yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1793027] [NEW] Flask doesn't normalize domains sanely in some cases

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Morgan Fainberg <morgan.fainberg@xxxxxxxxx>
Date: Mon, 17 Sep 2018 22:06:46 -0000
Reply-to: Bug 1793027 <1793027@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

Under webob, domain normalization (for creation of some resources)
resulted in a few possible options:

  * Domain ID present in ref -> no change to ref
  
  * Domain ID not present, domain scoped token ->
    ref['domain_id'] = scope domain id

  * Domain ID not present, "admin" token -> raise ValidationError

  * Domain ID not present, project scoped token -> default domain
    [Deprecated functionality]

Under flask, only the first scenario worked. Keystone, Tempest, and Heat
all only test for actual explicit domain id specified on creation
(groups notably). Shade/SDK tests a broader form and caught this
error[0][1] (reported by Monty Taylor)

[0] http://logs.openstack.org/33/599533/1/gate/shade-functional-devstack-tips/0a92f9f/testr_results.html.gz
[1] http://logs.openstack.org/33/599533/1/gate/shade-functional-devstack-tips/0a92f9f/controller/logs/screen-keystone.txt.gz?level=ERROR

** Affects: keystone
     Importance: Critical
     Assignee: Morgan Fainberg (mdrnstm)
         Status: In Progress

** Changed in: keystone
       Status: New => Triaged

** Changed in: keystone
   Importance: Undecided => Critical

** Changed in: keystone
     Assignee: (unassigned) => Morgan Fainberg (mdrnstm)

** Changed in: keystone
    Milestone: None => stein-1

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1793027

Title:
  Flask doesn't normalize domains sanely in some cases

Status in OpenStack Identity (keystone):
  In Progress

Bug description:
  Under webob, domain normalization (for creation of some resources)
  resulted in a few possible options:

    * Domain ID present in ref -> no change to ref
    
    * Domain ID not present, domain scoped token ->
      ref['domain_id'] = scope domain id

    * Domain ID not present, "admin" token -> raise ValidationError

    * Domain ID not present, project scoped token -> default domain
      [Deprecated functionality]

  Under flask, only the first scenario worked. Keystone, Tempest, and
  Heat all only test for actual explicit domain id specified on creation
  (groups notably). Shade/SDK tests a broader form and caught this
  error[0][1] (reported by Monty Taylor)

  [0] http://logs.openstack.org/33/599533/1/gate/shade-functional-devstack-tips/0a92f9f/testr_results.html.gz
  [1] http://logs.openstack.org/33/599533/1/gate/shade-functional-devstack-tips/0a92f9f/controller/logs/screen-keystone.txt.gz?level=ERROR

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1793027/+subscriptions

Follow ups

[Bug 1793027] Re: Flask doesn't normalize domains sanely in some cases
From: OpenStack Infra, 2018-09-18