unable to list regions with unscoped token

Bug #1668442 reported by Lance Bragstad
This bug affects 2 people
Affects: python-keystoneclient
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

The default policy for list_regions in keystone is empty [0], meaning so long as the user is authenticated, they should be able to retrieve a list of regions. An authenticated user also doesn't *have* to be using a token scoped to a project or domain, it could simply be a user with an unscoped token.

While using keystoneauth and python-keystoneclient, listing regions requires a service catalog. Service catalogs are only supplied with a project- or domain-scoped token, ultimately meaning keystoneauth and python-keystoneclient are expecting a scoped token to do something keystone allows with unscoped tokens. This can be recreated using both libraries [1]. We had a user hit this and bring it to our attention in IRC [2].

[0] https://github.com/openstack/keystone/blob/f89335b09de452c1aa9b163d5596cdd1d405a197/etc/policy.json#L14
[1] http://paste.openstack.org/show/h2HcNVH9c1C4UjOd5PSZ/
[2] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2017-02-27.log.html#t2017-02-27T22:57:19

Revision history for this message
Jamie Lennox (jamielennox) wrote :

What's the use case though? A project-scoped token can access multiple regions; via endpoint filtering this could mean that different regions are available to different people, because really region is just a tag on an endpoint in the catalog.

What is the person trying to do that they would want to list endpoints in a normal token flow anyway?

From a client perspective this is relatively easy to do because you can fall back to the AUTH_INTERFACE like other calls do.
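
Added example, not code from python-keystoneclient or keystoneauth: it mirrors the bug description (an unscoped token carries no catalog, so the catalog lookup the client relies on fails) and the AUTH_INTERFACE-style fallback to the URL the client authenticated against. The token bodies, URLs, ids and the EndpointNotFound class are constructed assumptions.

```python
# Added example, not python-keystoneclient or keystoneauth code. Shows why an
# unscoped token cannot resolve the identity endpoint from its catalog and
# what an AUTH_INTERFACE-style fallback looks like. All data is constructed.
AUTH_INTERFACE = object()  # sentinel: skip the catalog, use the auth URL

class EndpointNotFound(Exception):
    """Raised when the catalog has no matching endpoint (the reported failure)."""

SCOPED_TOKEN = {"token": {
    "user": {"id": "u1", "name": "alice"},
    "project": {"id": "p1", "name": "demo"},
    "catalog": [{"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "region": "RegionOne",
         "url": "https://keystone.example.test:5000/v3"},
        {"interface": "admin", "region": "RegionOne",
         "url": "https://keystone-admin.example.test:35357/v3"},
    ]}],
}}
# An unscoped token identifies the user but carries no catalog at all.
UNSCOPED_TOKEN = {"token": {"user": {"id": "u1", "name": "alice"}}}

def list_regions_allowed(token_body):
    """Keystone's policy rule for identity:list_regions is the empty string:
    any authenticated caller passes and scope is never consulted."""
    return "user" in token_body.get("token", {})

def catalog_endpoint(token_body, service_type, interface):
    """Return the catalog URL for service_type/interface, or None."""
    for svc in token_body["token"].get("catalog", []):
        if svc.get("type") != service_type:
            continue
        for ep in svc.get("endpoints", []):
            if ep.get("interface") == interface:
                return ep["url"]
    return None

def regions_url(token_body, auth_url, interface="public"):
    """URL for GET /regions. interface=AUTH_INTERFACE means 'use the URL we
    authenticated against', which is how an unscoped token can get through."""
    if interface is AUTH_INTERFACE:
        base = auth_url
    else:
        base = catalog_endpoint(token_body, "identity", interface)
        if base is None:
            raise EndpointNotFound("no %s identity endpoint in token" % interface)
    return base.rstrip("/") + "/regions"
```

Policy lets both tokens through, but only the scoped one can build the request URL from the catalog; the unscoped one needs the fallback.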

Revision history for this message
Lance Bragstad (lbragstad) wrote :

Not sure exactly what the use case was - but it just sounded like the user of the client was expecting to be able to list regions without having a scoped token (which is something you can do in the keystone API). His workaround was to get a scoped token, but I figured I'd open a bug so that the behavior was documented if we don't decide to change how the client lists regions.

Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

The only thing keystone has long allowed is unscoped tokens to create scoped tokens. I'm inclined to say this is simply invalid.

Changed in python-keystoneclient:
status: New → Invalid