yahoo-eng-team team mailing list archive
Message #59852
[Bug 1547684] Re: Attribute error on Token object when using domain scoped token
This is an improperly written keystone rule. Marking oslo.policy as
Invalid.
The fix is to change:
token.is_admin_project:True
to:
is_admin_project:True
Note to affected users, we typically do not backport changes to config
files, so please update the policy files accordingly.
** Also affects: keystone
Importance: Undecided
Status: New
** Changed in: oslo.policy
Status: New => Invalid
** Changed in: keystone
Status: New => Triaged
** Changed in: keystone
Importance: Undecided => Medium
** Changed in: keystone
Milestone: None => ocata-3
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1547684
Title:
Attribute error on Token object when using domain scoped token
Status in django-openstack-auth:
Invalid
Status in OpenStack Identity (keystone):
Triaged
Status in oslo.policy:
Invalid
Bug description:
When making a policy check from Django OpenStack Auth with a domain
scoped token, I'm seeing this error:
2016-02-19 19:54:20.935905 TypeError: 'Token' object has no attribute '__getitem__'
This only occurs when using the latest v3 policy file from Keystone [1], which currently contains this line:
"cloud_admin": "role:admin and (token.is_admin_project:True or domain_id:admin_domain_id)",
When I revert that line back to what it is for stable/liberty, the
issue goes away:
"cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
So there may be a case that's currently not handled when using the "token" string in policy files.
Info on variables that are set when calling the enforce method of oslo.policy [2]:
"if not enforcer_scope.enforce(action, target, credentials):"
(Pdb) action
'identity:list_projects'
(Pdb) target
{'user_id': u'b2db130f48ac49c28d055ad65248f07e', 'user.domain_id': u'aca9b87dde25410da94726bb0c6a728d', 'group.domain_id': u'aca9b87dde25410da94726bb0c6a728d', 'project.domain_id': u'aca9b87dde25410da94726bb0c6a728d', 'project_id': u'e8758f97a4ca4ec585e8d940c1acc125', 'domain_id': u'aca9b87dde25410da94726bb0c6a728d'}
(Pdb) credentials
{'username': u'domain_admin', 'token': <openstack_auth.user.Token object at 0xb382a78c>, 'project_name': None, 'user_id': u'b2db130f48ac49c28d055ad65248f07e', 'roles': [u'admin'], 'is_admin': True, 'project_id': None, 'domain_id': u'aca9b87dde25410da94726bb0c6a728d'}
Version of oslo.policy:
$ pip show oslo.policy
---
Metadata-Version: 2.0
Name: oslo.policy
Version: 1.4.0
Summary: Oslo Policy library
Version of DOA:
$ pip show django-openstack-auth
---
Metadata-Version: 2.0
Name: django-openstack-auth
Version: 2.1.1
Summary: Django authentication backend for use with OpenStack Identity
[1] https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json
[2] https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L515
Full stack trace from Horizon when using the domain scoped token and logging in as a domain admin of a domain other than the default domain (requires this patch to reproduce from Horizon: https://review.openstack.org/#/c/148082/):
2016-02-19 19:54:20.935395 File "/opt/stack/horizon/openstack_dashboard/wsgi/../../openstack_dashboard/dashboards/identity/projects/views.py", line 84, in get_data
2016-02-19 19:54:20.935428 self.request):
2016-02-19 19:54:20.935449 File "/opt/stack/horizon/openstack_dashboard/wsgi/../../openstack_dashboard/policy.py", line 24, in check
2016-02-19 19:54:20.935470 return policy_check(actions, request, target)
2016-02-19 19:54:20.935489 File "/usr/local/lib/python2.7/dist-packages/openstack_auth/policy.py", line 155, in check
2016-02-19 19:54:20.935510 enforcer[scope], action, target, domain_credentials)
2016-02-19 19:54:20.935530 File "/usr/local/lib/python2.7/dist-packages/openstack_auth/policy.py", line 169, in _check_credentials
2016-02-19 19:54:20.935559 if not enforcer_scope.enforce(action, target, credentials):
2016-02-19 19:54:20.935579 File "/usr/local/lib/python2.7/dist-packages/oslo_policy/policy.py", line 551, in enforce
2016-02-19 19:54:20.935599 result = self.rules[rule](target, creds, self)
2016-02-19 19:54:20.935619 File "/usr/local/lib/python2.7/dist-packages/oslo_policy/_checks.py", line 160, in __call__
2016-02-19 19:54:20.935639 if rule(target, cred, enforcer):
2016-02-19 19:54:20.935658 File "/usr/local/lib/python2.7/dist-packages/oslo_policy/_checks.py", line 204, in __call__
2016-02-19 19:54:20.935679 return enforcer.rules[self.match](target, creds, enforcer)
2016-02-19 19:54:20.935698 File "/usr/local/lib/python2.7/dist-packages/oslo_policy/_checks.py", line 125, in __call__
2016-02-19 19:54:20.935727 if not rule(target, cred, enforcer):
2016-02-19 19:54:20.935747 File "/usr/local/lib/python2.7/dist-packages/oslo_policy/_checks.py", line 160, in __call__
2016-02-19 19:54:20.935767 if rule(target, cred, enforcer):
2016-02-19 19:54:20.935786 File "/usr/local/lib/python2.7/dist-packages/oslo_policy/_checks.py", line 311, in __call__
2016-02-19 19:54:20.935806 return self._find_in_dict(creds, path_segments, match)
2016-02-19 19:54:20.935826 File "/usr/local/lib/python2.7/dist-packages/oslo_policy/_checks.py", line 292, in _find_in_dict
2016-02-19 19:54:20.935846 return self._find_in_dict(test_value, path_segments, match)
2016-02-19 19:54:20.935866 File "/usr/local/lib/python2.7/dist-packages/oslo_policy/_checks.py", line 283, in _find_in_dict
2016-02-19 19:54:20.935886 test_value = test_value[key]
2016-02-19 19:54:20.935905 TypeError: 'Token' object has no attribute '__getitem__'
To manage notifications about this bug go to:
https://bugs.launchpad.net/django-openstack-auth/+bug/1547684/+subscriptions
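As an added example (not code from oslo.policy, keystone or django-openstack-auth), the following minimal Python reimplementation mirrors the dotted-path walk the traceback shows and contrasts the rule that crashes, the corrected top-level rule from the comment, and a fail-closed variant that denies instead of raising. The Token class, the is_admin_project credential key and the target values are constructed to resemble the (Pdb) output above.

```python
# Added example, not oslo.policy's own code: how "kind:match" generic
# checks resolve "kind" against the credentials dict, and why a Token
# object in creds['token'] turns "token.is_admin_project:True" into a crash.

class Token(object):
    """Constructed stand-in for openstack_auth.user.Token: an object, not a dict."""
    def __init__(self, is_admin_project):
        self.is_admin_project = is_admin_project


def generic_check(rule, target, creds):
    """Resolve the rule the way the traceback shows: index creds segment
    by segment, handling only KeyError. A non-dict node raises TypeError."""
    kind, match = rule.split(':', 1)
    match = match % target            # '%(domain_id)s' style substitution
    value = creds
    try:
        for segment in kind.split('.'):
            value = value[segment]
    except KeyError:
        return False
    return match == str(value)


def generic_check_fail_closed(rule, target, creds):
    """Hardened variant: any segment that is not a dict key denies."""
    kind, match = rule.split(':', 1)
    match = match % target
    value = creds
    for segment in kind.split('.'):
        if not isinstance(value, dict) or segment not in value:
            return False
        value = value[segment]
    return match == str(value)


# Constructed credentials shaped like the bug's (Pdb) credentials, plus a
# top-level is_admin_project key that the corrected rule reads.
CREDS = {'username': 'domain_admin', 'token': Token(True),
         'roles': ['admin'], 'is_admin': True, 'project_id': None,
         'domain_id': 'aca9b87dde25410da94726bb0c6a728d',
         'is_admin_project': True}
TARGET = {'domain_id': 'aca9b87dde25410da94726bb0c6a728d'}


def broken_rule_raises():
    """True when the original rule crashes instead of returning a verdict."""
    try:
        generic_check('token.is_admin_project:True', TARGET, CREDS)
    except TypeError:
        return True
    return False
```

Without the top-level is_admin_project key the corrected rule simply evaluates to False, which is still a deny rather than an unhandled exception.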