yahoo-eng-team team mailing list archive
Message #95946
[Bug 2111836] Re: Creating a token using an application credential results in a HTTP 500 when attempting to use said token
Reviewed: https://review.opendev.org/c/openstack/keystone/+/951392
Committed: https://opendev.org/openstack/keystone/commit/2323c474f857b64b5e6159dab03e64580817c65c
Submitter: "Zuul (22348)"
Branch: master
commit 2323c474f857b64b5e6159dab03e64580817c65c
Author: Artem Goncharov <artem.goncharov@xxxxxxxxx>
Date: Fri May 30 12:47:29 2025 +0200
Fix getting token from application credentials token
When a user tries to get a token from a token that was initially issued using
application credentials, it is necessary to restore the initial
application credential to enforce its scope, roles and access rules.
Closes-bug: #2111836
Change-Id: Ie94f7e18106b50087284bd8c81b50aa50ab104cb
Signed-off-by: Artem Goncharov <artem.goncharov@xxxxxxxxx>
** Changed in: keystone
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/2111836
Title:
Creating a token using an application credential results in a HTTP 500
when attempting to use said token
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
Sample devstack reproducer:
```
export OS_CLOUD=devstack-admin
openstack server list # works
openstack application credential create foo
# use the returned id and secret fields to create a new cloud entry
export OS_CLOUD=devstack-admin-appcred
openstack server list # works
openstack token issue -f value -c id
# use the returned id field to create a new cloud entry
export OS_CLOUD=devstack-admin-token
openstack server list # error!
```
Sample `clouds.yaml` after the above steps:
```
clouds:
  devstack-admin:
    auth:
      auth_url: http://10.0.110.96/identity
      password: password
      project_domain_id: default
      project_name: admin
      user_domain_id: default
      username: admin
    region_name: RegionOne
  devstack-admin-appcred:
    auth:
      auth_url: http://10.0.110.96/identity
      application_credential_id: af1d2e8c0838425f8459bb07ba3371a7
      application_credential_secret: G9ATNVJsZW63kX34tHddudA13c0N77ktP5OSrPe-n-BEeHuF7AqQeXu6bSIaK593dC72bzQYjzG7M-ypNseZYA
    auth_type: v3applicationcredential
    region_name: RegionOne
  devstack-admin-token:
    auth:
      auth_url: http://10.0.110.96/identity
      token: gAAAAABoNejg1AvoyDKLwM6--SR4X8zEx2U_Q5w89QiOV45FiVGV3Hhf9Y4TDJoNYjiMmSOCUrFTKyHIY0hiNyyiSVXNer0nMa_ivlOpR6n2Rag7vZDdCLUjfri5fOmlGd3G0kOSic5qBf3ubhZPF2IDLQ65D4RbCzQS7yGmlrJBOEcpcLwyYhJTx_y74WO9N93duPAhGthZ
    auth_type: v3token
    region_name: RegionOne
```
The traceback:
```
CRITICAL keystone [None req-cdc8e19b-cb35-4b8b-8aea-4c34409871ed admin admin] Unhandled error: KeyError: 'application_credential'
ERROR keystone Traceback (most recent call last):
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/flask/app.py", line 1536, in __call__
ERROR keystone return self.wsgi_app(environ, start_response)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/werkzeug/middleware/proxy_fix.py", line 183, in __call__
ERROR keystone return self.app(environ, start_response)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/dec.py", line 129, in __call__
ERROR keystone resp = self.call_func(req, *args, **kw)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/dec.py", line 193, in call_func
ERROR keystone return self.func(req, *args, **kwargs)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/oslo_middleware/base.py", line 124, in __call__
ERROR keystone response = req.get_response(self.application)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/request.py", line 1313, in send
ERROR keystone status, headers, app_iter = self.call_application(
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/request.py", line 1278, in call_application
ERROR keystone app_iter = application(self.environ, start_response)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/dec.py", line 143, in __call__
ERROR keystone return resp(environ, start_response)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/dec.py", line 129, in __call__
ERROR keystone resp = self.call_func(req, *args, **kw)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/dec.py", line 193, in call_func
ERROR keystone return self.func(req, *args, **kwargs)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/oslo_middleware/base.py", line 124, in __call__
ERROR keystone response = req.get_response(self.application)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/request.py", line 1313, in send
ERROR keystone status, headers, app_iter = self.call_application(
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/request.py", line 1278, in call_application
ERROR keystone app_iter = application(self.environ, start_response)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/dec.py", line 129, in __call__
ERROR keystone resp = self.call_func(req, *args, **kw)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/dec.py", line 193, in call_func
ERROR keystone return self.func(req, *args, **kwargs)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/osprofiler/web.py", line 111, in __call__
ERROR keystone return request.get_response(self.application)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/request.py", line 1313, in send
ERROR keystone status, headers, app_iter = self.call_application(
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/request.py", line 1278, in call_application
ERROR keystone app_iter = application(self.environ, start_response)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/dec.py", line 193, in call_func
ERROR keystone return self.func(req, *args, **kwargs)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/oslo_middleware/request_id.py", line 58, in __call__
ERROR keystone response = req.get_response(self.application)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/request.py", line 1313, in send
ERROR keystone status, headers, app_iter = self.call_application(
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/request.py", line 1278, in call_application
ERROR keystone app_iter = application(self.environ, start_response)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/keystone/keystone/server/flask/request_processing/middleware/url_normalize.py", line 38, in __call__
ERROR keystone return self.app(environ, start_response)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/dec.py", line 129, in __call__
ERROR keystone resp = self.call_func(req, *args, **kw)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/dec.py", line 193, in call_func
ERROR keystone return self.func(req, *args, **kwargs)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/keystonemiddleware/auth_token/__init__.py", line 340, in __call__
ERROR keystone response = req.get_response(self._app)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/request.py", line 1313, in send
ERROR keystone status, headers, app_iter = self.call_application(
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/request.py", line 1278, in call_application
ERROR keystone app_iter = application(self.environ, start_response)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/werkzeug/middleware/dispatcher.py", line 81, in __call__
ERROR keystone return app(environ, start_response)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/flask/app.py", line 1514, in wsgi_app
ERROR keystone response = self.handle_exception(e)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 298, in error_router
ERROR keystone return original_handler(e)
ERROR keystone ^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 298, in error_router
ERROR keystone return original_handler(e)
ERROR keystone ^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 298, in error_router
ERROR keystone return original_handler(e)
ERROR keystone ^^^^^^^^^^^^^^^^^^^
ERROR keystone [Previous line repeated 28 more times]
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 295, in error_router
ERROR keystone return self.handle_error(e)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 310, in handle_error
ERROR keystone _handle_flask_propagate_exceptions_config(current_app, e)
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/flask/app.py", line 1511, in wsgi_app
ERROR keystone response = self.full_dispatch_request()
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/flask/app.py", line 919, in full_dispatch_request
ERROR keystone rv = self.handle_user_exception(e)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 298, in error_router
ERROR keystone return original_handler(e)
ERROR keystone ^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 298, in error_router
ERROR keystone return original_handler(e)
ERROR keystone ^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 298, in error_router
ERROR keystone return original_handler(e)
ERROR keystone ^^^^^^^^^^^^^^^^^^^
ERROR keystone [Previous line repeated 28 more times]
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 295, in error_router
ERROR keystone return self.handle_error(e)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 310, in handle_error
ERROR keystone _handle_flask_propagate_exceptions_config(current_app, e)
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/flask/app.py", line 917, in full_dispatch_request
ERROR keystone rv = self.dispatch_request()
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/flask/app.py", line 902, in dispatch_request
ERROR keystone return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args) # type: ignore[no-any-return]
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 489, in wrapper
ERROR keystone resp = resource(*args, **kwargs)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/flask/views.py", line 110, in view
ERROR keystone return current_app.ensure_sync(self.dispatch_request)(**kwargs) # type: ignore[no-any-return]
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 604, in dispatch_request
ERROR keystone resp = meth(*args, **kwargs)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/keystone/keystone/server/flask/common.py", line 1159, in wrapper
ERROR keystone return f(*args, **kwargs)
ERROR keystone ^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/keystone/keystone/api/auth.py", line 328, in post
ERROR keystone token = authentication.authenticate_for_token(auth_data)
ERROR keystone ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone File "/opt/stack/keystone/keystone/api/_shared/authentication.py", line 229, in authenticate_for_token
ERROR keystone app_cred_id = token_auth['application_credential']['id']
ERROR keystone ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone KeyError: 'application_credential'
```
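A simplified model of the failure in the traceback and of the approach the commit message describes, as an added example that is not Keystone's code. The helper names, the in-memory `TOKENS` and `APP_CREDS` tables, and the rule that a token-method request inherits the previous token's methods are assumptions made for illustration.

```python
# Simplified model of token re-authentication; not Keystone's code.
# All names and the sample data below are constructed for illustration.
USER_ROLES = ["admin", "member", "reader"]
APP_CREDS = {"ac-1": {"roles": ["reader"]}}  # restricted credential
TOKENS = {  # previously issued, already validated tokens
    "tok-appcred": {"methods": ["application_credential"], "app_cred_id": "ac-1"},
    "tok-password": {"methods": ["password"], "app_cred_id": None},
}


def method_names(identity):
    """Assumed rule: a token-method request inherits the old token's methods."""
    names = list(identity["methods"])
    if "token" in names:
        names += TOKENS[identity["token"]["id"]]["methods"]
    return names


def app_cred_id_from_body(identity):
    """Failing pattern: expects the credential in the request body."""
    if "application_credential" in method_names(identity):
        return identity["application_credential"]["id"]  # KeyError for v3token
    return None


def app_cred_id_restored(identity):
    """Fall back to the credential recorded on the previous token."""
    if "application_credential" not in method_names(identity):
        return None
    if "application_credential" in identity:
        return identity["application_credential"]["id"]
    return TOKENS[identity["token"]["id"]]["app_cred_id"]


def issue_token(identity, resolve=app_cred_id_restored):
    """New token stays bounded by the restored credential's roles."""
    app_cred_id = resolve(identity)
    cred = APP_CREDS.get(app_cred_id)
    return {
        "methods": method_names(identity),
        "app_cred_id": app_cred_id,
        "roles": list(cred["roles"] if cred else USER_ROLES),
    }


if __name__ == "__main__":
    rescope = {"methods": ["token"], "token": {"id": "tok-appcred"}}
    print(issue_token(rescope))
```

A regression test for this class of bug should assert both outcomes: the request no longer returns HTTP 500, and the re-issued token is still limited to the application credential's roles rather than the user's full set.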