project admin unable to fetch it's own domain

Bug #1810983 reported by Guang Yee on 2019-01-08
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Lance Bragstad
Guang Yee
Guang Yee

Bug Description

NOTE: This bug impacts stable/rocky and possibly stable/queens release. Master branch is not impacted.

The "RULE_ADMIN_OR_TARGET_DOMAIN" which protecting the "get_domain" API no longer works in stable/rocky.

This resulted in domain admin unable to fetch his own domain. Looks like we switched over to oslo_context around stable/queens timeframe. And the token (TokenModel) is no longer in the auth_context which caused this rule to fail.


The problem was corrected recently in the master branch by this patch

where to token is added back to the auth_context.

Lance Bragstad (lbragstad) wrote :

On master, this is a duplicate bug [0], which has already been fixed [1].

Keeping this as a separate bug for now since the fix to the stable branches are going to be different. We can't backport the fix to master because it requires updated versions of oslo.policy.


Changed in keystone:
status: New → Fix Committed
importance: Undecided → Medium
Guang Yee (guang-yee) wrote :

After further investigation, turns out my initial analysis was incorrect. Looks like we are no longer be able to specify something like this for the credential match anymore.


This capability was taken away by the removal of KeystoneToken from the model by this patch.

KeystoneToken used to be a subclass of dict which stores the token ref json.

TokenModel, on the other hand, is an object.

From now on, I guess we'll need to use the attributes in the TokenModel or oslo_context.to_policy_values() for credential match instead. So we can change the rule to either 'token.project.domain_id' or simply 'project_domain_id'.

summary: - domain admin unable to fetch domain
+ project admin unable to fetch it's own domain
Changed in keystone:
milestone: none → stein-3
milestone: stein-3 → stein-2
assignee: nobody → Lance Bragstad (lbragstad)

Submitter: Zuul
Branch: stable/rocky

commit a2e307ed4d526e21cddf7551f160b587b89360e4
Author: Guang Yee <email address hidden>
Date: Wed Jan 9 16:07:36 2019 -0800

    correct the admin_or_target_domain rule

    With the removal of KeystoneToken from the token model, we longer
    have the ability to use the token data syntax in the policy rules.
    This change broke backward compatibility for those is deploying
    customized Keystone policies. Unfortunately, we can't go back
    to KeystoneToken model as the change was tightly coupled with
    the other refactored authorization functionalities.

    Since the scope information is now available in the credential
    dictionary, we can just make use of it instead. Those who have
    custom policies must update their policy files accordingly.

    Change-Id: I83eae5c390d720da05e91264519ae01e8ca32159
    closes-bug: 1810983

Change abandoned by guang-yee (<email address hidden>) on branch: stable/queens
Reason: Not needed.

This issue was fixed in the openstack/keystone 14.1.0 release.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers