OpenStack Identity (keystone)

domain-scoped token has "None" for tenant_id replacement

Bug #1261468 reported by Brant Knudson
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Medium
Dave Chen
OpenStack Identity (keystone) 2015.1.0 "kilo"

Bug Description

When I get a domain-scoped token, I get back a catalog. The catalog contains a bunch of endpoints that aren't valid because the tenant_id replacement has been changed to "None" rather than a valid tenant-id.

Here's an example of the data in the auth request:

{
    "token": {
        "catalog": [
            {
                "endpoints": [
                    {
                        "id": "247c60ab8ce94cac9bd6de51ad3a5da4",
                        "interface": "internal",
                        "legacy_endpoint_id": "677bffa798da42c594fb536f9e549f84",
                        "region": "RegionOne",
                        "url": "http://192.168.122.176:8774/v2/None"
                    },
                    ...
                ],
                "id": "425a93743a7d46708d55f7f099bf1a07",
                "type": "compute"
            },
            ...
}

The compute endpoint in Keystone is like this:

| 677bffa798da42c594fb536f9e549f84 | RegionOne | http://192.168.122.176:8774/v2/$(tenant_id)s | http://192.168.122.176:8774/v2/$(tenant_id)s | http://192.168.122.176:8774/v2/$(tenant_id)s | 425a93743a7d46708d55f7f099bf1a07 |

So it's replacing "$(tenant_id)s" with "None"

I don't think this is working as designed. What's the point of providing a bunch of invalid endpoints?

Revision history for this message
Dolph Mathews (dolph) wrote :

Ideally we wouldn't have client-specific endpoints in the catalog at all, and drop support for this behavior entirely. However, in the short term... maybe just skip endpoints that expect to be string formatted with information that's not available?

Changed in keystone:
status: New → Confirmed
importance: Undecided → Medium
Dave Chen (wei-d-chen)
Changed in keystone:
assignee: nobody → Dave Chen (wei-d-chen)
Revision history for this message
Dave Chen (wei-d-chen) wrote :

Dolph, what do you mean by client-specific endpints? would pls share more on how this reference with this domain-scoped token? thanks.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/144860

Changed in keystone:
status: Confirmed → In Progress
Morgan Fainberg (mdrnstm)
Changed in keystone:
milestone: none → kilo-3
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-3 → kilo-rc1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/144860
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a06d5b5c248df2813e40b6255c3db6482b6bb0ff
Submitter: Jenkins
Branch: master

commit a06d5b5c248df2813e40b6255c3db6482b6bb0ff
Author: Dave Chen <email address hidden>
Date: Sun Jan 4 22:18:46 2015 +0800

    Don't add unformatted project-specific endpoints to catalog

    If a token is domain-scoped, there is no project defined.
    Hence for any catalog entries, we should skip any endpoints
    that need a project id in order to be formatted correctly.

    Co-Authored-By: Henry Nash <email address hidden>
    Change-Id: I3617a2509bfc4213f136b5c867c40d478a70ded8
    Closes-Bug: #1261468

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-rc1 → 2015.1.0
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.