Flask doesn't normalize domains sanely in some cases

Bug #1793027 reported by Morgan Fainberg
This bug affects 2 people
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Critical
Assigned to: Morgan Fainberg

Bug Description

Under webob, domain normalization (for creation of some resources) resulted in a few possible options:

  * Domain ID present in ref -> no change to ref

  * Domain ID not present, domain scoped token ->
    ref['domain_id'] = scope domain id

  * Domain ID not present, "admin" token -> raise ValidationError

  * Domain ID not present, project scoped token -> default domain
    [Deprecated functionality]

Under flask, only the first scenario worked. Keystone, Tempest, and Heat all only test for actual explicit domain id specified on creation (groups notably). Shade/SDK tests a broader form and caught this error[0][1] (reported by Monty Taylor).

[0] http://logs.openstack.org/33/599533/1/gate/shade-functional-devstack-tips/0a92f9f/testr_results.html.gz
[1] http://logs.openstack.org/33/599533/1/gate/shade-functional-devstack-tips/0a92f9f/controller/logs/screen-keystone.txt.gz?level=ERROR

Changed in keystone:
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Morgan Fainberg (mdrnstm)
milestone: none → stein-1
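
The four outcomes listed in the report, written out as a standalone function. This is an added example, not keystone's code: `TokenContext`, `normalize_domain_id` and the `"default"` value are hypothetical, and the last fail-closed branch (a token matching none of the four cases) is an assumption of the example.

```python
from dataclasses import dataclass
from typing import Optional


class ValidationError(Exception):
    """Stand-in for the ValidationError named in the bug report."""


@dataclass(frozen=True)
class TokenContext:
    """Hypothetical view of the request's auth context (not keystone's class)."""
    is_admin: bool = False             # the '"admin" token' case
    domain_id: Optional[str] = None    # set for a domain-scoped token
    project_id: Optional[str] = None   # set for a project-scoped token


def normalize_domain_id(ref: dict, ctx: TokenContext,
                        default_domain_id: str = "default") -> dict:
    """Return a copy of ref with domain_id filled in per the four cases."""
    ref = dict(ref)  # work on a copy, never mutate the caller's request body
    if ref.get("domain_id"):
        return ref                            # case 1: explicit id, unchanged
    if ctx.domain_id:
        ref["domain_id"] = ctx.domain_id      # case 2: domain-scoped token
        return ref
    if ctx.is_admin:
        # case 3: nothing to infer a domain from, so refuse instead of guessing
        raise ValidationError("domain_id is required")
    if ctx.project_id:
        ref["domain_id"] = default_domain_id  # case 4: deprecated fallback
        return ref
    # Assumption of this example: anything else fails closed.
    raise ValidationError("domain_id is required")


if __name__ == "__main__":
    # Constructed inputs: a group-creation body with and without domain_id.
    cases = [
        ({"name": "ops", "domain_id": "d1"}, TokenContext(domain_id="d2")),
        ({"name": "ops"}, TokenContext(domain_id="d2")),
        ({"name": "ops"}, TokenContext(is_admin=True)),
        ({"name": "ops"}, TokenContext(project_id="p1")),
    ]
    for body, ctx in cases:
        try:
            print(body, "->", normalize_domain_id(body, ctx))
        except ValidationError as exc:
            print(body, "-> ValidationError:", exc)
```

A test suite that only ever sends an explicit `domain_id` exercises case 1 alone, which is how the other three branches went uncovered.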
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/603239

Changed in keystone:
status: Triaged → In Progress
Lance Bragstad (lbragstad) wrote :

Does this only affect master or do we need a backport to stable/rocky as well?

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/603239
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c96c7fd03b7afab033bcb31465390f46e56089c5
Submitter: Zuul
Branch: master

commit c96c7fd03b7afab033bcb31465390f46e56089c5
Author: morgan fainberg <email address hidden>
Date: Mon Sep 17 14:59:08 2018 -0700

    Properly normalize domain ids in flask

    Previously domain_id normalization was done (in webob) resulting
    in possibly one of four results (ref['domain_id'] is changed):

      * Domain ID present in ref -> no change to ref

      * Domain ID not present, domain scoped token ->
        ref['domain_id'] = scope domain id

      * Domain ID not present, "admin" token -> raise ValidationError

      * Domain ID not present, project scoped token -> default domain
        [Deprecated functionality]

    In flask, only the first case worked. This change corrects the behavior
    and adds a test to ensure proper data is extracted from oslo.context.

    Change-Id: Iacb502a2aa3fe633f74c7e19e13c46f4f85e55db
    Closes-Bug: #1793027

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
