← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1843609] [NEW] Domain-specific domain ID resolution breaks with system-scoped tokens

 

Public bug reported:

System-scope was introduced in Queens [0] but recently we discovered a
weird case where system users aren't able to do things they should be
able to with system-scoped tokens when domain-specific drivers are
enabled.

For example, they are unable to list groups or users because the API
logic for GET /v3/groups and GET /v3/users tries to resolve a domain ID
from the request [1]. If domain-specific drivers are enabled and there
isn't a domain ID associated to the request (either with a domain-scoped
token or a project-scoped token) the API returns a 401, which makes no
sense from the context of a system user [2].

You can recreate this locally by enabling domain-specific drivers in
keystone.conf [3] and running the test_groups or test_users v3
protection tests using:

  $ tox -e py37 -- keystone.tests.unit.protection.v3.test_groups

Observed failures:
https://pasted.tech/pastes/b45c6b015b97c865018c4b3290f60e0456fe304a.raw

This isn't blocking the gate because domain-specific drivers are off by
default and the logic short-circuits [4].

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html
[1] https://opendev.org/openstack/keystone/src/branch/master/keystone/api/groups.py#L84
[2] https://opendev.org/openstack/keystone/src/branch/master/keystone/server/flask/common.py#L917-L943
[3] https://pasted.tech/pastes/e8ffce7a3377b960dd88de8c88e2ccfd173ec726.raw
[4] https://opendev.org/openstack/keystone/src/branch/master/keystone/server/flask/common.py#L924-L926

** Affects: keystone
     Importance: High
         Status: Triaged

** Changed in: keystone
       Status: New => Triaged

** Changed in: keystone
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1843609

Title:
  Domain-specific domain ID resolution breaks with system-scoped tokens

Status in OpenStack Identity (keystone):
  Triaged

Bug description:
  System-scope was introduced in Queens [0] but recently we discovered a
  weird case where system users aren't able to do things they should be
  able to with system-scoped tokens when domain-specific drivers are
  enabled.

  For example, they are unable to list groups or users because the API
  logic for GET /v3/groups and GET /v3/users tries to resolve a domain
  ID from the request [1]. If domain-specific drivers are enabled and
  there isn't a domain ID associated to the request (either with a
  domain-scoped token or a project-scoped token) the API returns a 401,
  which makes no sense from the context of a system user [2].

  You can recreate this locally by enabling domain-specific drivers in
  keystone.conf [3] and running the test_groups or test_users v3
  protection tests using:

    $ tox -e py37 -- keystone.tests.unit.protection.v3.test_groups

  Observed failures:
  https://pasted.tech/pastes/b45c6b015b97c865018c4b3290f60e0456fe304a.raw

  This isn't blocking the gate because domain-specific drivers are off
  by default and the logic short-circuits [4].

  [0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html
  [1] https://opendev.org/openstack/keystone/src/branch/master/keystone/api/groups.py#L84
  [2] https://opendev.org/openstack/keystone/src/branch/master/keystone/server/flask/common.py#L917-L943
  [3] https://pasted.tech/pastes/e8ffce7a3377b960dd88de8c88e2ccfd173ec726.raw
  [4] https://opendev.org/openstack/keystone/src/branch/master/keystone/server/flask/common.py#L924-L926

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1843609/+subscriptions


Follow ups