APIv3 compatibility broken in Mitaka and Liberty
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Invalid
|
Undecided
|
Unassigned |
Bug Description
Current API documentation [1] uses the fields "domain": { "id": "default" }, to select a domain.
This call works in Liberty as you can see in the following snippet:
curl -i -H "Content-Type: application/json" -d '
{ "auth": {
"identity": {
"methods": ["password"],
"password": {
"user": {
"name": "admin",
"domain": { "id": "default" },
}
}
},
"scope": {
"project": {
"name": "admin",
"domain": { "id": "default" }
}
}
}
}' http://
HTTP/1.1 201 Created
X-Subject-Token: 8e861d59fb1847a
Vary: X-Auth-Token
X-Distribution: Ubuntu
Content-Type: application/json
Content-Length: 2794
X-Openstack-
Date: Tue, 28 Jun 2016 08:59:42 GMT
{"token": {"methods": ["password"], "roles": [{"id": "b1abb292e4af4e
but it's turned out that in mitaka it fails if you use the id field with the name of the domain:
curl -i -H "Content-Type: application/json" -d '
{ "auth": {
"identity": {
"methods": ["password"],
"password": {
"user": {
"name": "admin",
"domain": { "id": "default" },
}
}
},
"scope": {
"project": {
"name": "admin",
"domain": { "id": "default" }
}
}
}
}' http://
HTTP/1.1 401 Unauthorized
Date: Tue, 28 Jun 2016 09:01:04 GMT
Server: Apache/2.4.7 (Ubuntu)
Vary: X-Auth-Token
X-Distribution: Ubuntu
x-openstack-
WWW-Authenticate: Keystone uri="http://
Content-Length: 114
Content-Type: application/json
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}
in order to work you need to use name instead id:
curl -i -H "Content-Type: application/json" -d '
{ "auth": {
"identity": {
"methods": ["password"],
"password": {
"user": {
"name": "admin",
"domain": { "name": "default" },
}
}
},
"scope": {
"project": {
"name": "admin",
"domain": { "name": "default" }
}
}
}
}' http://
TTP/1.1 201 Created
Date: Tue, 28 Jun 2016 09:01:53 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Subject-Token: 0c293d9ceeba4a9
Vary: X-Auth-Token
X-Distribution: Ubuntu
x-openstack-
Content-Length: 4155
Content-Type: application/json
{"token": {"methods": ["password"], "roles": [{"id": "444fc66b35834e
breaking all the compatibility
[1] http://
description: | updated |
What are the domain's actual ID and name? are you using a SQL backend that is case insensitive?
What happens with a non-default domain? Can you auth by ID with a non-default domain?