_get_domain_id_from_name uses domain_admin_client; results in 403 from keystone

Bug #1415136 reported by Steve McLellan
Affects: OpenStack Heat
Status: Fix Released
Importance: High
Assigned to: Steve McLellan
Milestone: 2015.1.0

Bug Description

In heat_keystoneclient, the _get_domain_id_from_name function uses the configured domain_admin_client (which uses the stack_domain credentials) to retrieve the domain id matching the configured stack_user_domain_name. It does this by listing domains matching the name.

Typically this user only has admin access over its own domain. In a typical keystone v3 setup, listing domains requires cloud administrative privileges (admin on the default domain) - https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L32

Either the sample keystone setup is wrong (and a user should be able to list domains they have access to) or potentially heat needs to use the admin_client (and in turn, THAT user needs admin privileges on the default domain).

Changed in heat:
assignee: nobody → Kanagaraj Manickam (kanagaraj-manickam)
OpenStack Infra (hudson-openstack) wrote: Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/151028

Changed in heat:
assignee: Kanagaraj Manickam (kanagaraj-manickam) → Clint Byrum (clint-fewbar)
status: New → In Progress
Clint Byrum (clint-fewbar) wrote:

This is pretty important for users who don't want to reconfigure keystone. Marking High.

Changed in heat:
importance: Undecided → High
Changed in heat:
assignee: Clint Byrum (clint-fewbar) → Steve McLellan (sjmc7)
OpenStack Infra (hudson-openstack) wrote: Fix merged to heat (master)

Reviewed: https://review.openstack.org/151028
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=c11f085115435db55431d9f65a162add5818bf0d
Submitter: Jenkins
Branch: master

commit c11f085115435db55431d9f65a162add5818bf0d
Author: Clint Byrum <email address hidden>
Date: Wed Jan 28 14:53:05 2015 -0800

    Use domain_id from auth token when not configured

    When the stack_user_domain_admin_user/password are used to authenticate,
    the domain_id they're included in is returned in the token. If the user
    has configured Heat using a stack_user_domain_name then the ID will be
    needed to create stack users. Previously we used the domain list
    functionality in keystoneclient, but this required admin level
    privileges in the default keystone policy file. There is no need to list
    though, as we already have the domain ID.

    Change-Id: I0eaad62502ba55bb52bc95192318f3f12a95062b
    Closes-Bug: #1415136

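The following is an added illustration of the failure the bug description reports and of the approach the commit message above describes; it is example code written for this page, not Heat's or keystone's own implementation. The token bodies, the domain ids, the `ADMIN_DOMAIN_ID` value and the one-rule policy model (`identity:list_domains` requiring `cloud_admin`, approximated from what policy.v3cloudsample.json demands) are all constructed for the example. It shows a domain-scoped stack-domain admin getting 403 from a domain listing, while the domain id that listing was meant to find is already present in that user's own token.

```python
"""Added illustration for bug #1415136 (example code, not Heat's or keystone's).

A stack-domain admin token cannot list domains under the cloud-sample policy,
but the domain id it needs is already in the token it authenticated with.
"""

# Assumed to play the part of admin_domain_id in the cloud-sample policy, i.e.
# the domain whose admins count as cloud admins. Constructed value.
ADMIN_DOMAIN_ID = "default"

# Constructed keystone v3 token bodies, trimmed to the fields used here.
# A domain-scoped token carries its scope at token["domain"]; the user's own
# domain is always at token["user"]["domain"].
STACK_DOMAIN_ADMIN_TOKEN = {
    "token": {
        "methods": ["password"],
        "user": {"id": "u-heat-admin", "name": "heat_domain_admin",
                 "domain": {"id": "d-heat-1", "name": "heat"}},
        "domain": {"id": "d-heat-1", "name": "heat"},
        "roles": [{"id": "r-admin", "name": "admin"}],
    }
}

CLOUD_ADMIN_TOKEN = {
    "token": {
        "methods": ["password"],
        "user": {"id": "u-cloud-admin", "name": "admin",
                 "domain": {"id": ADMIN_DOMAIN_ID, "name": "Default"}},
        "domain": {"id": ADMIN_DOMAIN_ID, "name": "Default"},
        "roles": [{"id": "r-admin", "name": "admin"}],
    }
}


def _scope_domain(token):
    """Domain a token is scoped to, or None for project-scoped/unscoped tokens."""
    return token["token"].get("domain")


def is_cloud_admin(token):
    """Approximation of the cloud-sample policy's cloud_admin rule:
    the admin role held on a token scoped to the admin domain."""
    roles = {r["name"] for r in token["token"].get("roles", [])}
    scope = _scope_domain(token)
    return "admin" in roles and scope is not None and scope["id"] == ADMIN_DOMAIN_ID


class Forbidden(Exception):
    """Stands in for the HTTP 403 keystone returns when policy denies a call."""


class FakeKeystone:
    """In-memory stand-in for the keystone v3 domains API. list_domains enforces
    the cloud-sample mapping identity:list_domains -> rule:cloud_admin."""

    def __init__(self, domains):
        self._domains = list(domains)

    def list_domains(self, token, name=None):
        if not is_cloud_admin(token):
            raise Forbidden("identity:list_domains denied: caller is not cloud_admin")
        return [d for d in self._domains if name is None or d["name"] == name]


def domain_id_by_listing(keystone, token, domain_name):
    """Pre-fix approach: resolve the configured stack_user_domain_name by listing
    domains with the stack-domain admin's token. Fails unless that user is a
    cloud admin."""
    matches = keystone.list_domains(token, name=domain_name)
    if len(matches) != 1:
        raise LookupError("expected one domain named %r, found %d"
                          % (domain_name, len(matches)))
    return matches[0]["id"]


def domain_id_from_token(token, domain_name):
    """Approach the fix takes: the domain the stack-domain admin authenticated in
    is already in its token, so no listing call (and no extra privilege) is
    needed. Falls back to the user's own domain for tokens that are not
    domain-scoped, and cross-checks the name against the configured one; both
    of those details are this example's own choices."""
    scope = _scope_domain(token) or token["token"]["user"]["domain"]
    if scope.get("name") != domain_name:
        raise LookupError("token domain %r does not match configured %r"
                          % (scope.get("name"), domain_name))
    return scope["id"]


def demo():
    """Run both approaches against the constructed tokens and report the outcome."""
    keystone = FakeKeystone([{"id": ADMIN_DOMAIN_ID, "name": "Default"},
                             {"id": "d-heat-1", "name": "heat"}])
    out = {}
    try:
        out["stack_admin_listing"] = domain_id_by_listing(
            keystone, STACK_DOMAIN_ADMIN_TOKEN, "heat")
    except Forbidden as exc:
        out["stack_admin_listing"] = "403 %s" % exc
    out["stack_admin_token"] = domain_id_from_token(STACK_DOMAIN_ADMIN_TOKEN, "heat")
    # A cloud admin can list, but then Heat must hold that more powerful credential.
    out["cloud_admin_listing"] = domain_id_by_listing(keystone, CLOUD_ADMIN_TOKEN, "heat")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %s" % (key, value))
```

Running the module prints the 403 for the listing attempt with the stack-domain admin token, the domain id read straight from that token, and the id a cloud admin would get by listing; the last two agree, which is the point of the fix: the privileged call was never necessary.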
Changed in heat:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in heat:
milestone: none → kilo-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in heat:
milestone: kilo-3 → 2015.1.0