The check about project scope and domain scope has a problem
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Invalid | Low | Prosunjit Biswas |
Bug Description
The keystone.
it as follows:
---
def token_to_
...
if token.project_
elif token.domain_
else:
...
---
However, if the token includes project_scoped and domain_scoped at the same time, it should raise an exception.
But the check code above does not cover the case where project_scoped and domain_scoped exist at the same time.
For reference, the API manual has the following description about scope.
---
The authorization scope includes either a project or domain. If you include both project and domain, this call returns the HTTP Bad Request (400) status code because a token cannot be simultaneously scoped as both a project and domain.
---
Changed in keystone:
assignee: nobody → majianjun (mjjun)
status: New → In Progress
Changed in keystone:
assignee: nobody → Prosunjit Biswas (prosun-csedu)
Changed in keystone:
status: Incomplete → In Progress
So I agree this is wrong... however, we need to be careful when correcting things like this in case we cause existing applications to fail. We should probably deprecate the "incorrect code" over two cycles, issuing a warning in the log for now.
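The check requested in the bug description, together with the warn-first rollout suggested in the comment above, as an added example that is not keystone's code. The names `resolve_scope` and `ScopeError`, the logger name, and the dict-shaped scope with `project` and `domain` keys are assumptions made for illustration.

```python
import logging

LOG = logging.getLogger("scope_check")  # hypothetical logger name


class ScopeError(Exception):
    """Hypothetical error type; carries the HTTP status to return."""

    def __init__(self, message, status=400):
        super().__init__(message)
        self.status = status


def resolve_scope(scope, strict=True):
    """Return ('project' | 'domain' | 'unscoped', target) for a scope dict.

    strict=True  : project and domain both present -> ScopeError (400),
                   the behaviour the API manual describes.
    strict=False : transitional mode; keep the project-first precedence of
                   the existing if/elif check, but log a warning so that
                   operators can find clients relying on it before the
                   check is enforced.
    """
    scope = scope or {}
    project = scope.get("project")
    domain = scope.get("domain")

    if project and domain:
        msg = "scope contains both project and domain"
        if strict:
            raise ScopeError(msg, status=400)
        LOG.warning("%s; treating as project-scoped (deprecated)", msg)
        return "project", project

    if project:
        return "project", project
    if domain:
        return "domain", domain
    return "unscoped", None


# Constructed sample scopes (not taken from the bug report).
SAMPLES = {
    "project_only": {"project": {"id": "p-123"}},
    "domain_only": {"domain": {"id": "d-456"}},
    "both": {"project": {"id": "p-123"}, "domain": {"id": "d-456"}},
    "none": {},
}
```

Running with `strict=False` first and watching for the warning shows which clients send both scopes before the 400 response is switched on.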