Attribute error on Token object when using domain scoped token
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Medium | Henry Nash |
django-openstack-auth | Invalid | Undecided | Unassigned |
oslo.policy | Invalid | Undecided | Unassigned |
Bug Description
When making a policy check from Django OpenStack Auth with a domain scoped token, I'm seeing this error:
2016-02-19 19:54:20.935905 TypeError: 'Token' object has no attribute '__getitem__'
This only occurs when using the latest v3 policy file from Keystone [1], which currently contains this line:
"cloud_admin": "role:admin and (token.
When I revert that line back to what it is for stable/liberty, the issue goes away:
"cloud_admin": "rule:admin_
So there may be a case that's currently not handled when using the "token" string in policy files.
Info on variables that are set when calling the enforce method of oslo.policy [2]:
"if not enforcer_
(Pdb) action
'identity:
(Pdb) target
{'user_id': u'b2db130f48ac4
(Pdb) credentials
{'username': u'domain_admin', 'token': <openstack_
Version of oslo.policy:
$ pip show oslo.policy
---
Metadata-Version: 2.0
Name: oslo.policy
Version: 1.4.0
Summary: Oslo Policy library
Version of DOA:
$ pip show django-
---
Metadata-Version: 2.0
Name: django-
Version: 2.1.1
Summary: Django authentication backend for use with OpenStack Identity
[1] https:/
[2] https:/
Full stack trace from Horizon when using the domain scoped token and logging in as a domain admin of a domain other than the default domain (requires this patch to reproduce from Horizon: https:/
2016-02-19 19:54:20.935395 File "/opt/stack/
2016-02-19 19:54:20.935428 self.request):
2016-02-19 19:54:20.935449 File "/opt/stack/
2016-02-19 19:54:20.935470 return policy_
2016-02-19 19:54:20.935489 File "/usr/local/
2016-02-19 19:54:20.935510 enforcer[scope], action, target, domain_credentials)
2016-02-19 19:54:20.935530 File "/usr/local/
2016-02-19 19:54:20.935559 if not enforcer_
2016-02-19 19:54:20.935579 File "/usr/local/
2016-02-19 19:54:20.935599 result = self.rules[
2016-02-19 19:54:20.935619 File "/usr/local/
2016-02-19 19:54:20.935639 if rule(target, cred, enforcer):
2016-02-19 19:54:20.935658 File "/usr/local/
2016-02-19 19:54:20.935679 return enforcer.
2016-02-19 19:54:20.935698 File "/usr/local/
2016-02-19 19:54:20.935727 if not rule(target, cred, enforcer):
2016-02-19 19:54:20.935747 File "/usr/local/
2016-02-19 19:54:20.935767 if rule(target, cred, enforcer):
2016-02-19 19:54:20.935786 File "/usr/local/
2016-02-19 19:54:20.935806 return self._find_
2016-02-19 19:54:20.935826 File "/usr/local/
2016-02-19 19:54:20.935846 return self._find_
2016-02-19 19:54:20.935866 File "/usr/local/
2016-02-19 19:54:20.935886 test_value = test_value[key]
2016-02-19 19:54:20.935905 TypeError: 'Token' object has no attribute '__getitem__'
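A minimal model of the failure in the traceback above, added here as an illustration and not taken from oslo.policy, keystone or django-openstack-auth: a dotted-path lookup that indexes one key per segment raises TypeError when the "token" entry in the credentials is an object rather than a mapping. All class and function names are hypothetical, the values are constructed, and Python 3 words the error as "object is not subscriptable" instead of the Python 2 message in the report.

```python
# Added illustration; not code from oslo.policy, keystone or django-openstack-auth.
# Every name below (Token, find_in_creds, check, token_as_mapping) is hypothetical.


class Token:
    """Stand-in for an auth-library token object: attributes only, no __getitem__."""

    def __init__(self, is_admin_project, domain_id):
        self.is_admin_project = is_admin_project
        self.domain_id = domain_id


def find_in_creds(path, creds):
    """Resolve a path such as 'token.is_admin_project' by indexing each segment."""
    value = creds
    for key in path.split("."):
        value = value[key]  # same operation as the last frame of the traceback
    return value


def check(rule, creds):
    """Evaluate one 'dotted.path:Expected' check, denying if the lookup fails."""
    path, expected = rule.split(":", 1)
    try:
        return str(find_in_creds(path, creds)) == expected
    except (KeyError, TypeError):
        return False  # design choice of this example: a broken lookup never grants


def token_as_mapping(token):
    """Caller-side conversion exposing only the fields a policy rule may read."""
    return {"is_admin_project": token.is_admin_project, "domain_id": token.domain_id}


RULE = "token.is_admin_project:True"
token = Token(is_admin_project=True, domain_id="constructed-domain-id")
creds_with_object = {"username": "domain_admin", "token": token}
creds_with_dict = {"username": "domain_admin", "token": token_as_mapping(token)}


def raw_lookup_error():
    """Return the exception type raised when credentials carry the token object."""
    try:
        find_in_creds("token.is_admin_project", creds_with_object)
    except Exception as exc:
        return type(exc)
    return None
```

With the object in the credentials the lookup raises and the check denies; with the mapping the same rule evaluates normally.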
Changed in keystone: assignee: Steve Martinelli (stevemar) → Ron De Rose (ronald-de-rose)
Changed in keystone: assignee: Ron De Rose (ronald-de-rose) → Steve Martinelli (stevemar)
Changed in keystone: assignee: Steve Martinelli (stevemar) → Henry Nash (henry-nash)
Changed in keystone: assignee: Henry Nash (henry-nash) → Steve Martinelli (stevemar)
Changed in keystone: assignee: Steve Martinelli (stevemar) → Henry Nash (henry-nash)
I think leaving 'token.is_admin_project:True' out of horizon and django-openstack-auth is probably the best workaround for now.
Thanks for submitting this, Brad.