
yahoo-eng-team team mailing list archive

[Bug 1810983] Re: domain admin unable to fetch domain

 

On master, this is a duplicate bug [0], which has already been fixed
[1].

Keeping this as a separate bug for now since the fix to the stable
branches is going to be different. We can't backport the fix to master
because it requires updated versions of oslo.policy.

[0] https://bugs.launchpad.net/keystone/+bug/1794864
[1] https://review.openstack.org/#/c/605539/

** Also affects: keystone/rocky
   Importance: Undecided
       Status: New

** Also affects: keystone/queens
   Importance: Undecided
       Status: New

** Changed in: keystone/queens
       Status: New => Triaged

** Changed in: keystone/rocky
       Status: New => Triaged

** Changed in: keystone/queens
   Importance: Undecided => Medium

** Changed in: keystone/rocky
   Importance: Undecided => Medium

** Changed in: keystone
       Status: New => Fix Committed

** Changed in: keystone
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1810983

Title:
  domain admin unable to fetch domain

Status in OpenStack Identity (keystone):
  Fix Committed
Status in OpenStack Identity (keystone) queens series:
  Triaged
Status in OpenStack Identity (keystone) rocky series:
  Triaged

Bug description:
  NOTE: This bug impacts stable/rocky and possibly stable/queens
  release. Master branch is not impacted.

  The "RULE_ADMIN_OR_TARGET_DOMAIN" rule, which protects the "get_domain"
  API, no longer works in stable/rocky.

  https://github.com/openstack/keystone/blob/stable/rocky/keystone/common/policies/base.py#L21
  https://github.com/openstack/keystone/blob/stable/rocky/keystone/common/policies/domain.py#L18

  This resulted in the domain admin being unable to fetch his own domain.
  Looks like we switched over to oslo_context around the stable/queens
  timeframe, and the token (TokenModel) is no longer in the auth_context,
  which caused this rule to fail.

  'token.project.domain.id:%(target.domain.id)s'

  The problem was corrected recently in the master branch by this patch

  https://review.openstack.org/#/c/605539/

  where the token is added back to the auth_context.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1810983/+subscriptions
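
The failure mode in the bug description, as an added example that is not part of the original report and is not keystone or oslo.policy code: a simplified model of a "credential-path:target-value" check, showing that the quoted check string denies the request once the credential dict has no "token" entry. The function names, the nested-dict credentials and all sample identifiers are assumptions constructed for illustration.

```python
# Simplified model of a "kind:match" policy check; not oslo.policy's implementation.
RULE = "token.project.domain.id:%(target.domain.id)s"  # check string quoted in the bug


def generic_check(rule, target, creds):
    """Return True only if the dotted path left of ':' resolves in creds and
    equals the right-hand side after substituting values from target."""
    kind, match = rule.split(":", 1)
    try:
        expected = match % target      # target keys are flat, e.g. "target.domain.id"
    except KeyError:
        return False                   # target attribute missing: deny
    node = creds
    for segment in kind.split("."):
        if not isinstance(node, dict) or segment not in node:
            return False               # credential path missing: deny
        node = node[segment]
    return expected == str(node)


# Constructed sample data (all identifiers are made up).
TARGET = {"target.domain.id": "d0main1"}
CREDS_WITH_TOKEN = {
    "user_id": "u1",
    "roles": ["admin"],
    "token": {"project": {"domain": {"id": "d0main1"}}},
}
# Same caller, but the credential dict no longer carries the token,
# which is the condition the bug description reports for stable/rocky.
CREDS_WITHOUT_TOKEN = {"user_id": "u1", "roles": ["admin"]}
# A token scoped to a project in a different domain must still be refused.
CREDS_OTHER_DOMAIN = {
    "user_id": "u2",
    "roles": ["admin"],
    "token": {"project": {"domain": {"id": "other"}}},
}


def audit(creds_by_name, rule=RULE, target=TARGET):
    """Evaluate the rule once per named credential set."""
    return {name: generic_check(rule, target, creds)
            for name, creds in creds_by_name.items()}


if __name__ == "__main__":
    cases = {"with_token": CREDS_WITH_TOKEN,
             "without_token": CREDS_WITHOUT_TOKEN,
             "other_domain": CREDS_OTHER_DOMAIN}
    for name, ok in audit(cases).items():
        print(f"{name}: {'allow' if ok else 'deny'}")
```

The check fails closed: a missing credential path produces a denial rather than an error, so a regression of this kind shows up as legitimate domain admins being refused.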

