Unable to list federated projects with unscoped token

Bug #1693704 reported by yangweiwei
Affects: OpenStack Identity (keystone)
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

When I get the federated user's project list, the error is as below:

2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in __call__
2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi result = method(req, **params)
2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/controller.py", line 164, in inner
2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi return f(self, request, *args, **kwargs)
2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/federation/controllers.py", line 480, in list_projects_for_user
2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi request.auth_context['group_ids'])
2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi KeyError: 'group_ids'
2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi

and I have a token scoped to a domain.

My mapping rule is as below:

[
    {
        "local": [
            {
                "user": {
                    "name": "{0}",
                    "domain": {
                        "name": "{1}"
                    },
                    "type": "local"
                }
            }
        ],
        "remote": [
            {
                "type": "openstack_user"
            },
            {
                "type": "openstack_user_domain"
            }
        ]
    }
]

The error is that the token is an unscoped token obtained from the API “/v3/OS-FEDERATION/identity_providers/keystone-idp/protocols/saml2/auth”, and then the federated user wants to get the projects from /v3/OS-FEDERATION/projects. But an error occurs.

yangweiwei (496176919-6)
Changed in keystone:
assignee: nobody → yangweiwei (496176919-6)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/468290

Changed in keystone:
status: New → In Progress
summary: - fedetation list porjects for user
+ federation list projects for user
summary: - federation list projects for user
+ Unable to list federated projects with domain-scoped token
Revision history for this message
Lance Bragstad (lbragstad) wrote : Re: Unable to list federated projects with domain-scoped token

After reviewing this bug a bit more, I'm not sure we should allow the ability to list projects with a domain-scoped token. Domain-scoped tokens, as the name implies, are to be used within a specific domain. A domain contains projects but a federated user can have access to other projects in multiple domains. I don't think being able to list projects with a domain-scoped token makes sense in that case, because you're using a token scoped to a specific domain to get information *outside* of that domain.

I believe the KeyError here is coming from using GET /OS-FEDERATION/projects [0] instead of GET /auth/projects/. The GET /auth/projects API knows how to handle group ids and doesn't expect them to be in the token like the /OS-FEDERATION/projects API does. The /OS-FEDERATION/project and /OS-FEDERATION/domains APIs are both deprecated in favor of the /auth/projects and /auth/domains equivalents.

[0] https://github.com/openstack/keystone/blob/fece45d75c4ba893828cbdcbcccc6b97b8c06c68/keystone/federation/controllers.py#L477
[1] https://github.com/openstack/keystone/blob/fece45d75c4ba893828cbdcbcccc6b97b8c06c68/keystone/auth/controllers.py#L365
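The following is an added illustration, not keystone's code and not part of this bug thread. It models the difference the traceback and the comment above point at: a handler in the style of the deprecated /OS-FEDERATION/projects path reads group_ids straight out of the token's auth context and fails with KeyError when a token carries none (the reporter's mapping rule names no groups, so nothing populates that field), while a handler in the style of /auth/projects resolves group membership from the user id and merges direct and group role assignments. All identifiers, the lookup tables and the sample auth contexts are constructed assumptions for this example.

```python
"""Constructed model of keystone's two project-listing paths (assumed, not
keystone's own code): why a federated token without 'group_ids' breaks the
deprecated federation handler while the /auth/projects style keeps working."""

# Constructed sample data: one federated user, the group the mapping put
# them in, and role assignments granted directly or through that group.
USER_ID = "fed-user-1"
GROUP_MEMBERSHIPS = {"fed-user-1": ["group-a"]}      # user id -> group ids
USER_ASSIGNMENTS = {"fed-user-1": ["proj-direct"]}    # user id -> project ids
GROUP_ASSIGNMENTS = {"group-a": ["proj-via-group"]}   # group id -> project ids


def _merge_assignments(user_id, group_ids):
    """Projects reachable through direct assignments plus group assignments."""
    projects = set(USER_ASSIGNMENTS.get(user_id, []))
    for gid in group_ids:
        projects.update(GROUP_ASSIGNMENTS.get(gid, []))
    return sorted(projects)


def legacy_list_projects(auth_context):
    """Mimics the failing path in the traceback: the deprecated federation
    handler indexes the token's auth context for group ids directly, so a
    token that carries no 'group_ids' raises KeyError here."""
    group_ids = auth_context["group_ids"]
    return _merge_assignments(auth_context["user_id"], group_ids)


def auth_list_projects(auth_context):
    """Models the /auth/projects behaviour described in the thread: group
    ids are looked up from the user id, so the token need not carry them."""
    user_id = auth_context["user_id"]
    group_ids = auth_context.get("group_ids")
    if group_ids is None:
        group_ids = GROUP_MEMBERSHIPS.get(user_id, [])
    return _merge_assignments(user_id, group_ids)


def legacy_error(auth_context):
    """Return the KeyError text the legacy path raises, or None if it works.
    Useful for confirming which kind of token trips the deprecated API."""
    try:
        legacy_list_projects(auth_context)
    except KeyError as exc:
        return str(exc)
    return None


# Two constructed auth contexts: a token whose mapping populated group_ids,
# and an unscoped federated token (like the reporter's, mapped straight to a
# local user with no groups) that carries no group_ids at all.
TOKEN_WITH_GROUPS = {"user_id": USER_ID, "group_ids": ["group-a"]}
TOKEN_WITHOUT_GROUPS = {"user_id": USER_ID}

if __name__ == "__main__":
    for label, ctx in (("with group_ids", TOKEN_WITH_GROUPS),
                       ("without group_ids", TOKEN_WITHOUT_GROUPS)):
        print("token %s:" % label)
        print("  legacy /OS-FEDERATION/projects ->",
              legacy_error(ctx) or legacy_list_projects(ctx))
        print("  /auth/projects style          ->", auth_list_projects(ctx))
```

Running it shows the legacy path returning the same project list as the /auth/projects style when the token carries group_ids, and failing with KeyError: 'group_ids' for the unscoped token, while the /auth/projects style still returns both the directly assigned and the group-derived project; that is the practical reason to migrate clients to GET /auth/projects rather than to patch the deprecated endpoint.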

Revision history for this message
Lance Bragstad (lbragstad) wrote :

Marking this as invalid based on the findings above, but we can keep using the thread for discussion if you have more questions about how the various OS-FEDERATION APIs work.

Changed in keystone:
status: In Progress → Invalid
yangweiwei (496176919-6)
summary: - Unable to list federated projects with domain-scoped token
+ Unable to list federated projects with unscoped token
description: updated
Changed in keystone:
status: Invalid → In Progress
yangweiwei (496176919-6)
description: updated
Revision history for this message
yangweiwei (496176919-6) wrote :

The /OS-FEDERATION/project and /OS-FEDERATION/domains APIs are both deprecated. Why? I have seen it (/v3/OS-FEDERATION/projects) in https://developer.openstack.org/api-ref/identity/v3-ext/?expanded=request-an-unscoped-os-federation-token-detail,list-projects-a-federated-user-can-access-detail.

Maybe it is used for dealing with local and federated user differently.

Revision history for this message
Lance Bragstad (lbragstad) wrote :

From the link above:

"Deprecated in v1.1. Use core GET /auth/projects. This call has the same response format."

Can you recreate the issue above with the GET /auth/projects or GET /auth/domains APIs?

Revision history for this message
Lance Bragstad (lbragstad) wrote :

Turns out we formally deprecated those APIs a long time ago. I did some digging and found the original commit to the documentation [0]. I proposed a patch that updates keystone to emit deprecation warnings on that API [1].

[0] https://review.openstack.org/#/c/115423/
[1] https://review.openstack.org/#/c/487219/

Revision history for this message
Lance Bragstad (lbragstad) wrote :

Is there still an issue here? The bug title changed from what is being described in the bug description.

Changed in keystone:
status: In Progress → Incomplete
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by yangweiwei (<email address hidden>) on branch: master
Review: https://review.openstack.org/468290

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by yangweiwei (<email address hidden>) on branch: master
Review: https://review.openstack.org/469318

Revision history for this message
Lance Bragstad (lbragstad) wrote :

Automatically unassigning due to inactivity.

Changed in keystone:
assignee: yangweiwei (496176919-6) → nobody
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for OpenStack Identity (keystone) because there has been no activity for 60 days.]

Changed in keystone:
status: Incomplete → Expired