Update credential to "ec2" type accepts a credential without the project set

Bug #1613466 reported by Rodrigo Duarte
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Rodrigo Duarte

Bug Description

In the credentials API, schema validation [1] makes it mandatory to include a project when creating a credential of the "ec2" type, but we can create a credential of a different type and update it to "ec2" without providing a project [2].

[1] https://github.com/openstack/keystone/blob/master/keystone/credential/schema.py#L29-L55
[2] https://github.com/openstack/keystone/blob/master/keystone/credential/schema.py#L57-L62

description: updated
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/357950

Changed in keystone:
assignee: nobody → Rodrigo Duarte (rodrigodsousa)
status: Triaged → In Progress
Rodrigo Duarte (rodrigodsousa) wrote :

If we update the credential to the ec2 type without the project_id, the API will fail in a further step of the API path (when trying to use the credential). I think we need to make the credential type immutable, but we would need a deprecation cycle, as pointed out by Dolph in IRC.

For now, I think we can return a 404 error if the user tries to update the type to ec2 without providing a project_id since the API will break in a further step anyways.

Changed in keystone:
milestone: none → newton-3
Changed in keystone:
milestone: newton-3 → none
Changed in keystone:
assignee: Rodrigo Duarte (rodrigodsousa) → Dave Chen (wei-d-chen)
Dave Chen (wei-d-chen)
Changed in keystone:
assignee: Dave Chen (wei-d-chen) → Rodrigo Duarte (rodrigodsousa)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/357950
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8144e28336e1c9bf2128409172f48b3ea1cd1ee5
Submitter: Jenkins
Branch: master

commit 8144e28336e1c9bf2128409172f48b3ea1cd1ee5
Author: Rodrigo Duarte Sousa <email address hidden>
Date: Fri Aug 19 11:54:57 2016 -0300

    Fix credential update to ec2 type

    It was possible to create a credential without providing a project_id
    and later update it to the ec2 type.

    This patch fixes the issue by adding a manual check in the
    manager layer since it needs to check the old credential contents
    prior to failing the request.

    Change-Id: I1eb28a46c89e17d9c990cc798867d1a59714fe5f
    Closes-Bug: #1613466
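
The gap described in this report and the manager-layer check from the commit message, as an added Python sketch that is not keystone's code. The function names, the in-memory store and the sample credential values are constructed for illustration.

```python
class ValidationError(Exception):
    """Raised when a credential would end up in an invalid state."""


def check_ec2_project(cred):
    # Rule from the report: an "ec2" credential must carry a project.
    if cred.get("type") == "ec2" and not cred.get("project_id"):
        raise ValidationError("ec2 credential requires project_id")


def create(store, cred_id, cred):
    # Create path: the full body is available, so the rule is easy to enforce.
    check_ec2_project(cred)
    store[cred_id] = dict(cred)
    return store[cred_id]


def update_payload_only(store, cred_id, patch):
    # Behaviour reported in the bug: the update body is accepted without
    # tying "type" to "project_id", so a partial body slips through.
    store[cred_id].update(patch)
    return store[cred_id]


def update_checked(store, cred_id, patch):
    # Approach named in the commit message: combine the stored credential
    # with the patch, validate the merged result, and only then write it.
    merged = {**store[cred_id], **patch}
    check_ec2_project(merged)
    store[cred_id] = merged
    return merged


def demo():
    # Constructed sample: a non-ec2 credential created without a project,
    # then updated with a body that only changes the type.
    results = {}
    for name, update in (("payload_only", update_payload_only),
                         ("checked", update_checked)):
        store = {}
        create(store, "c1", {"type": "cert", "blob": "{}", "user_id": "u1"})
        try:
            update(store, "c1", {"type": "ec2"})
            results[name] = "accepted"
        except ValidationError:
            results[name] = "rejected"
        results[name + "_stored_type"] = store["c1"]["type"]
    return results


if __name__ == "__main__":
    print(demo())
```

Validating the merged record rather than the request body also covers the reverse case, where a patch clears project_id on a credential that is already of the ec2 type.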

Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → newton-3
Thierry Carrez (ttx) wrote : Fix included in openstack/keystone 10.0.0.0b3

This issue was fixed in the openstack/keystone 10.0.0.0b3 development milestone.
