domain_id 'default' is not decoded from bytes with federated scoped tokens
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | High | Lance Bragstad | |
Bug Description
When attempting to make calls to the Keystone API, requests using a scoped federated token fail with a message like the following:
{
"error": {
"code": 404,
}
}
To reproduce:
1. get an unscoped token via the federated auth endpoint, e.g. /v3/OS-
2. request an unscoped token against the default domain, e.g.:
$ http post https:/
{
"auth": {
],
}
},
}
}
}
}
EOF
3. Attempt to get your own user data, e.g.
$ http get https:/
HTTP/1.1 404 Not Found
Connection: keep-alive
Content-Length: 95
Content-Type: application/json
Date: Wed, 23 Jan 2019 20:46:12 GMT
Server: nginx/1.13.12
Strict-
Vary: X-Auth-Token
x-openstack
{
"error": {
"code": 404,
}
}
The expected result looks like this (with a patch applied to decode the domain_id to a str):
$ http get https:/
HTTP/1.1 200 OK
Connection: keep-alive
Content-
Content-Type: application/json
Date: Wed, 23 Jan 2019 21:45:11 GMT
Server: nginx/1.13.12
Strict-
Transfer-
Vary: Accept-Encoding
Vary: X-Auth-Token
x-openstack
{
"user": {
"id": "7b3bbc3252c44f
},
"name": "<email address hidden>",
}
}
After digging through the code, I think the root cause may be that in FederatedScoped
This was all tested against keystone 14.0.2.dev7 (latest rocky release) running python 3.6.7 with uwsgi 2.0.17.
[1] https:/
[2] https:/
[3] https:/
[4] https:/
Changed in keystone:
milestone: none → stein-3
I can confirm this on python 3.6. It isn't an issue on python2 due to string types.
Since domain IDs are all auto-generated uuids with the exception of the default domain (since it can be set to a non-uuid string via configuration), I would expect that to be the only domain target that breaks with this.
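The bytes/str mismatch discussed in this report, as an added example that is not part of the original report and is not keystone's code. It is a simplified model that assumes UUID IDs are stored as 16 raw bytes and restored as str, while any other ID comes back from the serializer as bytes on Python 3; the function names, the domain table and the UUID value are all constructed for illustration.

```python
import uuid

# Constructed stand-in for a domain backend keyed by str IDs.
DOMAINS = {
    "default": {"name": "Default"},
    "0f4a1c6e2b7d4e0c9a3b5d8e7f601234": {"name": "constructed-domain"},
}


def pack_id(value):
    """Model of payload packing: UUID hex becomes 16 raw bytes, anything
    else is kept as UTF-8 bytes. Returns (stored_as_uuid, raw_bytes)."""
    try:
        return True, uuid.UUID(hex=value).bytes
    except ValueError:
        # 'default' is not a UUID, so it takes this branch.
        return False, value.encode("utf-8")


def unpack_id_undecoded(packed):
    """Restores UUIDs as str via .hex but hands non-UUID IDs back as the
    raw bytes the serializer produced (the behaviour in the report)."""
    stored_as_uuid, raw = packed
    return uuid.UUID(bytes=raw).hex if stored_as_uuid else raw


def unpack_id_decoded(packed):
    """Same as above, plus the decode-to-str step the report asks for."""
    value = unpack_id_undecoded(packed)
    return value.decode("utf-8") if isinstance(value, bytes) else value


def lookup_status(domain_id):
    """On Python 3, b'default' != 'default', so a bytes ID never matches
    a str key and the lookup ends in 404."""
    return 200 if domain_id in DOMAINS else 404


if __name__ == "__main__":
    for domain_id in DOMAINS:
        packed = pack_id(domain_id)
        print(domain_id,
              lookup_status(unpack_id_undecoded(packed)),
              lookup_status(unpack_id_decoded(packed)))
```

Only the non-UUID `default` ID changes outcome between the two unpack functions, which matches the expectation in the last comment that the default domain is the only target affected.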