
yahoo-eng-team team mailing list archive

[Bug 1810983] [NEW] domain admin unable to fetch domain

 

Public bug reported:

NOTE: This bug impacts the stable/rocky and possibly stable/queens releases.
Master branch is not impacted.

The "RULE_ADMIN_OR_TARGET_DOMAIN" which protects the "get_domain" API
no longer works in stable/rocky.

https://github.com/openstack/keystone/blob/stable/rocky/keystone/common/policies/base.py#L21
https://github.com/openstack/keystone/blob/stable/rocky/keystone/common/policies/domain.py#L18

This resulted in the domain admin being unable to fetch his own domain. Looks
like we switched over to oslo_context around the stable/queens timeframe. And
the token (TokenModel) is no longer in the auth_context, which caused this
rule to fail.

'token.project.domain.id:%(target.domain.id)s'

The problem was corrected recently in the master branch by this patch

https://review.openstack.org/#/c/605539/

where the token is added back to the auth_context.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1810983

Title:
  domain admin unable to fetch domain

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1810983/+subscriptions
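
The failure mode the report describes, as an added example (not keystone or oslo.policy code, and not part of the original message): a simplified model of a 'kind:match' policy check, where the left side is resolved in the credentials dict and the right side is filled in from the target. The two auth contexts and the flat target dict are constructed sample data, and resolve/generic_check are hypothetical helper names.

```python
# Simplified model of a "kind:match" policy check (assumption: not the
# oslo.policy implementation). The rule string is the one quoted in the report.
RULE = "token.project.domain.id:%(target.domain.id)s"


def resolve(creds, dotted):
    """Walk a dotted path through nested dicts.

    Returns (value, None) on success or (None, first_missing_path) on failure.
    """
    value, walked = creds, []
    for segment in dotted.split("."):
        walked.append(segment)
        if not isinstance(value, dict) or segment not in value:
            return None, ".".join(walked)
        value = value[segment]
    return value, None


def generic_check(rule, target, creds):
    """Evaluate the check and fail closed when either side cannot be resolved."""
    kind, match = rule.split(":", 1)
    try:
        expected = match % target      # right side comes from the target
    except KeyError:
        return False                   # target attribute missing: deny
    value, missing = resolve(creds, kind)  # left side comes from the credentials
    if missing is not None:
        return False                   # credential path missing: deny
    return str(value) == expected


# Constructed sample data (not taken from a real deployment).
TARGET = {"target.domain.id": "domain-a"}
CTX_WITH_TOKEN = {
    "user_id": "u1",
    "token": {"project": {"domain": {"id": "domain-a"}}},
}
# Same caller, but the context carries no "token" key, so the rule can never match.
CTX_WITHOUT_TOKEN = {"user_id": "u1", "project_domain_id": "domain-a"}

if __name__ == "__main__":
    for name, ctx in (("with token", CTX_WITH_TOKEN), ("without token", CTX_WITHOUT_TOKEN)):
        allowed = generic_check(RULE, TARGET, ctx)
        _, missing = resolve(ctx, RULE.split(":", 1)[0])
        print(f"{name}: allowed={allowed} missing_credential_path={missing}")
```

Running resolve over every credential path a policy file references, against a representative auth context, is a quick way to spot rules that deny every caller after a context refactor.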

