yahoo-eng-team team mailing list archive
Message #76558
[Bug 1810983] Re: domain admin unable to fetch domain
On master, this is a duplicate bug [0], which has already been fixed
[1].
Keeping this as a separate bug for now since the fix to the stable
branches is going to be different. We can't backport the fix to master
because it requires updated versions of oslo.policy.
[0] https://bugs.launchpad.net/keystone/+bug/1794864
[1] https://review.openstack.org/#/c/605539/
** Also affects: keystone/rocky
Importance: Undecided
Status: New
** Also affects: keystone/queens
Importance: Undecided
Status: New
** Changed in: keystone/queens
Status: New => Triaged
** Changed in: keystone/rocky
Status: New => Triaged
** Changed in: keystone/queens
Importance: Undecided => Medium
** Changed in: keystone/rocky
Importance: Undecided => Medium
** Changed in: keystone
Status: New => Fix Committed
** Changed in: keystone
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1810983
Title:
domain admin unable to fetch domain
Status in OpenStack Identity (keystone):
Fix Committed
Status in OpenStack Identity (keystone) queens series:
Triaged
Status in OpenStack Identity (keystone) rocky series:
Triaged
Bug description:
NOTE: This bug impacts the stable/rocky and possibly stable/queens
releases. Master branch is not impacted.
The "RULE_ADMIN_OR_TARGET_DOMAIN" which protects the "get_domain"
API no longer works in stable/rocky.
https://github.com/openstack/keystone/blob/stable/rocky/keystone/common/policies/base.py#L21
https://github.com/openstack/keystone/blob/stable/rocky/keystone/common/policies/domain.py#L18
This resulted in the domain admin being unable to fetch his own domain.
Looks like we switched over to oslo_context around the stable/queens
timeframe, and the token (TokenModel) is no longer in the auth_context,
which caused this rule to fail.
'token.project.domain.id:%(target.domain.id)s'
The problem was corrected recently in the master branch by this patch
https://review.openstack.org/#/c/605539/
where the token is added back to the auth_context.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1810983/+subscriptions
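
An added illustration, not part of the original bug report and not keystone or oslo.policy code: a simplified Python model of how a generic check of the form quoted in the description is evaluated, showing why the rule denies once `token` is absent from the credentials. The dict shapes, IDs and the helper `missing_cred_path` are constructed assumptions.

```python
# Simplified model of a "creds.path:%(target.key)s" generic policy check.
# Added illustration; not oslo.policy or keystone code.

RULE = "token.project.domain.id:%(target.domain.id)s"  # rule string from the bug report


def generic_check(rule, target, creds):
    """Return True only if the dotted path in creds equals the target value."""
    kind, match = rule.split(":", 1)
    try:
        expected = match % target        # interpolate from the flattened target
    except KeyError:
        return False                     # target attribute missing: deny
    value = creds
    try:
        for part in kind.split("."):     # walk creds["token"]["project"]...
            value = value[part]
    except (KeyError, TypeError):
        return False                     # path missing from creds: deny
    return expected == str(value)


def missing_cred_path(rule, creds):
    """Hypothetical triage helper: first dotted prefix of the rule's
    left-hand side that cannot be resolved in creds, or None."""
    kind = rule.split(":", 1)[0]
    value, seen = creds, []
    for part in kind.split("."):
        seen.append(part)
        if not isinstance(value, dict) or part not in value:
            return ".".join(seen)
        value = value[part]
    return None


# Constructed sample data (hypothetical IDs and context layout).
TARGET = {"target.domain.id": "d1"}
CTX_WITH_TOKEN = {"user_id": "u1", "token": {"project": {"domain": {"id": "d1"}}}}
CTX_WITHOUT_TOKEN = {"user_id": "u1", "domain_id": "d1"}  # token not carried over

if __name__ == "__main__":
    for name, ctx in (("with token", CTX_WITH_TOKEN),
                      ("without token", CTX_WITHOUT_TOKEN)):
        print(name, generic_check(RULE, TARGET, ctx), missing_cred_path(RULE, ctx))
```

The check fails closed: a missing credential path yields a denial, not an error, so a regression like this one shows up as a 403 for a legitimate domain admin and is easiest to catch with a policy unit test that asserts the expected allow case.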