v2 default domain not respected via admin endpoint

Bug #1276244 reported by Steven Hardy
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Henry Nash

Bug Description

So I'm not sure if this is a bug or a feature I just don't want, but it seems that requesting a tenant list via the v2.0 API via the admin endpoint doesn't respect the "default" domain, so you see projects for all domains:

[shardy@localhost ~]$ keystone --os-token f3aaf1597ad546f3a71dd7fd71c2af47 --os-endpoint http://127.0.0.1:5000/v2.0 tenant-list
+----------------------------------+-------+---------+
| id | name | enabled |
+----------------------------------+-------+---------+
| 20aedb59aeb247b1a5ec7332843ab092 | admin | True |
| b5d498f9631244b59912ce2a0025cf8d | demo | True |
+----------------------------------+-------+---------+
[shardy@localhost ~]$ keystone --os-token f3aaf1597ad546f3a71dd7fd71c2af47 --os-endpoint http://127.0.0.1:35357/v2.0 tenant-list
+----------------------------------+---------------------+---------+
| id | name | enabled |
+----------------------------------+---------------------+---------+
| 20aedb59aeb247b1a5ec7332843ab092 | admin | True |
| 620f89a53d35496493a7041bbd874568 | alt_demo | True |
| b5d498f9631244b59912ce2a0025cf8d | demo | True |
| b5caca84c0db4527a4d51200e9abdece | invisible_to_admin | True |
| cbbffb57ff0149f1b834898ea359c9e9 | notdefault11601 | True |
| be4cd31a14ab4ca9bdd93ed23c383f8c | notindefaultdomain | True |
| 2752427c70784ed696482dbf2420f8ac | notindefaultdomain2 | True |
| c8d527072b284247bd05441583eb0751 | notindefaultdomain3 | True |
| f7d52276b01c4931986000913a23deff | service | True |
+----------------------------------+---------------------+---------+

This is particularly confusing when combined with the magic properties of keystoneclient's --os-tenant-name option, which means that if you specify the admin tenant (openrc admin admin), then it selects the admin endpoint:

[shardy@localhost ~]$ keystone --os-username admin --os-password foobar --os-auth-url http://127.0.0.1:5000/v2.0 tenant-list
+----------------------------------+-------+---------+
| id | name | enabled |
+----------------------------------+-------+---------+
| 20aedb59aeb247b1a5ec7332843ab092 | admin | True |
| b5d498f9631244b59912ce2a0025cf8d | demo | True |
+----------------------------------+-------+---------+
[shardy@localhost ~]$ keystone --os-tenant-name admin --os-username admin --os-password foobar --os-auth-url http://127.0.0.1:5000/v2.0 tenant-list
+----------------------------------+---------------------+---------+
| id | name | enabled |
+----------------------------------+---------------------+---------+
| 20aedb59aeb247b1a5ec7332843ab092 | admin | True |
| 620f89a53d35496493a7041bbd874568 | alt_demo | True |
| b5d498f9631244b59912ce2a0025cf8d | demo | True |
| b5caca84c0db4527a4d51200e9abdece | invisible_to_admin | True |
| cbbffb57ff0149f1b834898ea359c9e9 | notdefault11601 | True |
| be4cd31a14ab4ca9bdd93ed23c383f8c | notindefaultdomain | True |
| 2752427c70784ed696482dbf2420f8ac | notindefaultdomain2 | True |
| c8d527072b284247bd05441583eb0751 | notindefaultdomain3 | True |
| f7d52276b01c4931986000913a23deff | service | True |
+----------------------------------+---------------------+---------+

Can anyone clarify if this is working as designed or a bug?

Dolph Mathews (dolph) wrote :

Need to figure out if havana & grizzly are affected as well

Changed in keystone:
importance: Undecided → High
status: New → Triaged
milestone: none → icehouse-3
Steven Hardy (shardy) wrote :

I don't have a grizzly install to test, but I did a quick test on a havana test box and it appears to behave the same.

Dolph Mathews (dolph)
tags: added: havana-backport-potential
Henry Nash (henry-nash)
Changed in keystone:
assignee: nobody → Henry Nash (henry-nash)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/76577

Changed in keystone:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/76577
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=dbbf1f002e9f60ae6ff7b2d7e0ada66fb6110d6a
Submitter: Jenkins
Branch: master

commit dbbf1f002e9f60ae6ff7b2d7e0ada66fb6110d6a
Author: Henry Nash <email address hidden>
Date: Wed Feb 26 16:35:22 2014 +0000

    Ensure v2 API only returns projects in the default domain

    The assignment backend already has a call ready and waiting for this, so
    it is just a matter of calling it.

    Fixes bug 1276244

    Change-Id: Ibff49202c8ca17df0344e48813916936edd3aa62

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-3 → 2014.1
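
A regression check for the behaviour reported above, as an added example that is not part of the original bug report or of keystone's own code: it compares a v2.0 tenant listing with v3 project records and reports tenants that lie outside the default domain. Project IDs and names come from the listing in the report; the domain assignments, the domain ID `example-domain`, the missing `service` record and the use of `default` as the default domain ID are assumptions made for the example.

```python
DEFAULT_DOMAIN_ID = "default"       # assumption: the configured default domain ID
OTHER_DOMAIN_ID = "example-domain"  # constructed for this example


def _tenant(tenant_id, name):
    """Build one entry in the shape used by a v2.0 tenant listing."""
    return {"id": tenant_id, "name": name, "enabled": True}


# GET /v2.0/tenants body shape. IDs and names are a subset of the report's
# admin-endpoint listing; v2 responses carry no domain information.
V2_ADMIN_LISTING = {"tenants": [
    _tenant("20aedb59aeb247b1a5ec7332843ab092", "admin"),
    _tenant("b5d498f9631244b59912ce2a0025cf8d", "demo"),
    _tenant("cbbffb57ff0149f1b834898ea359c9e9", "notdefault11601"),
    _tenant("be4cd31a14ab4ca9bdd93ed23c383f8c", "notindefaultdomain"),
    _tenant("f7d52276b01c4931986000913a23deff", "service"),
]}
# Constructed listing that contains default-domain projects only.
V2_FIXED_LISTING = {"tenants": V2_ADMIN_LISTING["tenants"][:2]}

# GET /v3/projects body shape. The domain_id values are constructed, and
# "service" is left out on purpose to exercise the no-record case.
V3_PROJECTS = {"projects": [{"id": pid, "domain_id": dom} for pid, dom in [
    ("20aedb59aeb247b1a5ec7332843ab092", DEFAULT_DOMAIN_ID),
    ("b5d498f9631244b59912ce2a0025cf8d", DEFAULT_DOMAIN_ID),
    ("cbbffb57ff0149f1b834898ea359c9e9", OTHER_DOMAIN_ID),
    ("be4cd31a14ab4ca9bdd93ed23c383f8c", OTHER_DOMAIN_ID),
]]}


def audit_v2_listing(v2_body, v3_body, default_domain_id=DEFAULT_DOMAIN_ID):
    """Return (leaked, unknown) tenant names for a v2 listing.

    leaked:  tenants whose v3 record places them outside the default domain.
    unknown: tenants with no v3 record, which cannot be classified.
    """
    domain_of = {p["id"]: p.get("domain_id") for p in v3_body.get("projects", [])}
    leaked, unknown = [], []
    for tenant in v2_body.get("tenants", []):
        if tenant["id"] not in domain_of:
            unknown.append(tenant["name"])
        elif domain_of[tenant["id"]] != default_domain_id:
            leaked.append(tenant["name"])
    return sorted(leaked), sorted(unknown)


if __name__ == "__main__":
    print(audit_v2_listing(V2_ADMIN_LISTING, V3_PROJECTS))
    print(audit_v2_listing(V2_FIXED_LISTING, V3_PROJECTS))
```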