yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1797939] [NEW] Example in section "Create system-scoped token" is wrong

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Magnus Lööf <magnus.loof@xxxxxxxxx>
Date: Mon, 15 Oct 2018 17:22:44 -0000
Reply-to: Bug 1797939 <1797939@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Public bug reported:


This bug tracker is for errors with the documentation, use the following
as a template and remove or add fields as you see fit. Convert [ ] into
[x] to check boxes:

- [x] This doc is inaccurate in this way: The example for Create system-
scoped token says to use `--os-system` argument to the `openstack` cli
tool. This does not work in:

```
$ openstack --version
openstack 3.16.1
```

```
$ openstack --help | grep system
                 [--os-system-scope <auth-system-scope>]
  --os-system-scope <auth-system-scope>
                        With password: Scope for system operations With
                        v3oidcauthcode: Scope for system operations With
                        v3oidcpassword: Scope for system operations With
                        v3password: Scope for system operations With
                        v3oidcaccesstoken: Scope for system operations With
                        token: Scope for system operations With
                        v3oidcclientcredentials: Scope for system operations
                        With v3token: Scope for system operations With v3totp:
                        Scope for system operations With
                        v3applicationcredential: Scope for system operations
...
```

Also, I cannot figure out how to actually do what the example suggest:
issue a token scoped to the system, which is what I want to remove this
deprecation warning in the logs:

```
/usr/lib/python2.7/site-packages/oslo_policy/policy.py:896: UserWarning: Policy identity:list_domains failed scope check. The token used to make the request was project scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intended scope is required
  warnings.warn(msg)
```

- [ ] This is a doc addition request.
- [ ] I have a fix to the document that I can paste below including example: input and output. 

If you have a troubleshooting or support issue, use the following
resources:

 - Ask OpenStack: http://ask.openstack.org
 - The mailing list: http://lists.openstack.org
 - IRC: 'openstack' channel on Freenode

-----------------------------------
Release:  on 2018-10-09 13:15
SHA: 86cc778774bc6a561911be05075b4e3cdf6ef2b0
Source: https://git.openstack.org/cgit/openstack/keystone/tree/doc/source/admin/identity-tokens.rst
URL: https://docs.openstack.org/keystone/rocky/admin/identity-tokens.html

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: doc

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1797939

Title:
  Example in section "Create system-scoped token" is wrong

Status in OpenStack Identity (keystone):
  New

Bug description:

  This bug tracker is for errors with the documentation, use the
  following as a template and remove or add fields as you see fit.
  Convert [ ] into [x] to check boxes:

  - [x] This doc is inaccurate in this way: The example for Create
  system-scoped token says to use `--os-system` argument to the
  `openstack` cli tool. This does not work in:

  ```
  $ openstack --version
  openstack 3.16.1
  ```

  ```
  $ openstack --help | grep system
                   [--os-system-scope <auth-system-scope>]
    --os-system-scope <auth-system-scope>
                          With password: Scope for system operations With
                          v3oidcauthcode: Scope for system operations With
                          v3oidcpassword: Scope for system operations With
                          v3password: Scope for system operations With
                          v3oidcaccesstoken: Scope for system operations With
                          token: Scope for system operations With
                          v3oidcclientcredentials: Scope for system operations
                          With v3token: Scope for system operations With v3totp:
                          Scope for system operations With
                          v3applicationcredential: Scope for system operations
  ...
  ```

  Also, I cannot figure out how to actually do what the example suggest:
  issue a token scoped to the system, which is what I want to remove
  this deprecation warning in the logs:

  ```
  /usr/lib/python2.7/site-packages/oslo_policy/policy.py:896: UserWarning: Policy identity:list_domains failed scope check. The token used to make the request was project scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intended scope is required
    warnings.warn(msg)
  ```

  - [ ] This is a doc addition request.
  - [ ] I have a fix to the document that I can paste below including example: input and output. 

  If you have a troubleshooting or support issue, use the following
  resources:

   - Ask OpenStack: http://ask.openstack.org
   - The mailing list: http://lists.openstack.org
   - IRC: 'openstack' channel on Freenode

  -----------------------------------
  Release:  on 2018-10-09 13:15
  SHA: 86cc778774bc6a561911be05075b4e3cdf6ef2b0
  Source: https://git.openstack.org/cgit/openstack/keystone/tree/doc/source/admin/identity-tokens.rst
  URL: https://docs.openstack.org/keystone/rocky/admin/identity-tokens.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1797939/+subscriptions
Follow ups

[Bug 1797939] Re: Example in section "Create system-scoped token" is wrong
From: OpenStack Infra, 2018-10-19