Fernet token validation doesn't return catalog and role information for domain scoped tokens

Bug #1430433 reported by Haneef Ali
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Lance Bragstad

Bug Description

root@4d4627c10662:/etc/keystone# curl -k -H "X-Auth-Token:ADMIN" -H "X-Subject-Token:$d" http://localhost:35357/v3/auth/tokens | python -mjson.tool
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 292 100 292 0 0 154 0 0:00:01 0:00:01 --:--:-- 154
{
    "token": {
        "audit_ids": [
            "c5zfY85bTrm_q8pAy2hk-A"
        ],
        "expires_at": "2015-03-14T20:44:40Z",
        "extras": {},
        "issued_at": "2015-03-10T16:44:40Z",
        "methods": [
            "password",
            "token"
        ],
        "user": {
            "domain": {
                "id": "default",
                "name": "Default"
            },
            "id": "ad89796c89e7422bb8b9f1bbf9d84bf6",
            "name": "admin"
        }
    }
}
root@4d4627c10662:/etc/keystone#

Tags: fernet
Boris Bobrov (bbobrov)
Changed in keystone:
assignee: nobody → Boris Bobrov (bbobrov)
Haneef Ali (haneef)
tags: added: fernet
Dolph Mathews (dolph) wrote :

Support for domain scoped tokens was added in https://github.com/openstack/keystone/commit/622b51e096dd87e117e1e9417196956131edfb1a

The above looks like an unscoped token; if you were expecting a domain-scoped token, the above patch should change the validation result.

Changed in keystone:
status: New → Incomplete
Boris Bobrov (bbobrov)
Changed in keystone:
assignee: Boris Bobrov (bbobrov) → nobody
Lance Bragstad (lbragstad) wrote :

This is what a response looks like for a domain-scoped UUID token [1].
This is the current response for a Fernet domain-scoped token [2].

This is because the v3_token_data_helper.get_token_data() method [3] wasn't being called with domain_id. I assume this was lost somewhere in the massive rebase chain as this was being implemented.

After applying [4], the Fernet domain-scoped responses look like the following [5]

[1] http://cdn.pasteraw.com/eqw4n3vh0bb0xnv6y195flz7zb0u33q
[2] http://cdn.pasteraw.com/7kmeev9y0cssyk7puri1v47nlclleuv
[3] https://github.com/openstack/keystone/blob/24bc6a1bf03e0ef71b16b2e973120aa9a8131778/keystone/token/providers/fernet/core.py#L137-L146
[4] http://cdn.pasteraw.com/7aklvpeuajaxsi7ztsowce2jhkrtoby
[5] http://cdn.pasteraw.com/s93vle6j6krnx4fp49xm919pji385yn

I'll push the diff for review shortly.

Changed in keystone:
status: Incomplete → Confirmed
importance: Undecided → High
assignee: nobody → Lance Bragstad (lbragstad)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/164315

Changed in keystone:
status: Confirmed → In Progress
Dolph Mathews (dolph) wrote :

This issue is being reproduced here:

  https://travis-ci.org/dolph/keystone-deploy/builds/53202078

(If that build shows as passing, then a fix has merged to keystone.)

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/164315
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d1773114eeb00ae090a58fdcaaaa449e886fa039
Submitter: Jenkins
Branch: master

commit d1773114eeb00ae090a58fdcaaaa449e886fa039
Author: Lance Bragstad <email address hidden>
Date: Fri Mar 13 19:29:25 2015 +0000

    Build domain scope for Fernet tokens

    This commit makes sure we pass domain_id to get_token_data() for the
    V3TokenDataHelper object. Previously, we weren't passing domain_id which caused
    missing data in validation responses for domain-scoped tokens.

    Change-Id: Ie810ba5d778c2186f699aae5f87ea0ff783e0bf9
    Closes-Bug: 1430433
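
The regression discussed in this report can be caught from the client side by comparing a validation response with the scope that was requested at authentication. The following is an added example, not keystone code and not something posted in this report; the function names and the FIXED sample are assumptions constructed for illustration, while BUGGY is the response body from the bug description.

```python
import json

# Validation response copied from the bug description on this page.
BUGGY = json.loads("""
{"token": {"audit_ids": ["c5zfY85bTrm_q8pAy2hk-A"],
  "expires_at": "2015-03-14T20:44:40Z", "extras": {},
  "issued_at": "2015-03-10T16:44:40Z", "methods": ["password", "token"],
  "user": {"domain": {"id": "default", "name": "Default"},
           "id": "ad89796c89e7422bb8b9f1bbf9d84bf6", "name": "admin"}}}
""")

# Constructed sample: same token with the domain scope, roles and catalog
# present. The role id and catalog entry are made-up values.
FIXED = {"token": dict(
    BUGGY["token"],
    domain={"id": "default", "name": "Default"},
    roles=[{"id": "constructed-role-id", "name": "admin"}],
    catalog=[{"type": "identity", "name": "keystone", "endpoints": []}],
)}


def token_scope(body):
    """Return 'domain', 'project' or 'unscoped' for a v3 validation body."""
    token = body["token"]
    # user.domain is the user's home domain, not the scope; only the
    # top-level keys of the token say what it is scoped to.
    for scope in ("domain", "project"):
        if scope in token:
            return scope
    return "unscoped"


def scope_problems(body, expected_scope, expected_id=None):
    """List where a validation response disagrees with the requested scope."""
    token = body["token"]
    problems = []
    scope = token_scope(body)
    if scope != expected_scope:
        problems.append(f"scope is {scope}, expected {expected_scope}")
    elif scope != "unscoped" and token[scope].get("id") != expected_id:
        problems.append(f"{scope} id is {token[scope].get('id')!r}")
    if expected_scope != "unscoped":
        if not token.get("roles"):
            problems.append("no roles in a scoped token")
        if "catalog" not in token:  # absent key; ?nocatalog was not used
            problems.append("no catalog in a scoped token")
    return problems
```

Run against BUGGY with an expected scope of "domain", the check reports all three gaps; a service that authorizes on the roles in such a response would see none.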

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → kilo-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-3 → 2015.1.0