Fernet token validation doesn't return catalog and role information for domain scoped tokens

Bug #1430433 reported by Haneef Ali on 2015-03-10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Lance Bragstad

Bug Description

root@4d4627c10662:/etc/keystone# curl -k -H "X-Auth-Token:ADMIN" -H "X-Subject-Token:$d" http://localhost:35357/v3/auth/tokens | python -mjson.tool
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 292 100 292 0 0 154 0 0:00:01 0:00:01 --:--:-- 154
    "token": {
        "audit_ids": [
        "expires_at": "2015-03-14T20:44:40Z",
        "extras": {},
        "issued_at": "2015-03-10T16:44:40Z",
        "methods": [
        "user": {
            "domain": {
                "id": "default",
                "name": "Default"
            "id": "ad89796c89e7422bb8b9f1bbf9d84bf6",
            "name": "admin"

Boris Bobrov (bbobrov) on 2015-03-10
Changed in keystone:
assignee: nobody → Boris Bobrov (bbobrov)
Haneef Ali (haneef) on 2015-03-12
tags: added: fernet
Dolph Mathews (dolph) wrote :

Support for domain scoped tokens was added in https://github.com/openstack/keystone/commit/622b51e096dd87e117e1e9417196956131edfb1a

The above looks like an unscoped token; if you were expecting a domain-scoped token, the above patch should change the validation result.

Changed in keystone:
status: New → Incomplete
Boris Bobrov (bbobrov) on 2015-03-13
Changed in keystone:
assignee: Boris Bobrov (bbobrov) → nobody
Lance Bragstad (lbragstad) wrote :

This is what a response looks like for a domain-scoped UUID token [1].
This is the current response for a Fernet domain-scoped token [2].

This is because the v3_token_data_helper.get_token_data() method [3] wasn't being called with domain_id. I assume this was lost somewhere in the massive rebase chain as this was being implemented.

After applying [4], the Fernet domain-scoped responses look like the following [5]

[1] http://cdn.pasteraw.com/eqw4n3vh0bb0xnv6y195flz7zb0u33q
[2] http://cdn.pasteraw.com/7kmeev9y0cssyk7puri1v47nlclleuv
[3] https://github.com/openstack/keystone/blob/24bc6a1bf03e0ef71b16b2e973120aa9a8131778/keystone/token/providers/fernet/core.py#L137-L146
[4] http://cdn.pasteraw.com/7aklvpeuajaxsi7ztsowce2jhkrtoby
[5] http://cdn.pasteraw.com/s93vle6j6krnx4fp49xm919pji385yn

I'll push the diff for review shortly.

Changed in keystone:
status: Incomplete → Confirmed
importance: Undecided → High
assignee: nobody → Lance Bragstad (lbragstad)

Fix proposed to branch: master
Review: https://review.openstack.org/164315

Changed in keystone:
status: Confirmed → In Progress
Dolph Mathews (dolph) wrote :

This issue is being reproduced here:


(If that build shows as passing, then a fix has merged to keystone.)

Reviewed: https://review.openstack.org/164315
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d1773114eeb00ae090a58fdcaaaa449e886fa039
Submitter: Jenkins
Branch: master

commit d1773114eeb00ae090a58fdcaaaa449e886fa039
Author: Lance Bragstad <email address hidden>
Date: Fri Mar 13 19:29:25 2015 +0000

    Build domain scope for Fernet tokens

    This commit makes sure we pass domain_id to get_token_data() for the
    V3TokenDataHelper object. Previously, we weren't passing domain_id which caused
    missing data in validation responses for domain-scoped tokens.

    Change-Id: Ie810ba5d778c2186f699aae5f87ea0ff783e0bf9
    Closes-Bug: 1430433

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2015-03-19
Changed in keystone:
milestone: none → kilo-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-04-30
Changed in keystone:
milestone: kilo-3 → 2015.1.0
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers