yahoo-eng-team team mailing list archive

[Lance Bragstad <lbragstad@xxxxxxxxx>]

This isn't an issue anymore since we overhauled the token model during
Rocky and simplified the entire token provider API. The new token model
[0] doesn't have a property for is_admin_project, so it can't default to
True or False. The code to translate an instance of a token model to a
v3 API response has logic to derive is_admin_project, but it's
configuration driven [1].

I think it's safe to close this.

[0] https://git.openstack.org/cgit/openstack/keystone/tree/keystone/models/token_model.py#n33
[1] https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/render_token.py#n94

** Changed in: keystone
       Status: Triaged => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1652012

Title:
  token model assumes a token is is_admin_project

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  Our token model code will return a default of True for
  is_admin_project if that attribute is not defined [0]. The comment
  next to this says this is for backward compatibility - but this seems
  inherently dangerous. We should investigate what changes are needed
  (if any) to make the default False.

  UPDATE: We need this to default to True for the time being while we deal
  with #968696. Do not change this to False at this time.

  [0]
  https://github.com/openstack/keystone/blob/686f9d583eaa5f015d6b8b995c2f4243392ffbce/keystone/models/token_model.py#L195-L198

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1652012/+subscriptions