OpenStack Identity (keystone)

Domain scope auth fails when use endpoint filter

Bug #1709801 reported by Martins Jakubovics on 2017-08-10

This bug affects 1 person

	Status	Importance	Assigned to
OpenStack Identity (keystone)	Invalid	Undecided	Martins Jakubovics
Newton	Won't Fix	Undecided	Martins Jakubovics
Ocata	New	Undecided	Unassigned

Bug Description

When use endpoint_filter.sql catalog driver in Newton and authenticate with domain scope, we fail to receive endpoints. Should be all endpoints instead.

Martins Jakubovics (martins-k) on 2017-08-10

Changed in keystone:
assignee:	nobody → Martins Jakubovics (martins-k)

Revision history for this message

Martins Jakubovics (martins-k) wrote on 2017-08-10:

Looks like such backport are unable to include in upstream, so if someone have same issue, here are solution:

diff --git a/keystone/contrib/endpoint_filter/backends/catalog_sql.py b/keystone/contrib/endpoint_filter/backends/catalog_sql.py
index b3c2ac5..028df36 100644
--- a/keystone/contrib/endpoint_filter/backends/catalog_sql.py
+++ b/keystone/contrib/endpoint_filter/backends/catalog_sql.py
@@ -34,8 +34,10 @@ class EndpointFilterCatalog(sql.Catalog):

services = {}

- dict_of_endpoint_refs = (self.catalog_api.
- list_endpoints_for_project(project_id))
+ dict_of_endpoint_refs = {}
+ if project_id:
+ dict_of_endpoint_refs = (self.catalog_api.
+ list_endpoints_for_project(project_id))

if (not dict_of_endpoint_refs and
CONF.endpoint_filter.return_all_endpoints_if_no_filter):

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-08-10: Fix proposed to keystone (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/492527

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2017-08-10:

The EndpointFilter catalog was removed in Pike [0] and the issue isn't reproducible in stable/ocata.

[0] https://github.com/openstack/keystone/commit/d35f36916e109f0d2557bb778424e7aee3bc6b31

Changed in keystone:
status:	New → Invalid

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-10-24: Change abandoned on keystone (stable/newton)

Change abandoned by Tony Breeds (<email address hidden>) on branch: stable/newton
Review: https://review.openstack.org/492527
Reason: This branch (stable/newton) is at End Of Life

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.