OpenStack Identity (keystone)

keystone list project api returns empty if "?name=" is added as url parameter

Bug #1681348 reported by Xiaoliang Li on 2017-04-10

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Won't Fix	Undecided	Unassigned

Bug Description

request: https://{{keystone_ip}}:5000/v3/projects?name=
expect: returns all projects of current user.
but: return empty.

Other OpenStack components obey this convention properly, so keystone is inconsistent with them.

Revision history for this message

Kristi Nikolla (knikolla) wrote on 2017-04-11:

#1

Hi Xiaoliang,

By all other OpenStack components do you mean, for example, listing volumes in cinder? In that case doing /v3/<project_id>/volumes will return all the volumes that you have access to within the project your token is scoped to. In cinder too, doing "?name=" will give you an empty list, since it will be querying for a volume named exactly "" (empty).

The /v3/projects API is for admins only. So when it is performed by an admin it will return all the projects in keystone regardless of user. When you use the "?name=" filter, it will query for a project **matching** exactly the name "" (empty) and failing to find one will correctly return an empty list.

If you are looking to get all projects of the current user you should use /v3/auth/projects.

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2017-04-11:

#2

If you're looking for all projects a user has access to, we have a dedicated API for that per Kristi's comment:

GET http://{keystone_url}/v3/auth/projects

Feel free to re-open this if you believe this behavior is causing a bug of some sort.

Changed in keystone:
status:	New → Invalid

Revision history for this message

Xiaoliang Li (caitsithx) wrote on 2017-04-13:

#3

Hi Kristi,

please try: https://{{keystone_ip}}:9696/v2.0/networks?name=

I mean it makes user very confusing.

Changed in keystone:
status:	Invalid → New

Revision history for this message

Xiaoliang Li (caitsithx) wrote on 2017-04-13:

#4

also try:
nova: https://{{keystone_ip}}:8774/v2.1/{{os_project_id}}/servers?name=

looks keystone is consistent with glance and cinder in an "openstack" way, while neutron is consistent with nova in another way which is more common.

it's very confusing.

Revision history for this message

Xiaoliang Li (caitsithx) wrote on 2017-04-13:

#5

also for keystone:

https://{{keystone_ip}}:5000/v3/domains?enabled= is behaving differently, it returns all domains disregarding enabled/or disabled.

Thank you for Kristi's explanation. normally,

Since the url params are filtering strings, when the url param is appended but equals to <empty>, it implies that the filter is not applied. thus, it returns all values without filtering. I feel it's more a common way as nova/neutron is implemented.

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2017-07-25:

#6

Is this still an issue in cinder and glance? Is there any communication happening across projects to address this concern?

Revision history for this message

Morgan Fainberg (mdrnstm) wrote on 2017-08-09:

#7

Unfortunately, we cannot change the behavior without a microversion uspport or something similar. ?name= will need to maintain returning an empty list, as that is the contract. I am closing this as wont fix.

Changed in keystone:
status:	New → Won't Fix

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.