
yahoo-eng-team team mailing list archive

[Bug 1693704] Re: Unable to list federated projects with domain-scoped token

 

Marking this as invalid based on the findings above, but we can keep
using the thread for discussion if you have more questions about how the
various OS-FEDERATION APIs work.

** Changed in: keystone
       Status: In Progress => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1693704

Title:
  Unable to list federated projects with domain-scoped token

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  When I got the federated user project list, the error is as below:

  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in __call__
  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi     result = method(req, **params)
  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/controller.py", line 164, in inner
  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi     return f(self, request, *args, **kwargs)
  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/federation/controllers.py", line 480, in list_projects_for_user
  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi     request.auth_context['group_ids'])
  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi KeyError: 'group_ids'
  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi 

  and I have got the token scoped in domain.

  My mapping rule is as below:

  [
  {
      "local": [
                  {
                     "user": {
                          "name": "{0}",
                          "domain": {
                              "name": "{1}"
                          },
                          "type": "local"
                      }
                  }
              ],
      "remote": [
          {
              "type": "openstack_user"
          },
          {
              "type": "openstack_user_domain"
          }
      ]
  }
  ]

  The error is that the token is scoped in domain and 'group_ids' is not in the auth_context. So we should verify whether
  it is in the context.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1693704/+subscriptions

