{"...}], "user": {"domain": {"id":
  "0a686f9a064c46eda176a8670d2af12e", "name": "default"}, "id":
  "bcc79501b12948d1b48540bea231b89c", "name": "admin"}, "audit_ids":
  ["U-uBxUKqStWW557xSCmgKA"], "issued_at":
  "2016-06-28T09:01:53.680711Z"}}

  breaking all the compatibility

  [1]
  http://docs.openstack.org/developer/keystone/api_curl_examples.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1596869/+subscriptions
References

[Bug 1596869] [NEW] APIv3 compatibility broken in Mitaka and Liberty
From: A.Ojea, 2016-06-28