user creation without domain using admin_token should fail nicer

Bug #1434000 reported by Boris Bobrov
This bug affects 2 people
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Low
Assigned to: Deepti Ramakrishna

Bug Description

Snippet http://paste.openstack.org/show/193500/ results in

keystoneclient.openstack.common.apiclient.exceptions.Unauthorized: The request you have made requires authentication. (Disable debug mode to suppress these details.) (HTTP 401)

There should be another error message: https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L698

tags: added: user-experience
Changed in keystone:
status: New → Confirmed
importance: Undecided → Low
milestone: none → kilo-rc1
Changed in keystone:
milestone: kilo-rc1 → none
Changed in keystone:
assignee: nobody → Deepti Ramakrishna (dramakri)
Changed in keystone:
status: Confirmed → In Progress
Deepti Ramakrishna (dramakri) wrote :
Brant Knudson (blk-u) wrote :

Why should this fail rather than use the default domain?

Deepti Ramakrishna (dramakri) wrote :

Brant, in the case of a v3 create entity call that does not specify a domain ID, the spec says that we should use the domain scoping from the token being used. But it does not say what we should do if the token itself is not associated with a domain. Also, if we use the default domain for admin tokens, then when the TODO by henry-nash (https://github.com/openstack/keystone/blob/9cdbe6039b55ee401a31a18f734f88b17629b760/keystone/common/controller.py#L719-L724) is fixed, the behavior of the admin token will become inconsistent with other non-domain scoped tokens.

If you feel strongly that we should use the default domain, I can make that change. Your call.

Brant Knudson (blk-u) wrote :

ok, makes sense.

Jamie Lennox (jamielennox) wrote :

The change related to this means that you cannot do admin token operations with the v2 API.

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/196942
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9a41fbf1da00ec66774efd9766749e7bd19e7030
Submitter: Jenkins
Branch: master

commit 9a41fbf1da00ec66774efd9766749e7bd19e7030
Author: Deepti Ramakrishna <email address hidden>
Date: Thu Nov 19 16:03:40 2015 -0800

    Reject user creation using admin token without domain

    Admin token is not associated with any domain and hence user creation
    using admin token without explicitly specifying the domain should fail.

    Change-Id: I82b9acccaa8d5f00d326604ce2992fc423db0b62
    Closes-Bug: #1434000
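
The domain-resolution order discussed in the thread and the rejection this commit describes, as an added sketch that is not keystone's own code and not part of the original report. `RequestContext`, `resolve_domain_id`, `try_create` and the default-domain fallback in step 4 are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_DOMAIN_ID = "default"  # assumed fallback value for this sketch


class ValidationError(Exception):
    """Maps to HTTP 400: the request is incomplete, not unauthenticated."""
    http_status = 400


@dataclass
class RequestContext:
    # Hypothetical stand-in for the request context; not keystone's class.
    is_admin: bool = False                  # request used the shared admin_token
    token_domain_id: Optional[str] = None   # set only for domain-scoped tokens


def resolve_domain_id(entity: dict, ctx: RequestContext) -> str:
    """Pick the domain a v3 create call should place the new entity in."""
    # 1. An explicit domain in the request body always wins.
    if entity.get("domain_id"):
        return entity["domain_id"]
    # 2. The admin token belongs to no domain, so there is nothing to
    #    inherit: reject with a message that names the missing field.
    if ctx.is_admin:
        raise ValidationError(
            "Resource created with the admin token must specify domain_id: "
            "the admin token is not scoped to any domain.")
    # 3. Domain-scoped token: inherit its domain, as the spec describes.
    if ctx.token_domain_id:
        return ctx.token_domain_id
    # 4. Any other token: this sketch assumes a default-domain fallback,
    #    the case the TODO mentioned in the thread is about.
    return DEFAULT_DOMAIN_ID


def try_create(entity: dict, ctx: RequestContext):
    """Return (status, detail) the way an API layer would report it."""
    try:
        return 201, resolve_domain_id(entity, ctx)
    except ValidationError as exc:
        return exc.http_status, str(exc)
```

The admin-token case returns a 400 whose text names `domain_id`, instead of the 401 quoted in the bug description.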

Changed in keystone:
status: In Progress → Fix Released
Thierry Carrez (ttx) wrote : Fix included in openstack/keystone 9.0.0.0b2

This issue was fixed in the openstack/keystone 9.0.0.0b2 development milestone.
