Example in section "Create system-scoped token" is wrong

Bug #1797939 reported by Magnus Lööf
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Medium | Magnus Lööf | |

Bug Description

This bug tracker is for errors with the documentation, use the following as a template and remove or add fields as you see fit. Convert [ ] into [x] to check boxes:

- [x] This doc is inaccurate in this way: The example for Create system-scoped token says to use `--os-system` argument to the `openstack` cli tool. This does not work in:

```
$ openstack --version
openstack 3.16.1
```

```
$ openstack --help | grep system
                 [--os-system-scope <auth-system-scope>]
  --os-system-scope <auth-system-scope>
                        With password: Scope for system operations With
                        v3oidcauthcode: Scope for system operations With
                        v3oidcpassword: Scope for system operations With
                        v3password: Scope for system operations With
                        v3oidcaccesstoken: Scope for system operations With
                        token: Scope for system operations With
                        v3oidcclientcredentials: Scope for system operations
                        With v3token: Scope for system operations With v3totp:
                        Scope for system operations With
                        v3applicationcredential: Scope for system operations
...
```

Also, I cannot figure out how to actually do what the example suggests: issue a token scoped to the system, which is what I want to remove this deprecation warning in the logs:

```
/usr/lib/python2.7/site-packages/oslo_policy/policy.py:896: UserWarning: Policy identity:list_domains failed scope check. The token used to make the request was project scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intended scope is required
  warnings.warn(msg)
```

- [ ] This is a doc addition request.
- [ ] I have a fix to the document that I can paste below including example: input and output.

If you have a troubleshooting or support issue, use the following resources:

 - Ask OpenStack: http://ask.openstack.org
 - The mailing list: http://lists.openstack.org
 - IRC: 'openstack' channel on Freenode

-----------------------------------
Release: on 2018-10-09 13:15
SHA: 86cc778774bc6a561911be05075b4e3cdf6ef2b0
Source: https://git.openstack.org/cgit/openstack/keystone/tree/doc/source/admin/identity-tokens.rst
URL: https://docs.openstack.org/keystone/rocky/admin/identity-tokens.html

tags: added: documentation
removed: doc
Lance Bragstad (lbragstad) wrote :

Hi Magnus,

I was able to get a system-scoped token using the following process with a clouds.yaml and command line arguments [0]. Does this fix your issue or are there specific docs that need to be updated?

[0] http://paste.openstack.org/raw/732296/

Changed in keystone:
status: New → Incomplete
tags: added: system-scope
Magnus Lööf (magnus-loof) wrote :

Hi Lance!

Well, the documentation specified in https://git.openstack.org/cgit/openstack/keystone/tree/doc/source/admin/token-support-matrix.ini suggests to use `--os-system`, but in reality should be `--os-system-scope all`.

So this should be fixed?
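
The scope mismatch behind the warning in the bug description, as an added example that is not part of the original report and is not keystone or oslo.policy source. It builds the Keystone v3 `POST /v3/auth/tokens` body that `--os-system-scope all` corresponds to and runs a simplified scope check over two constructed token responses; the function names, user names and token bodies are assumptions made for illustration.

```python
# Added example: simplified model of a scope check; not keystone or oslo.policy source.
SCOPE_KEYS = ("system", "domain", "project")  # scope keys in a Keystone v3 token body

def build_auth_request(user, password, user_domain, scope=None):
    """Body for POST /v3/auth/tokens; scope=None requests an unscoped token."""
    auth = {"identity": {"methods": ["password"], "password": {"user": {
        "name": user, "password": password, "domain": {"name": user_domain}}}}}
    if scope is not None:
        auth["scope"] = scope
    return {"auth": auth}

def token_scope(token_body):
    """Return which scope a token response carries, or 'unscoped'."""
    for key in SCOPE_KEYS:
        if key in token_body["token"]:
            return key
    return "unscoped"

def scope_check(rule, required_scopes, token_body):
    """Return None if the token's scope is allowed, else a warning string."""
    actual = token_scope(token_body)
    if actual in required_scopes:
        return None
    return ("Policy %s failed scope check. The token used to make the request "
            "was %s scoped but the policy requires %s scope."
            % (rule, actual, list(required_scopes)))

# What `--os-system-scope all` asks for, versus a project scope (names constructed).
SYSTEM_SCOPE = {"system": {"all": True}}
PROJECT_SCOPE = {"project": {"name": "admin", "domain": {"name": "Default"}}}

# Constructed token responses, trimmed to the fields the check reads.
SYSTEM_TOKEN = {"token": {"system": {"all": True}, "roles": [{"name": "admin"}]}}
PROJECT_TOKEN = {"token": {"project": {"name": "admin"}, "roles": [{"name": "admin"}]}}

if __name__ == "__main__":
    req = build_auth_request("admin", "constructed-password", "Default", SYSTEM_SCOPE)
    print(req["auth"]["scope"])
    for tok in (PROJECT_TOKEN, SYSTEM_TOKEN):
        print(token_scope(tok), "->", scope_check("identity:list_domains", ["system"], tok))
```

A project-scoped admin token and a system-scoped one carry the same role here; only the scope key differs, and that key is what the check on `identity:list_domains` looks at.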

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/611685

Changed in keystone:
assignee: nobody → Magnus Lööf (magnus-loof)
status: Incomplete → In Progress
Lance Bragstad (lbragstad) wrote :

Oh, yes. Good catch, Magnus!

Changed in keystone:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/611685
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=33295032d95d0e85d68ea28a348d12b4e980a723
Submitter: Zuul
Branch: master

commit 33295032d95d0e85d68ea28a348d12b4e980a723
Author: Magnus Lööf <email address hidden>
Date: Thu Oct 18 19:51:57 2018 +0200

    Fix example for getting system scoped token

    Previously, the example for getting a system scoped token read
    `--os-system` which does not work.

    Change-Id: Ic7d6e089f0c28e026192e83b56b487180bca09e3
    Closes-Bug: 1797939
    Signed-off-by: Magnus Lööf <email address hidden>

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/612003

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/rocky)

Reviewed: https://review.openstack.org/612003
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=adcd05cf56de22f405967316390ec66e59522cba
Submitter: Zuul
Branch: stable/rocky

commit adcd05cf56de22f405967316390ec66e59522cba
Author: Magnus Lööf <email address hidden>
Date: Thu Oct 18 19:51:57 2018 +0200

    Fix example for getting system scoped token

    Previously, the example for getting a system scoped token read
    `--os-system` which does not work.

    Change-Id: Ic7d6e089f0c28e026192e83b56b487180bca09e3
    Closes-Bug: 1797939
    Signed-off-by: Magnus Lööf <email address hidden>
    (cherry picked from commit 33295032d95d0e85d68ea28a348d12b4e980a723)

tags: added: in-stable-rocky
Changed in keystone:
milestone: none → stein-1
tags: removed: system-scope
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 14.1.0

This issue was fixed in the openstack/keystone 14.1.0 release.
