yahoo-eng-team team mailing list archive
Message #60158
[Bug 1547684] Re: Attribute error on Token object when using domain scoped token
Reviewed: https://review.openstack.org/411563
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ef48072d94f780ebaacee8c3ddf02a68193fa74d
Submitter: Jenkins
Branch: master
commit ef48072d94f780ebaacee8c3ddf02a68193fa74d
Author: Steve Martinelli <s.martinelli@xxxxxxxxx>
Date: Thu Dec 15 17:48:16 2016 -0800
Fix cloud_admin rule and ensure only project tokens can be cloud admin
The current rule fails to load with oslo.policy, the correct
value used to determine the admin project for the cloud_admin should
simply be: `is_admin_project:True`, since that is what is stored
in oslo.context.
This problem was masking a more serious issue that domain admin tokens
could be misinterpreted as cloud admin tokens.
Change-Id: I3ea562c01e06e6c519fdaec3ab6e1dac204ced71
Closes-Bug: 1547684
Closes-Bug: 1651989
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1547684
Title:
Attribute error on Token object when using domain scoped token
Status in django-openstack-auth:
Invalid
Status in OpenStack Identity (keystone):
Fix Released
Status in oslo.policy:
Invalid
Bug description:
When making a policy check from Django OpenStack Auth with a domain
scoped token, I'm seeing this error:
2016-02-19 19:54:20.935905 TypeError: 'Token' object has no attribute '__getitem__'
This only occurs when using the latest v3 policy file from Keystone [1], which currently contains this line:
"cloud_admin": "role:admin and (token.is_admin_project:True or domain_id:admin_domain_id)",
When I revert that line back to what it is for stable/liberty, the
issue goes away:
"cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
So there may be a case that's currently not handled when using the "token" string in policy files.
Info on variables that are set when calling the enforce method of oslo.policy [2]:
"if not enforcer_scope.enforce(action, target, credentials):"
(Pdb) action
'identity:list_projects'
(Pdb) target
{'user_id': u'b2db130f48ac49c28d055ad65248f07e', 'user.domain_id': u'aca9b87dde25410da94726bb0c6a728d', 'group.domain_id': u'aca9b87dde25410da94726bb0c6a728d', 'project.domain_id': u'aca9b87dde25410da94726bb0c6a728d', 'project_id': u'e8758f97a4ca4ec585e8d940c1acc125', 'domain_id': u'aca9b87dde25410da94726bb0c6a728d'}
(Pdb) credentials
{'username': u'domain_admin', 'token': <openstack_auth.user.Token object at 0xb382a78c>, 'project_name': None, 'user_id': u'b2db130f48ac49c28d055ad65248f07e', 'roles': [u'admin'], 'is_admin': True, 'project_id': None, 'domain_id': u'aca9b87dde25410da94726bb0c6a728d'}
Version of oslo.policy:
$ pip show oslo.policy
---
Metadata-Version: 2.0
Name: oslo.policy
Version: 1.4.0
Summary: Oslo Policy library
Version of DOA:
$ pip show django-openstack-auth
---
Metadata-Version: 2.0
Name: django-openstack-auth
Version: 2.1.1
Summary: Django authentication backend for use with OpenStack Identity
[1] https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json
[2] https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L515
Full stack trace from Horizon when using the domain scoped token and logging in as a domain admin of a domain other than the default domain (requires this patch to reproduce from Horizon: https://review.openstack.org/#/c/148082/):
2016-02-19 19:54:20.935395 File "/opt/stack/horizon/openstack_dashboard/wsgi/../../openstack_dashboard/dashboards/identity/projects/views.py", line 84, in get_data
2016-02-19 19:54:20.935428 self.request):
2016-02-19 19:54:20.935449 File "/opt/stack/horizon/openstack_dashboard/wsgi/../../openstack_dashboard/policy.py", line 24, in check
2016-02-19 19:54:20.935470 return policy_check(actions, request, target)
2016-02-19 19:54:20.935489 File "/usr/local/lib/python2.7/dist-packages/openstack_auth/policy.py", line 155, in check
2016-02-19 19:54:20.935510 enforcer[scope], action, target, domain_credentials)
2016-02-19 19:54:20.935530 File "/usr/local/lib/python2.7/dist-packages/openstack_auth/policy.py", line 169, in _check_credentials
2016-02-19 19:54:20.935559 if not enforcer_scope.enforce(action, target, credentials):
2016-02-19 19:54:20.935579 File "/usr/local/lib/python2.7/dist-packages/oslo_policy/policy.py", line 551, in enforce
2016-02-19 19:54:20.935599 result = self.rules[rule](target, creds, self)
2016-02-19 19:54:20.935619 File "/usr/local/lib/python2.7/dist-packages/oslo_policy/_checks.py", line 160, in __call__
2016-02-19 19:54:20.935639 if rule(target, cred, enforcer):
2016-02-19 19:54:20.935658 File "/usr/local/lib/python2.7/dist-packages/oslo_policy/_checks.py", line 204, in __call__
2016-02-19 19:54:20.935679 return enforcer.rules[self.match](target, creds, enforcer)
2016-02-19 19:54:20.935698 File "/usr/local/lib/python2.7/dist-packages/oslo_policy/_checks.py", line 125, in __call__
2016-02-19 19:54:20.935727 if not rule(target, cred, enforcer):
2016-02-19 19:54:20.935747 File "/usr/local/lib/python2.7/dist-packages/oslo_policy/_checks.py", line 160, in __call__
2016-02-19 19:54:20.935767 if rule(target, cred, enforcer):
2016-02-19 19:54:20.935786 File "/usr/local/lib/python2.7/dist-packages/oslo_policy/_checks.py", line 311, in __call__
2016-02-19 19:54:20.935806 return self._find_in_dict(creds, path_segments, match)
2016-02-19 19:54:20.935826 File "/usr/local/lib/python2.7/dist-packages/oslo_policy/_checks.py", line 292, in _find_in_dict
2016-02-19 19:54:20.935846 return self._find_in_dict(test_value, path_segments, match)
2016-02-19 19:54:20.935866 File "/usr/local/lib/python2.7/dist-packages/oslo_policy/_checks.py", line 283, in _find_in_dict
2016-02-19 19:54:20.935886 test_value = test_value[key]
2016-02-19 19:54:20.935905 TypeError: 'Token' object has no attribute '__getitem__'
To manage notifications about this bug go to:
https://bugs.launchpad.net/django-openstack-auth/+bug/1547684/+subscriptions
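The rule evaluation behind the traceback above and the two-part fix in the commit message, as an added example in Python that is not code from keystone, oslo.policy or django-openstack-auth. It re-implements the subset of the oslo.policy rule language that cloud_admin uses (and/or, parentheses, `role:` and the generic `key:value` check with dotted paths) with the same lookup semantics: the old rule walks `token.is_admin_project` with `[]` into a token object that has no `__getitem__` and raises the TypeError shown in the trace, while a flat `is_admin_project:True` is read straight from the credentials dict. Assumptions, all labelled in the code: `types.SimpleNamespace` stands in for DOA's Token object; `NEW_CLOUD_ADMIN` assumes the fix only replaced `token.is_admin_project:True` with `is_admin_project:True` and kept the rest of the rule; and `credentials(token, fixed=...)` models the "only project tokens can be cloud admin" half of the commit by honouring the flag only for project-scoped tokens. The real keystone change may differ in detail.

```python
"""Model of the oslo.policy checks behind bug 1547684 / 1651989 (added example;
not code from keystone, oslo.policy or django-openstack-auth)."""
import ast
import re
from types import SimpleNamespace

# Rule text from the bug report.  NEW_CLOUD_ADMIN assumes the fix only swapped
# the token.is_admin_project test for is_admin_project, as the commit says.
OLD_CLOUD_ADMIN = ("role:admin and "
                   "(token.is_admin_project:True or domain_id:admin_domain_id)")
NEW_CLOUD_ADMIN = ("role:admin and "
                   "(is_admin_project:True or domain_id:admin_domain_id)")


class _Parser:
    """Recursive descent: or-expr := and-expr ('or' and-expr)*,
    and-expr := atom ('and' atom)*, atom := '(' or-expr ')' | kind:match."""

    def __init__(self, text):
        self.toks = re.findall(r"\(|\)|[^\s()]+", text)

    def parse(self):
        node = self._and()
        while self.toks[:1] == ["or"]:
            self.toks.pop(0)
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._atom()
        while self.toks[:1] == ["and"]:
            self.toks.pop(0)
            node = ("and", node, self._atom())
        return node

    def _atom(self):
        tok = self.toks.pop(0)
        if tok == "(":
            node = self.parse()
            self.toks.pop(0)  # the closing ')'
            return node
        kind, _, match = tok.partition(":")
        return ("check", kind, match)


def _generic_check(kind, match, creds):
    """Like oslo.policy's GenericCheck: a literal on the left compares directly;
    otherwise the dotted path is walked with [] through creds, so a value without
    __getitem__ (DOA's Token object) raises TypeError, exactly as in the trace."""
    try:
        return match == str(ast.literal_eval(kind))
    except (ValueError, SyntaxError):
        pass
    value = creds
    for key in kind.split("."):
        try:
            value = value[key]
        except KeyError:
            return False  # unknown key fails closed, as in oslo.policy
    return match == str(value)


def _evaluate(node, creds):
    if node[0] == "or":
        return _evaluate(node[1], creds) or _evaluate(node[2], creds)
    if node[0] == "and":
        return _evaluate(node[1], creds) and _evaluate(node[2], creds)
    _, kind, match = node
    if kind == "role":  # RoleCheck: case-insensitive membership in creds['roles']
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    return _generic_check(kind, match, creds)


def check(rule_text, creds):
    """Enforce one rule string against a credentials dict; may raise TypeError."""
    return _evaluate(_Parser(rule_text).parse(), creds)


def credentials(token, fixed):
    """Credentials shaped like the bug report's.  Pre-fix (modelled) the flag is
    copied whatever the scope; post-fix only a project-scoped token carries it."""
    flag = token.is_admin_project and (bool(token.project_id) or not fixed)
    return {"roles": token.roles, "domain_id": token.domain_id,
            "project_id": token.project_id, "token": token,
            "is_admin_project": flag}


def verdict(rule_text, creds):
    """Rule result, or the exception class name when evaluation blows up."""
    try:
        return check(rule_text, creds)
    except TypeError as exc:
        return type(exc).__name__


# Constructed tokens standing in for DOA's Token (attributes, no __getitem__);
# the ids are the ones printed in the bug report.
DOMAIN_ADMIN = SimpleNamespace(roles=["admin"], project_id=None, is_admin_project=True,
                               domain_id="aca9b87dde25410da94726bb0c6a728d")
PROJECT_ADMIN = SimpleNamespace(roles=["admin"], domain_id=None, is_admin_project=True,
                                project_id="e8758f97a4ca4ec585e8d940c1acc125")

if __name__ == "__main__":
    for rule, fixed in ((OLD_CLOUD_ADMIN, False), (NEW_CLOUD_ADMIN, False),
                        (NEW_CLOUD_ADMIN, True)):
        print("fixed=%s -> %s" % (fixed, verdict(rule, credentials(DOMAIN_ADMIN, fixed))))
```

Run directly, the three lines show the sequence the commit message describes: with pre-fix credentials the old rule raises TypeError on the domain-scoped admin, the new rule text alone returns True for that same token (the misinterpretation the crash was masking), and only with the post-fix credentials does it return False, while a project-scoped token in the admin project still passes. Two details worth noticing for anyone writing policy rules: a missing key in the generic check fails closed (KeyError becomes False), so an explicitly set flat flag such as `is_admin_project` is a safer shape than a nested lookup into a `token` value whose type differs between keystone (a dict) and Horizon's DOA (an object); and the `domain_id:admin_domain_id` branch compares against the literal string `admin_domain_id`, which is why the sample policy expects that placeholder to be replaced with the real admin domain id.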