[api] scoped string defined as 'unscope: {}'

Bug #1637682 reported by chenyujie
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Low | Samriddhi |
keystoneauth | Fix Released | Low | Samriddhi |

Bug Description

keystoneauth1/identity/v3/base.py:
...
        elif self.unscoped:
            body['auth']['scope'] = {'unscoped': {}}
...

According to the Identity API v3 spec ( http://developer.openstack.org/api-ref/identity/v3/index.html?expanded=password-authentication-with-unscoped-authorization-detail,password-authentication-with-scoped-authorization-detail ), there should be no '{'scope': {'unscoped': {}}' in 'auth'. For a keystone version which strictly follows the spec, it would be a security error, so the code slice should be deleted.

Revision history for this message
chenyujie (gzyjchen) wrote :
Changed in keystoneauth:
assignee: nobody → chenyujie (gzyjchen)
Revision history for this message
Steve Martinelli (stevemar) wrote :

In this case, the API needs to be updated, it should include the "unscoped" option: https://github.com/openstack/keystone/blob/master/api-ref/source/v3/authenticate-v3.inc

The issue here is that we moved our APIs from one repo to another and some content went missing in the transition.

Information about "unscoped" in the old API is here: https://github.com/openstack/keystone-specs/blob/master/attic/v3/identity-api-v3.rst#unscoped

Changed in keystoneauth:
status: New → Invalid
Changed in keystone:
status: New → Triaged
importance: Undecided → Low
Changed in keystoneauth:
assignee: chenyujie (gzyjchen) → nobody
tags: added: api-ref documentation
guoshan (guoshan)
Changed in keystone:
assignee: nobody → guoshan (guoshan)
summary: - scoped string defined as 'unscope: {}'
+ [api] scoped string defined as 'unscope: {}'
Changed in keystone:
assignee: guoshan (guoshan) → nobody
Revision history for this message
Samuel de Medeiros Queiroz (samueldmq) wrote :

Unassigned due to inactivity.

Samriddhi (s-jain)
Changed in keystone:
assignee: nobody → Samriddhi (s-jain)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/450038

Changed in keystone:
status: Triaged → In Progress
Revision history for this message
Samuel de Medeiros Queiroz (samueldmq) wrote :

There is something weird to me here yet.

The mentioned keystoneauth code is creating the following body for an explicit unscoped token request:

{
    "auth": {
        "identity": {
            ...
        },
        "scope": {'unscoped': {}}
    }
}

While our example in docs [1] mention:

{
    "auth": {
        "identity": {
            ...
        },
        "scope": "unscoped"
    }
}

Notice keystoneauth1 does {'unscoped': {}} while keystone server specifies 'unscoped'.

Luckily our code [2] in keystone server checks 'unscoped' in self.auth['scope'], which works with both representations:

>>> 'unscoped' in {'unscoped':{}}
True
>>> 'unscoped' in 'unscoped'
True
>>>

I wonder if that is something we would like to fix in order to make them consistent.
I'd vote for that, a patch in keystoneauth1, besides the doc improvement proposed would be great.

[1] https://developer.openstack.org/api-ref/identity/v3/index.html?expanded=password-authentication-with-explicit-unscoped-authorization-detail

[2] https://github.com/openstack/keystone/blob/ca35d00/keystone/auth/core.py#L235-L244

Revision history for this message
David Stanek (dstanek) wrote :

I agree with the change to keystoneauth. We just got lucky that keystone is very liberal with the values that it expects.

We might also want to put a comment in the schema.py (assuming there is one) that validates this input to say not to make it strictly a string. That way we don't break when old versions of keystoneauth are in use.
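Samuel's REPL session above shows why the server-side check happens to accept both shapes: `in` is a key lookup on a dict but a substring match on a string, so it is lenient in ways the API-ref never intended. The following is an added example (not keystone's or keystoneauth1's own code) that puts the lenient check next to a strict parser for the `auth.scope` member, accepting exactly the documented string `'unscoped'`, the legacy `{'unscoped': {}}` object that David wants the schema comment to keep working, and project/domain scopes by id or name. The request bodies and ids used in it are constructed for the demonstration.

```python
"""Strict parsing of the Identity v3 'auth.scope' member.

Added example; not code from keystone or keystoneauth1. It contrasts the
substring-based check quoted in the thread with a parser that only accepts
the shapes the API-ref describes. Sample bodies below are constructed.
"""
import json


def lenient_is_unscoped(scope):
    """Mirror of the check quoted from keystone/auth/core.py in the thread.

    True for 'unscoped' and for {'unscoped': {}}, but also for any string
    that merely contains the substring 'unscoped'.
    """
    return 'unscoped' in scope


class ScopeError(ValueError):
    """Raised when the scope member is not one of the documented shapes."""


def parse_scope(scope):
    """Return a normalized (kind, reference) tuple for a v3 scope member.

    Accepted inputs:
      - the string 'unscoped'                 (what the API-ref documents)
      - the object {'unscoped': {}}           (what old keystoneauth1 sends)
      - {'project': {'id': ...}} or {'project': {'name': ..., 'domain': {...}}}
      - {'domain': {'id': ...}} or {'domain': {'name': ...}}
    Everything else is rejected, unlike the substring-based check.
    """
    if scope == 'unscoped':
        return ('unscoped', None)
    if not isinstance(scope, dict) or len(scope) != 1:
        raise ScopeError("scope must be the string 'unscoped' or an object with one key")
    (kind, target), = scope.items()
    if kind == 'unscoped':
        if target != {}:
            raise ScopeError('unscoped scope takes an empty object')
        return ('unscoped', None)
    if kind not in ('project', 'domain'):
        raise ScopeError('unknown scope type %r' % (kind,))
    if not isinstance(target, dict):
        raise ScopeError('%s scope must be an object' % kind)
    if 'id' in target:
        return (kind, {'id': target['id']})
    if 'name' in target:
        ref = {'name': target['name']}
        if kind == 'project':
            # A project name is only unique within a domain, so the API-ref
            # requires the domain alongside it.
            domain = target.get('domain')
            if not isinstance(domain, dict) or not ('id' in domain or 'name' in domain):
                raise ScopeError('project scoped by name needs a domain id or name')
            ref['domain'] = domain
        return (kind, ref)
    raise ScopeError('%s scope needs an id or a name' % kind)


def scope_of_request(body_json):
    """Parse a full POST /v3/auth/tokens body and return its normalized scope.

    A body with no 'scope' member at all is an implicit unscoped request.
    """
    auth = json.loads(body_json)['auth']
    if 'scope' not in auth:
        return ('unscoped', None)
    return parse_scope(auth['scope'])


# Constructed request bodies; the identity block is elided as in the thread.
KEYSTONEAUTH_OLD_BODY = json.dumps(
    {'auth': {'identity': {'methods': ['password']}, 'scope': {'unscoped': {}}}})
API_REF_BODY = json.dumps(
    {'auth': {'identity': {'methods': ['password']}, 'scope': 'unscoped'}})
PROJECT_BODY = json.dumps(
    {'auth': {'identity': {'methods': ['password']},
              'scope': {'project': {'id': 'constructed-project-id'}}}})


if __name__ == '__main__':
    for body in (KEYSTONEAUTH_OLD_BODY, API_REF_BODY, PROJECT_BODY):
        print(scope_of_request(body))
    # The lenient check is fooled by a substring; the strict parser is not.
    print(lenient_is_unscoped('not-really-unscoped'))
    try:
        parse_scope('not-really-unscoped')
    except ScopeError as exc:
        print('rejected:', exc)
```

`parse_scope` is where a schema comment of the kind David suggests would land: the object form is kept on purpose so that clients still sending `{'unscoped': {}}` continue to authenticate, while arbitrary strings or multi-key objects are refused instead of falling through a substring test.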

Revision history for this message
Nisha Yadav (ynisha11) wrote :

Thanks Samuel for describing the complete scenario; seeing this patch and then the docs made me wonder and left me a bit confused.

I like David's idea too, to put the comments. Thanks!

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystoneauth (master)

Fix proposed to branch: master
Review: https://review.openstack.org/452652

Changed in keystoneauth:
assignee: nobody → Samriddhi (s-jain)
status: Invalid → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystoneauth (master)

Reviewed: https://review.openstack.org/452652
Committed: https://git.openstack.org/cgit/openstack/keystoneauth/commit/?id=d0cdc355a4f7a4fcb03c65b8994de436f4b00a52
Submitter: Jenkins
Branch: master

commit d0cdc355a4f7a4fcb03c65b8994de436f4b00a52
Author: Samriddhi <email address hidden>
Date: Mon Apr 3 14:42:37 2017 +0530

    Updated inconsistent value of scope parameter

    For explicit unscoped authentication, the keystone server
    specifies the scope parameter value as 'unscoped'. However
    keystoneauth1 initialises it to {'unscoped': {}}. This
    patch removes this inconsistency.

    Updated the corresponding test for unscoped request which
    checks the scope parameter in auth to match the 'unscoped'
    string.

    Partial-Bug #1637682

    Change-Id: I1c9d89fd86773f4acecbefcdad4dca6cff16b58d

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/450038
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8da2c6d5cc33ee84d1e241c120c1e462016a7c1c
Submitter: Jenkins
Branch: master

commit 8da2c6d5cc33ee84d1e241c120c1e462016a7c1c
Author: SamriddhiJain <email address hidden>
Date: Sun Mar 26 23:49:06 2017 +0530

    Updated scope parameter description in v3 API-ref

    The description of scope parameter in the API docs is inconsistent for
    scoped and explicit unscoped authorization. It doesn't explain clearly
    when the parameter should be set to keyword 'unscoped' (explicit
    unscoped authorization) and when to include ID/name of the project/
    domain (scoped authorization). This patch covers the required update
    for the scope parameter by introducing separate descriptions for the
    above mentioned cases.

    For explicit unscoped authorization, the keystone server specifies
    scope value as 'unscoped' whereas in some old versions of keystoneauth
    the value is {'unscoped': {}}. Added a comment to keystone/auth/schema.py
    to make sure the type of scope parameter is object and not string, so
    that it is consistent with older versions too.

    In v3 API docs the case for token authentication with explicit unscoped
    authorization is missing. Added documentation and request example for
    that case.

    Partial-Bug #1637682

    Change-Id: I10d38e4cc59934c421443322b14f4f971acf3a29

Samriddhi (s-jain)
Changed in keystone:
status: In Progress → Fix Released
Changed in keystoneauth:
status: In Progress → Fix Released
Changed in keystoneauth:
importance: Undecided → Low