Wrong return code for inherited project role checking

Bug #1397318 reported by Rodrigo Duarte
Affects: OpenStack Identity (keystone)
Status: Invalid
Importance: Low
Assigned to: Unassigned

Bug Description

The documentation states that the return code to check inherited roles on projects is 200 OK [1], which isn't true (see comments below). All grant checks are done via the same method.

[1] https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-inherit-ext.rst#check-if-user-has-an-inherited-project-role-on-project

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone-specs (master)

Fix proposed to branch: master
Review: https://review.openstack.org/137782

Changed in keystone:
assignee: nobody → Rodrigo Duarte (rodrigodsousa)
status: New → In Progress
Brant Knudson (blk-u)
summary: - Wront return code for inherited role checking
+ Wrong return code for inherited role checking
Revision history for this message
Samuel de Medeiros Queiroz (samueldmq) wrote : Re: Wrong return code for inherited role checking

I'm not against this particular change, but I'll probably be addressing every similar doc incompatibility when submitting patches to [1].

[1] https://bugs.launchpad.net/keystone/+bug/1402339

Revision history for this message
Rodrigo Duarte (rodrigodsousa) wrote :

This is *not* an exhaustive search for inconsistent return codes. This bug was intended to fix a *known* issue. Second, the pointed bug was created *after* this bug.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone-specs (master)

Change abandoned by Rodrigo Duarte (<email address hidden>) on branch: master
Review: https://review.openstack.org/137782
Reason: abandoning due to out-of-place discussions.

summary: - Wrong return code for inherited role checking
+ Wrong return code for inherited domain role checking
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone-specs (master)

Fix proposed to branch: master
Review: https://review.openstack.org/142065

Revision history for this message
Brant Knudson (blk-u) wrote : Re: Wrong return code for inherited domain role checking

I get 204 on my system:

$ curl -i -H "X-Auth-Token: $TOKEN" http://localhost:5000/v3/OS-INHERIT/domains/default/users/$USER_ID/roles/$ROLE_ID/inherited_to_projects
HTTP/1.1 204 No Content
Vary: X-Auth-Token
Content-Length: 0
Date: Thu, 15 Jan 2015 00:04:03 GMT

$ curl -i -I -H "X-Auth-Token: $TOKEN" http://localhost:5000/v3/OS-INHERIT/domains/default/users/$USER_ID/roles/$ROLE_ID/inherited_to_projects
HTTP/1.1 204 No Content
Vary: X-Auth-Token
Content-Length: 0
Date: Thu, 15 Jan 2015 00:04:20 GMT

$ curl -i -X HEAD -H "X-Auth-Token: $TOKEN" http://localhost:5000/v3/OS-INHERIT/domains/default/users/$USER_ID/roles/$ROLE_ID/inherited_to_projects
HTTP/1.1 204 No Content
Vary: X-Auth-Token
Content-Length: 0
Date: Thu, 15 Jan 2015 00:05:04 GMT

Why are you getting Content-Length: 334 ? I don't think there can be any content.

Revision history for this message
Rodrigo Duarte (rodrigodsousa) wrote :

Looks like I was checking the wrong URL (missed the $ROLE_ID). Seems that we have an inconsistency here, according to http://tools.ietf.org/html/rfc2616#section-10.2.1 the return must be 200 OK.

Can you easily check for inherited roles to projects in a project hierarchy (I don't have a full setup at the moment)?

What do you think?

Revision history for this message
Brant Knudson (blk-u) wrote :

I don't think there's an inconsistency with keystone's implementation and the RFC. If there's no body then the server should return 204 No Content.

The code is here: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/assignment/controllers.py#n565

All the calls go through the same code so I'd expect them all to respond the same way.

Revision history for this message
Rodrigo Duarte (rodrigodsousa) wrote :

As per http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html : "The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response. The metainformation contained in the HTTP headers in response to a HEAD request SHOULD be identical to the information sent in response to a GET request." and http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html and https://developer.mozilla.org/en-US/docs/Web/HTTP/Response_codes (see 200 OK section), the return code should be the same as for the GET method, but without a body, which I think means the return should be a 200, not 204.

Revision history for this message
Brant Knudson (blk-u) wrote :

Rodrigo - The return for a GET request is already the same as the HEAD request. It's 204 No Content. This is what I posted in comment 6:

$ curl -i -H "X-Auth-Token: $TOKEN" http://localhost:5000/v3/OS-INHERIT/domains/default/users/$USER_ID/roles/$ROLE_ID/inherited_to_projects
HTTP/1.1 204 No Content

$ curl -i -I -H "X-Auth-Token: $TOKEN" http://localhost:5000/v3/OS-INHERIT/domains/default/users/$USER_ID/roles/$ROLE_ID/inherited_to_projects
HTTP/1.1 204 No Content

$ curl -i -X HEAD -H "X-Auth-Token: $TOKEN" http://localhost:5000/v3/OS-INHERIT/domains/default/users/$USER_ID/roles/$ROLE_ID/inherited_to_projects
HTTP/1.1 204 No Content
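
Added example, not part of the original thread and not keystone's code: a client-side grant check that treats 204 No Content as "grant exists", confirms HEAD and GET agree as in the curl output above, and fails closed on any other status. The local stub server, the IDs `u1`/`r1`/`r2`, the token value and the 404 for a missing grant are assumptions made so the example runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PATH = "/v3/OS-INHERIT/domains/{d}/users/{u}/roles/{r}/inherited_to_projects"
GRANTED = PATH.format(d="default", u="u1", r="r1")  # constructed sample grant

class StubKeystone(BaseHTTPRequestHandler):
    """Local stand-in so the example runs offline; not keystone code."""
    def _check(self):
        # 204 matches the thread; 404 for a missing grant is an assumption.
        self.send_response(204 if self.path == GRANTED else 404)
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_GET = do_HEAD = _check
    def log_message(self, *args): pass  # keep the stub quiet

def start_stub():
    server = HTTPServer(("127.0.0.1", 0), StubKeystone)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def check_status(port, method, domain, user, role, token="constructed-token"):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request(method, PATH.format(d=domain, u=user, r=role),
                     headers={"X-Auth-Token": token})
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()

def has_inherited_role(port, domain, user, role):
    head = check_status(port, "HEAD", domain, user, role)
    get = check_status(port, "GET", domain, user, role)
    if head != get:
        raise RuntimeError(f"HEAD returned {head} but GET returned {get}")
    if head == 204:   # grant exists; there is no body to parse
        return True
    if head == 404:   # assumed "no such grant" status
        return False
    # 401, 403, 5xx and anything else: fail closed instead of guessing.
    raise RuntimeError(f"unexpected status {head}")

if __name__ == "__main__":
    srv = start_stub()
    print(has_inherited_role(srv.server_address[1], "default", "u1", "r1"))
    srv.shutdown()
```

A client written against the documented 200 OK (`status == 200`) would report every existing grant as missing, which is why the check keys on 204.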

Revision history for this message
Rodrigo Duarte (rodrigodsousa) wrote :

Thanks for the clarification Brant =)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone-specs (master)

Change abandoned by Rodrigo Duarte (<email address hidden>) on branch: master
Review: https://review.openstack.org/142065
Reason: Not a bug, HEAD and GET return the same status code:

$ curl -i -H "X-Auth-Token: $TOKEN" http://localhost:5000/v3/OS-INHERIT/domains/default/users/$USER_ID/roles/$ROLE_ID/inherited_to_projects
HTTP/1.1 204 No Content

$ curl -i -I -H "X-Auth-Token: $TOKEN" http://localhost:5000/v3/OS-INHERIT/domains/default/users/$USER_ID/roles/$ROLE_ID/inherited_to_projects
HTTP/1.1 204 No Content

$ curl -i -X HEAD -H "X-Auth-Token: $TOKEN" http://localhost:5000/v3/OS-INHERIT/domains/default/users/$USER_ID/roles/$ROLE_ID/inherited_to_projects
HTTP/1.1 204 No Content

summary: - Wrong return code for inherited domain role checking
+ Wrong return code for inherited project role checking
description: updated
description: updated
Revision history for this message
Lance Bragstad (lbragstad) wrote :

Is this still valid to have as an open bug?

Changed in keystone:
importance: Undecided → Low
Changed in keystone:
assignee: Rodrigo Duarte (rodrigodsousa) → nobody
Revision history for this message
Steve Martinelli (stevemar) wrote :

Lance, seems like it's not valid, marking as invalid

Changed in keystone:
status: In Progress → Invalid