When authenticating against v3, if the domain is excluded a 401 Unauthenticated is returned
Bug #1470670 reported by
Ian Cordasco
This bug report is a duplicate of:
Bug #1482330: Creating a user/group/project without a domain should be deprecated (or even raise an exception).
Edit
Remove
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Triaged
|
Medium
|
Unassigned |
Bug Description
Example code:
http://
Steps to reproduce:
0. Set-up Keystone from master
1. Create a keystoneclient.
1. i. test that the token is valid by listing something (e.g., users.list())
2. Call keystone.
3. Keystone returns a 401 Unauthenticated.
This is clearly incorrect. A 422 might be closer to the truth if it were used a Validation Failed status code (as GitHub and others use it).
The client is authenticated and authentication will not fail. There is something missing from the request though.
Changed in keystone: | |
assignee: | nobody → jiaxi (tjxiter) |
summary: |
- When creating a user with v3, if the domain is excluded a 401 + When authenticating against v3, if the domain is excluded a 401 Unauthenticated is returned |
Changed in keystone: | |
assignee: | nobody → rohita joshi (rjoshi16) |
Changed in keystone: | |
importance: | Undecided → Medium |
status: | New → Triaged |
Changed in keystone: | |
assignee: | rohita joshi (rjoshi16) → nobody |
To post a comment you must log in.
So it's not quite as simple as that. First a 401/403 basically means "you don't have authorization to do the thing you just tried to do". This could be that you are not authenticated, or that your are authenticated but don't have the role assignments (I.e. authorization) needed to carry out the action of the API".
For user/group API create calls, the Identity spec says that if the domain is not provided in the request body, then the domain that the token is scoped to will be used. So in this case, keystone is trying to say "So you didn't put the domain_id in the request body, and I looked at the token and the you don't have the required roles on the domain the token is scoped to execute that call on that domain". I guess you could argue that if the token is not domain scoped (i.e. project scoped), then we should issue a validation error. However, for backward compatibility reasons, in the case where you only have a project scoped token, we default to trying the default domain (this is not nice, and I'd like us to deprecate this bit). So in fact, what keystone is telling you is:
"So you didn't put the domain_id in the request body, and I looked at the token and the you don't have the required roles on the domain the token is scoped to execute that call on that domain, or if it's a project scoped token, then I checked the default domain and you don't have the required roles there either."
Since you have a valid token, I would have actually executed a 403 from your call (although I have a suspision we might coerce, in non debug mode, things to a 401 to not give attackers any clue as to where they are going wrong.....I need to check if that is true)