
yahoo-eng-team team mailing list archive

[Bug 2127188] [NEW] domain user can create broken app creds when enforce scope is disabled


Public bug reported:

Fresh-ish devstack,

authorize as domain user:

❯ openstack token issue -fyaml
domain_id: default
expires: 2025-10-09T13:51:15+0000
id: ...
user_id: 0bb0013247374b6cb8b2e4c369f3086f

try to create app creds:
❯ openstack application credential create breakme
BadRequestException: 400: Client Error for url: https://192.168.100.191/identity/v3/users/0bb0013247374b6cb8b2e4c369f3086f/application_credentials, Invalid input for field/attribute project_id. Value: None. None is not of type 'string'

now all operations with appcreds are broken for this user:
❯ openstack application credential list
BadRequestException: 400: Client Error for url: https://192.168.100.191/identity/v3/users/0bb0013247374b6cb8b2e4c369f3086f/application_credentials, Invalid input for field/attribute project_id. Value: None. None is not of type 'string'

deleting by name via the CLI also does not work, as it does the same list somewhere to resolve the name to an id:
❯ openstack application credential delete breakme
Failed to delete application credential with name or ID 'breakme': BadRequestException: 400: Client Error for url: https://192.168.100.191/identity/v3/users/0bb0013247374b6cb8b2e4c369f3086f/application_credentials, Invalid input for field/attribute project_id. Value: None. None is not of type 'string'
1 of 1 application credentials failed to delete.

if you peek into the DB, you see an appcred w/o a project id was successfully stored in the DB:
MySQL root@127.0.0.1:(none)> select * from keystone.application_credential where project_id is NULL\G
***************************[ 1. row ]***************************
internal_id  | 3
id           | f5d6ab4298c4467e853e8510ba56ecf7
name         | breakme
secret_hash  | $2b$04$YhMkjUMmTheSxXeEsYcQA.tFYA45POfYiRrqaw0iv7V.F3ptLajM2
description  | <null>
user_id      | 0bb0013247374b6cb8b2e4c369f3086f
project_id   | <null>
expires_at   | <null>
system       | <null>
unrestricted | 0

only now, using this UUID and a direct API call, can you delete those and restore functionality for this user:
❯ os-https DELETE keystone/users/0bb0013247374b6cb8b2e4c369f3086f/application_credentials/f5d6ab4298c4467e853e8510ba56ecf7
HTTP/1.1 204 NO CONTENT
Connection: close
Date: Thu, 09 Oct 2025 12:59:19 GMT
Server: Apache/2.4.58 (Ubuntu)
Vary: X-Auth-Token
x-openstack-request-id: req-bbc51e52-785a-440a-a5a7-025a24c629cf


❯ openstack application credential list --print-empty -fjson
[]

AFAIU what happens is that not enforcing scope allows a domain-scoped
request to sneak through and create the broken appcred, and already when
the response is formatted, its jsonschema validation fails on project id
being NULL/None. The same happens on any GET etc. request: the response
validation fails.

We need to do a better check, have the project id field non-nullable so
you can't even store a broken appcred, and have some validation during
appcreds create to return 403 or 400 instead of 500.

** Affects: keystone
     Importance: Undecided
         Status: New
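An added example (not keystone's code, and not the reporter's) that models the sequence in the report with an in-memory store: the unchecked create persists a row with project_id NULL and then fails response validation, every list for that user fails the same way, a direct DELETE by id recovers, and a pre-store scope check rejects the request with a 403 before anything is written. Function names, the TokenScope type and the list-based store are assumptions.

```python
# Added example, not keystone's code: in-memory model of the bug and the proposed pre-store check.
import uuid
from dataclasses import dataclass
from typing import Optional

# Constructed response schema: project_id must be a string, as the error text says.
APP_CRED_SCHEMA = {"id": str, "name": str, "user_id": str, "project_id": str}

class SchemaError(ValueError):
    """Response-side jsonschema failure (what the client saw as a 400)."""

class Forbidden(Exception):
    """Request rejected before any write (maps to HTTP 403)."""

@dataclass
class TokenScope:
    user_id: str
    project_id: Optional[str] = None  # None for a domain-scoped token

def validate_response(record: dict) -> dict:
    """Mimic the check applied when an application credential is formatted."""
    for field, typ in APP_CRED_SCHEMA.items():
        value = record.get(field)
        if not isinstance(value, typ):
            raise SchemaError(f"Invalid input for field/attribute {field}. "
                              f"Value: {value}. {value} is not of type '{typ.__name__}'")
    return record

def create_unchecked(scope: TokenScope, name: str, store: list) -> dict:
    """Behaviour in the report: the row is written, then response formatting fails."""
    record = {"id": uuid.uuid4().hex, "name": name,
              "user_id": scope.user_id, "project_id": scope.project_id}
    store.append(record)              # broken row is now persisted
    return validate_response(record)  # raises for a domain-scoped token

def create_checked(scope: TokenScope, name: str, store: list) -> dict:
    """Proposed fix: refuse non-project-scoped requests before anything is stored."""
    if scope.project_id is None:
        raise Forbidden("application credentials require a project-scoped token")
    return create_unchecked(scope, name, store)

def list_app_creds(user_id: str, store: list) -> list:
    """Listing re-validates every row, so one broken row breaks the whole user."""
    return [validate_response(r) for r in store if r["user_id"] == user_id]

def delete_by_id(app_cred_id: str, store: list) -> int:
    """Direct DELETE by id does not format a body, which is why it still worked (204)."""
    before = len(store)
    store[:] = [r for r in store if r["id"] != app_cred_id]
    return 204 if len(store) < before else 404
```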

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2127188
