OpenStack Identity (keystone)

domain list via projects api with domain-scoped token is always empty

Bug #1950325 reported by Boris Bobrov
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
In Progress
Undecided
Unassigned

Bug Description

Listing domains via projects api (/v3/projects) using is_domain parameter with domain-scoped token always returns an empty list.

Steps to reproduce:

1. Get a domain-scoped token
2. Make a call to /v3/projects?is_domain=true with the token

Expected:
Domains are listed (given the policies allow it). Or i get an error message that it is impossible to list is_domain projects with a domain-scoped token.

Observed:
Domain list is empty.

Probable reason:
https://opendev.org/openstack/keystone/src/commit/1e7ecca881a51144d61ae8026e1a77d6669997e2/keystone/api/projects.py#L135-L139 - with domain-scoped token projects are filtered by domain_id. Domains have no domain_id and are filtered out.

How it was discovered:
Terraform OpenStack Provider does not use /v3/domains endpoint to fetch information about domains. Instead, /v3/projects is supposed to be used. https://github.com/terraform-provider-openstack/terraform-provider-openstack/tree/32f312ff538b846c32b93247f94c58163a6145f1/openstack

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/keystone/+/844637

Changed in keystone:
status: New → In Progress
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.