setting user's default_project_id to a domain ID yields HTTP 400 instead of unscoped token

Bug #1582376 reported by Guang Yee
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Guang Yee

Bug Description

Per spec, if a user's default_project_id is invalid (i.e. either it is bogus, disabled, or the user has no roles assigned on it), it should be ignored at token request. In other words, it should result in an unscoped token.

With the recent domain-is-project changes, if you accidentally set the user's default_project_id to a domain_id, you will get an HTTP 400 on token request.

Steps to reproduce:

1. set the user default_project_id to an existing domain_id
2. on token request, HTTP 400 is returned

$ curl -k -d '{"auth":{"identity": {"methods":["password"],"password":{"user": {"name": "foo","password": "bar","domain":{"id":"default"}}}}}}' -H "Content-type: application/json" http://10.0.2.15:5000/v3/auth/tokens |python -mjson.tool
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 258 100 101 100 157 229 357 --:--:-- --:--:-- --:--:-- 357
{
    "error": {
        "code": 400,
        "message": "object of type 'NoneType' has no len()",
        "title": "Bad Request"
    }
}

Changed in keystone:
assignee: nobody → Ryosuke Mizuno (r-mizuno)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/317792

Changed in keystone:
assignee: Ryosuke Mizuno (r-mizuno) → Guang Yee (guang-yee)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/317792
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8a7133f9506e0675ee5e5da9372d9be671eaaddf
Submitter: Jenkins
Branch: master

commit 8a7133f9506e0675ee5e5da9372d9be671eaaddf
Author: Guang Yee <email address hidden>
Date: Tue May 17 18:10:59 2016 -0700

    make sure default_project_id is not domain on user creation and update

    Make sure user cannot accidentally set the default_project_id to a domain_id.
    Invalid default_project_id is still allowed for backward compatibility.

    Change-Id: I7dd33fdc299fa465333ca1d18819ef0537752f16
    Closes-Bug: 1582376
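
The two behaviours discussed in this report, as an added example: a simplified in-memory model, not Keystone's code and not part of the original bug page. It shows the create/update check named in the commit message next to the token-time fallback to an unscoped token; every function name and all sample data are hypothetical and constructed for illustration.

```python
# Simplified in-memory model; not Keystone code. All names are hypothetical.
# Constructed sample data: since the domain-is-project change, a domain is
# stored as a project record with is_domain=True.
PROJECTS = {
    "default": {"is_domain": True, "enabled": True},
    "proj-a": {"is_domain": False, "enabled": True},
    "proj-off": {"is_domain": False, "enabled": False},
}
ROLES = {("foo", "proj-a"): ["member"], ("foo", "proj-off"): ["member"]}


class ValidationError(Exception):
    """Stands in for the HTTP 400 returned to the API caller."""


def assert_default_project_is_not_domain(default_project_id):
    """Create/update-time check described by the commit message."""
    if default_project_id is None:
        return
    project = PROJECTS.get(default_project_id)
    if project is None:
        return  # unknown ID: still accepted for backward compatibility
    if project["is_domain"]:
        raise ValidationError(
            "default_project_id %r is a domain" % default_project_id)


def update_user(user, default_project_id):
    """Return an updated copy of the user, rejecting a domain ID up front."""
    assert_default_project_is_not_domain(default_project_id)
    return dict(user, default_project_id=default_project_id)


def token_scope(user):
    """Token-time behaviour per the spec: ignore an unusable default project."""
    project_id = user.get("default_project_id")
    project = PROJECTS.get(project_id)
    usable = (
        project is not None
        and not project["is_domain"]
        and project["enabled"]
        and ROLES.get((user["name"], project_id))
    )
    # None models an unscoped token rather than an error response.
    return {"project": {"id": project_id}} if usable else None
```

The write-time check rejects only IDs that resolve to a domain, while the token path treats every unusable default (missing, disabled, domain, or no roles) the same way and never raises.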

Changed in keystone:
status: In Progress → Fix Released
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/keystone 10.0.0.0b1

This issue was fixed in the openstack/keystone 10.0.0.0b1 development milestone.

Changed in keystone:
importance: Undecided → Medium
milestone: none → newton-1