v3 credentials project is not optional for type=ec2

Bug #1268977 reported by Steven Hardy
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Lin Hua Cheng

Bug Description

The project is documented as being optional when creating credentials via the v3/credentials API, but if a project is not provided when creating ec2 credentials, validating a request signed with those credentials via ec2tokens then fails:

2014-01-14 13:53:19.390 10908 ERROR keystone.common.wsgi [-] object of type 'NoneType' has no len()
2014-01-14 13:53:19.390 10908 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-01-14 13:53:19.390 10908 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/common/wsgi.py", line 213, in __call__
2014-01-14 13:53:19.390 10908 TRACE keystone.common.wsgi result = method(context, **params)
2014-01-14 13:53:19.390 10908 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/contrib/ec2/controllers.py", line 103, in authenticate
2014-01-14 13:53:19.390 10908 TRACE keystone.common.wsgi tenant_ref = self.assignment_api.get_project(creds_ref['tenant_id'])

So we should probably raise an error when creating the credential, since we can never create an appropriately scoped token in ec2tokens without knowing the user and project associated with the credentials.

Steven Hardy (shardy)
Changed in keystone:
assignee: nobody → Steven Hardy (shardy)
Dolph Mathews (dolph) wrote :

IIRC, this was the exact use case that landed project_id in the API spec for /v3/credentials at all -- is it not used at all?

Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
Lance Bragstad (lbragstad) wrote :

I built the schema around the current Identity V3 API spec for Credentials, so if it needs to be updated to exclude the 'project_id' or if it needs to be required I can roll that into the jsonschema validation.

Dolph Mathews (dolph) wrote :

Lance: That schema looks correct according to the v3 API spec to me. The catch here is that 'project_id' is only required IF type='ec2'? (Can you express that in jsonschema?) If not, that sounds like hardcoded validation in the controller.

Lance Bragstad (lbragstad) wrote :

That makes sense, we *might* be able to work around it with anyOf or oneOf like logic. I'll have to dig into this a little more and see if we can build it into the schema:

http://jsonary.com/documentation/json-schema/?section=keywords/General%20keywords

Steven Hardy (shardy)
Changed in keystone:
assignee: Steven Hardy (shardy) → nobody
Changed in keystone:
assignee: nobody → Lin Hua Cheng (lin-hua-cheng)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/155974

Changed in keystone:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/155974
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a9f257dc0597a393aac4b2165b5066b35165dbcf
Submitter: Jenkins
Branch: master

commit a9f257dc0597a393aac4b2165b5066b35165dbcf
Author: lin-hua-cheng <email address hidden>
Date: Sat Feb 14 01:19:36 2015 -0800

    Made project_id required for ec2 credential

    ec2 tokens cannot be created without the user and project
    associated with the credentials. The project_id must be
    required when creating ec2 credentials.

    Updating json schema to check:
    - if ec2 type, project_id is required
    - else, project_id is optional

    Closes-Bug: #1268977

    Change-Id: Id7118e028d8c3ff607ac24cd9ecba90a905ce91f
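
The conditional rule discussed in this thread ("project_id is required only if type is ec2"), written with oneOf as an added example; this is not keystone's own schema or code. The schema, the small evaluator (which handles only the keywords used here, standing in for a full JSON Schema validator) and the request bodies are constructed for illustration.

```python
import json

# Constructed schema (not keystone's own): project_id is required only for ec2.
CREDENTIAL_CREATE = {
    "type": "object",
    "properties": {
        "blob": {"type": "string"},
        "type": {"type": "string"},
        "user_id": {"type": "string"},
        "project_id": {"type": "string"},
    },
    "required": ["blob", "type", "user_id"],
    "oneOf": [
        # Branch 1: an ec2 credential must carry project_id.
        {"properties": {"type": {"enum": ["ec2"]}}, "required": ["project_id"]},
        # Branch 2: any other credential type; project_id stays optional.
        {"properties": {"type": {"not": {"enum": ["ec2"]}}}},
    ],
}

_TYPES = {"object": dict, "string": str}

def is_valid(instance, schema):
    """Evaluate only the JSON Schema keywords used in CREDENTIAL_CREATE."""
    if "type" in schema and not isinstance(instance, _TYPES[schema["type"]]):
        return False
    if "enum" in schema and instance not in schema["enum"]:
        return False
    if "not" in schema and is_valid(instance, schema["not"]):
        return False
    if isinstance(instance, dict):
        if any(key not in instance for key in schema.get("required", [])):
            return False
        for name, sub in schema.get("properties", {}).items():
            if name in instance and not is_valid(instance[name], sub):
                return False
    # oneOf: exactly one branch may match.
    if "oneOf" in schema:
        return sum(is_valid(instance, s) for s in schema["oneOf"]) == 1
    return True

# Constructed request bodies; the key values are placeholders.
BLOB = json.dumps({"access": "EXAMPLE_ACCESS", "secret": "EXAMPLE_SECRET"})
EC2_OK = {"type": "ec2", "blob": BLOB, "user_id": "u1", "project_id": "p1"}
EC2_NO_PROJECT = {"type": "ec2", "blob": BLOB, "user_id": "u1"}
EC2_NULL_PROJECT = dict(EC2_NO_PROJECT, project_id=None)
CERT_NO_PROJECT = {"type": "cert", "blob": BLOB, "user_id": "u1"}

if __name__ == "__main__":
    for body in (EC2_OK, EC2_NO_PROJECT, EC2_NULL_PROJECT, CERT_NO_PROJECT):
        print(body["type"], body.get("project_id", "<absent>"),
              is_valid(body, CREDENTIAL_CREATE))
```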

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → kilo-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-3 → 2015.1.0
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone-specs (master)

Fix proposed to branch: master
Review: https://review.openstack.org/190660

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone-specs (master)

Reviewed: https://review.openstack.org/190660
Committed: https://git.openstack.org/cgit/openstack/keystone-specs/commit/?id=b2e602146e26a65c9a95fa360b7be856c4b5d77b
Submitter: Jenkins
Branch: master

commit b2e602146e26a65c9a95fa360b7be856c4b5d77b
Author: Darren Hague <email address hidden>
Date: Thu Jun 11 15:22:23 2015 +0100

    v3 credentials project_id is not optional for type=ec2

    Updated documentation to reflect implementation in
    https://git.openstack.org/cgit/openstack/keystone/commit/?id=a9f257dc0597a393aac4b2165b5066b35165dbcf

    Change-Id: Ia262fc4ae25b1aa82d877173f4ea9f88b290e64c
    Closes-bug: 1268977
