OpenStack Identity (keystone)

Keystone API v3 lists disabled endpoints and services in catalog

Bug #1273867 reported by Adam Young
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
High
Dolph Mathews
OpenStack Identity (keystone) 2014.1 "icehouse"

Bug Description

When endpoint or service has "enabled" attribute set to "False", it is still listed in catalog (`keystone catalog` command and/or in catalog part of token.

Create testing service (simplifies output later):
> localhost:5000
> POST /v3/services
> '{"service":{"name":"My svc","type":"testing"}}'
response:
> {'service': {'id': '<SERVICE-ID>',
> 'links': {'self': 'http://localhost:5000/v3/services/<SERVICE-ID>'},
> 'name': 'My svc',
> 'type': 'testing'}}

Create disabled endpoint:
> localhost:5000
> POST /v3/endpoints
> '{"endpoint":{
> "enabled":false,
> "name":"My disabled",
> "interface":"public",
> "url":"disabled_URL",
> "service_id":"<SERVICE-ID>"}}'
response:
> {'endpoint': {'enabled': False,
> 'id': '<ENDPOINT-ID>',
> 'interface': 'public',
> 'links': {'self': 'http://localhost:5000/v3/endpoints/<ENDPOINT-ID>'},
> 'name': 'My disabled',
> 'region': None,
> 'service_id': '<SERVICE-ID>',
> 'url': 'disabled_URL'}}

Now request token and see that it's catalog/endpoints part contains:
> localhost:5000
> POST /v3/auth/tokens
> '{"auth":{
> "identity":
> {"methods":["password"],
> "password":{
> "user":{"name":"admin","domain":{"id":"default"},"password":"pass"}}},
> "scope":{"project":{"name":"admin","domain":{"id":"default"}}}}}
snippet of response:
> {'token': {'catalog': [
> ...
> {'endpoints': [{'enabled': False,
> 'id': '<ENDPOINT-ID>',
> 'interface': 'public',
> 'legacy_endpoint_id': None,
> 'name': 'My disabled',
> 'region': None,
> 'url': 'disabled_URL'}],
> 'id': '<SERVICE-ID>',
> 'type': 'testing'},
> ...

Also it gets listed in response of `keystone catalog` (API v2):
> # keystone catalog --service testing
> Service: testing
> +-----------+----------------------------------+
> | Property | Value |
> +-----------+----------------------------------+
> | id | <ENDPOINT-ID> |
> | publicURL | disabled_URL |
> | region | |
> +-----------+----------------------------------+

The same example applies to Service with enabled=false.

See https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md#endpoints-v3endpoints for description of enabled attribute for Endpoint.

And https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md#services-v3services for description of Service.

Revision history for this message
Wei Wang (damon-devops) wrote :

well, I don't think just make it simply invisible in catalog is a good idea.

Revision history for this message
Dolph Mathews (dolph) wrote :

Wei: the only use case for having an enabled/disabled state on services & endpoints was for suppressing them from the catalog.

This likely shares a root cause with bug 1282266.

Changed in keystone:
milestone: none → icehouse-3
importance: Undecided → High
status: New → Confirmed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/75727

Changed in keystone:
assignee: nobody → Brant Knudson (blk-u)
status: Confirmed → In Progress
Brant Knudson (blk-u)
Changed in keystone:
assignee: Brant Knudson (blk-u) → nobody
status: In Progress → Triaged
Dolph Mathews (dolph)
Changed in keystone:
assignee: nobody → Brant Knudson (blk-u)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/77375

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/77438

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/77441

Changed in keystone:
status: Triaged → In Progress
Dolph Mathews (dolph)
Changed in keystone:
milestone: icehouse-3 → icehouse-rc1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/77438
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6b82b357f41dbc5e54663e6fa3fe8dff3f472217
Submitter: Jenkins
Branch: master

commit 6b82b357f41dbc5e54663e6fa3fe8dff3f472217
Author: Brant Knudson <email address hidden>
Date: Sun Mar 2 09:43:53 2014 -0600

    Properly configure OS-EP-FILTER test backend

    The OS-EP-FILTER tests were incorrectly setting the config files
    so that the
    endpoint_filter.backends.catalog_sql.EndpointFilterCatalog
    backend wasn't used during testing.

    The current coverage report shows that
    keystone/contrib/endpoint_filter/backends/catalog_sql is not tested.
    With this change, the coverage is 96%.

    Change-Id: Ib87f1cdaa9f0b494ccd80fd5c37d868f3c46e9f2
    Related-Bug: #1273867

Dolph Mathews (dolph)
Changed in keystone:
milestone: icehouse-rc1 → icehouse-3
Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-3 → icehouse-rc1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/77375
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=46070a656291006ac8a89581cabaae38c2a40df5
Submitter: Jenkins
Branch: master

commit 46070a656291006ac8a89581cabaae38c2a40df5
Author: Brant Knudson <email address hidden>
Date: Sat Mar 1 14:54:51 2014 -0600

    Add unit tests for disabled endpoints in catalog

    There were no tests that show how disabled endpoints are dealt
    with in the catalog backend or when getting or validating a
    token.

    Change-Id: I42ba07e2e7a9c95469b3f2a741a809756cda9361
    Related-Bug: #1273867

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/77441
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=115bfec1cabe43271dcee269287785cc7b4cb6d5
Submitter: Jenkins
Branch: master

commit 115bfec1cabe43271dcee269287785cc7b4cb6d5
Author: Brant Knudson <email address hidden>
Date: Sun Mar 2 11:35:35 2014 -0600

    Fix include only enabled endpoints in catalog

    The server was returning disabled endpoints in the catalog for a
    token response. The server should not return disabled endpoints
    in the catalog.

    Change-Id: Ibaa54eb827846a613fe8c9eced6ae79a8abbfff2
    Partial-Bug: #1273867

Revision history for this message
Brant Knudson (blk-u) wrote :

We've got a fix for endpoints, but what's not covered is services. The changes for services are similar to the changes for endpoints.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/82205

Changed in keystone:
assignee: Brant Knudson (blk-u) → Dolph Mathews (dolph)
OpenStack Infra (hudson-openstack)
Changed in keystone:
assignee: Dolph Mathews (dolph) → David Stanek (dstanek)
OpenStack Infra (hudson-openstack)
Changed in keystone:
assignee: David Stanek (dstanek) → Dolph Mathews (dolph)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/82205
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=45cb6ea93f72ba4086f54642619f55d30378193c
Submitter: Jenkins
Branch: master

commit 45cb6ea93f72ba4086f54642619f55d30378193c
Author: Dolph Mathews <email address hidden>
Date: Fri Mar 21 16:00:04 2014 -0500

    Always include 'enabled' field in service response

    NOTE: this is basically a mirror of the following patch, but for
    services instead of endpoints:

        https://review.openstack.org/#/c/75727/

    The 'enabled' field wasn't always returned in a service response.

    The 'enabled' attribute for services was stored in the 'extra'
    column as part of a JSON string. Now the 'enabled' attribute is in
    its own column. It will also be easier to filter out disabled
    services now that enabled is a separate column.

    With the 'enabled' field being a Boolean column in the database,
    the server also needs to validate that the value is a Boolean (if
    it's present). This is done in the same way that the server checks
    the type of the 'enabled' value when creating users.

    Change-Id: I73f0bb58cd31d80b3c1b6c6834e9e8b38adc86a0
    Co-Authored-By: Brant Knudson <email address hidden>
    Partial-Bug: 1273867

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/82686

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/82698

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/82686
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f8bf760abdf44ef8e90fc37d184d20f7a46b2ab5
Submitter: Jenkins
Branch: master

commit f8bf760abdf44ef8e90fc37d184d20f7a46b2ab5
Author: Dolph Mathews <email address hidden>
Date: Mon Mar 24 20:40:51 2014 -0500

    refactor AuthCatalog tests

    this patch makes room for testing disabled services as well

    Change-Id: Id8fe52f5369e6a97690eb1e27f16f8b85ad552e4
    Partial-Bug: 1273867

Changed in keystone:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/82698
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d352bb41f30a6e26ee5f687f751070164908000d
Submitter: Jenkins
Branch: master

commit d352bb41f30a6e26ee5f687f751070164908000d
Author: Dolph Mathews <email address hidden>
Date: Mon Mar 24 21:05:58 2014 -0500

    exclude disabled services from the catalog

    Change-Id: I25c8b33723b92a9e5768583d82a8cc26ee873890
    Closes-Bug: 1273867

Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-rc1 → 2014.1
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.