Middleware auth_token fails with scoped federated saml token
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
python-keystoneclient | Fix Released | Medium | Steve Martinelli |
Bug Description
Do the following steps
1) Set up keystone for federation.
2) Generate an unscoped federated token
3) Generate a scoped token using token in step 2
4) Set up nova/glance for using keystone v3 API.
5) Try an image list command using following request
Request
GET http://
Headers:
Content-Type: application/json
Accept: application/json
X-Auth-Token: e92a49262a8d403
6) This will break the auth_token(
user = token['user']
in the function _build_
This is because the token does not contain any domain id or name under the user info, since federated tokens have no information about the user.
This can be fixed simply by putting an if condition around the problematic code. I have tested this fix and was then able to get the image list and server list using the glance and nova REST APIs.
Example
vim "/usr/lib/
if 'domain' in user:
    user_domain_id = user['domain']['id']
    user_domain_name = user['domain']['name']
Following is the token information; note that there is no domain under users
{
"token": {
"methods": [
"saml2"
],
"roles": [
{
"id": "aad3b40ebb3b44
"name": "admin"
}
],
"expires_at": "2014-07-
"project": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "6e99b7d923bc43
"name": "admin"
},
"catalog": [
{
{
"url": "https:/
"id": "f5dad391109542
},
{
"url": "https:/
"id": "4f76970e4ab549
},
{
"url": "https:/
"id": "b85e76ca32f640
},
{
"url": "https:/
"id": "1ae909491d754a
},
{
"url": "https:/
"id": "daf4ce3876d042
},
{
"url": "https:/
"id": "f763c80100954b
}
],
"type": "identity",
"id": "0f79e21861a94f
},
{
{
"url": "http://
"id": "16ffa8cebadd4d
},
{
"url": "http://
"id": "944adaa070f44f
},
{
"url": "http://
"id": "cd945f6a5ee841
}
],
"type": "image",
"id": "fe5d67da897b43
},
{
{
"url": "http://
"id": "6d93d29279a648
},
{
"url": "http://
"id": "9416222ad31a41
},
{
"url": "http://
"id": "4d924ad3cb1a44
}
],
"type": "volume",
"id": "55ef917e57a540
},
{
{
"url": "http://
"id": "5fe8a0a8f6624e
},
{
"url": "http://
"id": "0b9f9b8ce30446
},
{
"url": "http://
"id": "bcb231d9baab43
}
],
"type": "network",
"id": "b8aaed7927834f
},
{
{
"url": "http://
"id": "55489ebf679348
},
{
"url": "http://
"id": "a9da7a6cf58e45
},
{
"url": "http://
"id": "249a8f15a5034c
}
],
"type": "compute",
"id": "ef0ff2f7395f45
},
{
{
"url": "http://
"id": "95c930d0d59342
},
{
"url": "http://
"id": "2ca7e051514345
},
{
"url": "http://
"id": "5b86fbfe14914b
}
],
"type": "metering",
"id": "a028437e8c364b
}
],
"extras": {},
"user": {
"id": "admin",
"name": "admin"
},
"issued_at": "2014-07-
}
}
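The failure and the guard described in this report, as an added example that is not part of the original report and is not python-keystoneclient code. The function names and the trimmed sample tokens (with placeholder ids) are constructed for illustration; the guarded version leaves the user domain fields as None rather than borrowing the project's domain.

```python
# Added example: hypothetical helpers, not python-keystoneclient code.
import copy

# Constructed sample modelled on the token in this report; ids are placeholders.
FEDERATED = {"token": {
    "methods": ["saml2"],
    "roles": [{"id": "ROLE_ID_PLACEHOLDER", "name": "admin"}],
    "project": {"domain": {"id": "default", "name": "Default"},
                "id": "PROJECT_ID_PLACEHOLDER", "name": "admin"},
    "user": {"id": "admin", "name": "admin"},  # no "domain" key
}}

# Constructed contrast case: a locally authenticated user carries a domain.
LOCAL = copy.deepcopy(FEDERATED)
LOCAL["token"]["methods"] = ["password"]
LOCAL["token"]["user"]["domain"] = {"id": "default", "name": "Default"}


def user_info_unguarded(body):
    """Failing pattern: assumes token['user'] always has a 'domain'."""
    user = body["token"]["user"]
    return {"user_id": user["id"], "user_name": user["name"],
            "user_domain_id": user["domain"]["id"],
            "user_domain_name": user["domain"]["name"]}


def user_info_guarded(body):
    """Guarded pattern: domain fields stay None when the token has none.

    The project's domain is deliberately not used as a fallback, so a
    consumer can tell "user has no domain" from "user is in Default".
    """
    user = body["token"]["user"]
    info = {"user_id": user["id"], "user_name": user["name"],
            "user_domain_id": None, "user_domain_name": None}
    if "domain" in user:
        info["user_domain_id"] = user["domain"]["id"]
        info["user_domain_name"] = user["domain"]["name"]
    return info


def outcome(fn, body):
    """Return the extracted info, or the name of the exception raised."""
    try:
        return fn(body)
    except KeyError as exc:
        return "KeyError: %s" % exc.args[0]


if __name__ == "__main__":
    for label, body in (("federated", FEDERATED), ("local", LOCAL)):
        print(label, outcome(user_info_unguarded, body))
        print(label, outcome(user_info_guarded, body))
```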
description: updated
no longer affects: keystone
Changed in keystonemiddleware:
importance: Undecided → Wishlist
status: New → Triaged
Changed in keystonemiddleware:
importance: Wishlist → Medium
Changed in python-keystoneclient:
assignee: nobody → Steve Martinelli (stevemar)
status: New → In Progress
Changed in keystonemiddleware:
status: Triaged → Invalid
Changed in python-keystoneclient:
assignee: Steve Martinelli (stevemar) → Marek Denis (marek-denis)
Changed in python-keystoneclient:
assignee: Marek Denis (marek-denis) → Steve Martinelli (stevemar)
Changed in python-keystoneclient:
milestone: none → 0.11.0
no longer affects: keystonemiddleware
Changed in python-keystoneclient:
status: Fix Committed → Fix Released
If anything this is a bug against the keystonemiddleware package not keystone.