OpenStack Identity (keystone)

The check about project scope and domain scope has a problem

Bug #1489724 reported by majianjun on 2015-08-28

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Invalid	Low	Prosunjit Biswas

Bug Description

The keystone.common.authorization.token_to_auth_context function has part check code about scope,
it as follows:
---
def token_to_auth_context(token):
    ...
    if token.project_scoped:
        auth_context['project_id'] = token.project_id
    elif token.domain_scoped:
        auth_context['domain_id'] = token.domain_id
    else:
        LOG.debug('RBAC: Proceeding without project or domain scope')
   ...
---

However if the token includes the project_scoped and domain_scoped at the same time,it should raise an exception.
But now the above check code does not include the check when the project_scoped and domain_scoped exist at the same time .
Reference the api manual has the following description about scope.
---
The authorization scope includes either a project or domain. If you include both project and domain, this call returns the HTTP Bad Request (400) status code because a token cannot be simultaneously scoped as both a project and domain.
---

majianjun (mjjun) on 2015-08-28

Changed in keystone:
assignee:	nobody → majianjun (mjjun)
status:	New → In Progress

Revision history for this message

Henry Nash (henry-nash) wrote on 2015-08-28:

So I agree this is wrong....however, we need to be careful we correcting things like this in case we cause existing applications to fail. We should probably deprecate the "incorrect code" over two cycles, with issuing a warning in the log for now.

Revision history for this message

Dolph Mathews (dolph) wrote on 2015-08-31:

Can you provide an example or an API test to demonstrate that the proposed check ("when the project_scoped and domain_scoped exist at the same time") would even be reachable?

Changed in keystone:
status:	In Progress → Incomplete
importance:	Undecided → Low

Revision history for this message

Steve Martinelli (stevemar) wrote on 2016-02-21:

unassigning due to inactivity

Changed in keystone:
assignee:	majianjun (mjjun) → nobody

Prosunjit Biswas (prosun-csedu) on 2016-03-07

Changed in keystone:
assignee:	nobody → Prosunjit Biswas (prosun-csedu)

Prosunjit Biswas (prosun-csedu) on 2016-03-08

Changed in keystone:
status:	Incomplete → In Progress

Revision history for this message

Prosunjit Biswas (prosun-csedu) wrote on 2016-03-09:

The code presented in the bug description favors project scope when both project and domain scopes are available in the token. I found, this is quite a violation of the documentation presented in http://developer.openstack.org/api-ref-identity-v3.html

I wonder, what is the problem if we favor project scope (which is more restricted) over domain scope when both are presented (which the code already does)?

Revision history for this message

Brant Knudson (blk-u) wrote on 2016-03-11:

This should not be marked in progress since there's no review proposed. Still need an answer to comment 2.

Changed in keystone:
status:	In Progress → Incomplete

Revision history for this message

Prosunjit Biswas (prosun-csedu) wrote on 2016-03-21:

On the findings of comment #2, when requested for a token for

(1). project scope, existing token generation method returns token under valid credential
Token request curl command and returned token is available here: https://gist.github.com/Prosunjit/f5b859089ec340dd6584

(2). domain scope, existing token generation method returns token under valid credential.
Token request curl command and returned token is available here: https://gist.github.com/Prosunjit/7bfab9d4c23379da21dc

(3). When both project and domain scope is presented, exiting code returns 400 as specified in the API.
Token request curl command and return status is available here: https://gist.github.com/Prosunjit/52e0f129e7836a5a0c3c

Code Review:

In file: keystone/keystone/auth/controllers.py
In function: authenticate_for_token

AuthInfo.create() command generates token for incoming token request. When both domain and project scope are present existing code DO check this in the following code and return output following the specification.

def _validate_and_normalize_scope_data(self):

"""Validate and normalize scope data."""

if 'scope' not in self.auth:

return

if sum(['project' in self.auth['scope'],

'domain' in self.auth['scope'],

'unscoped' in self.auth['scope'],

'OS-TRUST:trust' in self.auth['scope']]) != 1:

raise exception.ValidationError(

attribute='project, domain, OS-TRUST:trust or unscoped',

target='scope')

So, I think, this bug fails to demonstrate its existence.

Changed in keystone:
status:	Incomplete → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.