Public bug reported:
Some of the endpoints include tenant information and if we use domain
scoped token there is no tenant information. So the catalog doesn't
have any entry for those services for domain scoped token which looks
odd
Since domain scoped token is used only by identity, the better
Public bug reported:
{
" region" : {}
}
This is a valid request in kilo. But this no longer works in liberty.
Liberty is throwing "index_out_of_range" error which is rethrown as
schema validation error.
Public bug reported:
This bug is only for fernet token. Configure keystone to use fernet
token. Call any operation without passing an X-Auth-Token. It reports 500
error. It should throw 401
e.g. curl -X DELETE $OS_AUTH_URL/v3/projects/ Haneef Ali (haneef)
--
You received this bug notification
Public bug reported:
(keystone.common.wsgi): 2015-12-01 21:53:58,603 INFO wsgi __call__ GET
http://192.168.245.9:35357/v3/groups/42b6bb3bb70f487cbf9633bf55eb9ddc/users?name=admin
(keystone.common.wsgi): 2015-12-01 21:53:58,610 ERROR wsgi __call__ Entity
'' has no property
'name'
Traceback
Public bug reported:
This is applicable for UUID and PKI tokens.
Token table has extra column where we store role information. It is a
blob with 64K limit
Basically we can do the following
Say user is U, and Project is P
for i =1 to 1000 ( or any large number)
role x
Public bug reported:
CADF payload doesn't have initiator for any of the v2 calls.
e.g
1) v2 update user
2) This internally calls identity_driver.update_user without initiator
argument which is a default argument initialized to None
3) If we call v3 update user, then we pass
Public bug reported:
Keystone version discovery is broken if you configure admin_endpoint
and public_endpoint in conf file. Version discovery is supposed to
return the configured endpoint, but it will always return admin
endpoint. This bug is in Juno/Kilo/master. This is only applicable for
Public bug reported:
Now the recommended way to install keystone is via apache. But
httpd/keystone.py is not included when we do python setup.py install
in keystone. It should be included
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug
The exception doesn't happen with new mapping
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1436141
Title:
Federation get
Public bug reported:
Relevant line in the code
https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/utils.py#L158
Relevant logs
keystone.contrib.federation.utils): 2015-03-25 02:40:06,920 DEBUG utils process
rules: [{u'remote': [{u'type': u'openstack_user',
Public bug reported:
TypeError: token must be bytes.
(keystone.common.wsgi): 2015-03-13 03:04:16,968 ERROR token must be bytes.
Traceback (most recent call last):
File /usr/local/lib/python2.7/dist-packages/keystone/common/wsgi.py, line
238, in __call__
result = method(context, **params)
Public bug reported:
Revoke a project scoped token
You see 3 entries in revocation_event table
1) (id, user_id, project_id, role_id, issued_before)
2) (id, user_id,, issued_before)
3) (id, user_id,, issued_before)
2 and 3 are redundant. Definitely 3) is redundant as it is the same as 2)
BTW, this
Public bug reported:
If you validate fernet token, the token response has 2 methods. Since
the token is obtained using the password method, the response should
only have password method
ex - token response
expires_at: 2015-03-14T03:06:39Z,
extras: {},
issued_at:
Public bug reported:
Even though dogpile caching is disabled, most of the calls generate the
following three lines
2015-02-03 15:17:13.041 30043 DEBUG dogpile.core.dogpile [-]
NeedRegenerationException _enter
/opt/stack/venvs/openstack/lib/python2.7/site-packages/dogpile/core/dogpile.py:94
Public bug reported:
In service table only ID is primary not type.
(i.e.) I can create two services of type compute. Assume I do so,
then horizon and other service clients will throw an exception since
they don't know which service to pick up.
The best way to avoid this is to not allow
Public bug reported:
Steps to reproduce
1) Enable domain specific drivers for identity
domain_specific_drivers_enabled = True
2) Add domain specific configuration files
3) Either get a token which has admin privilege or ADMIN token
configured in keystone.conf
4) Use the token to go GET
Public bug reported:
If you enable messaging, keystone creates a queue notification.info
and sends a message with the routing key notification.info to the
queue.
As per rabbitmq, producer sends a message to an Exchange and
Consumer creates a queue and attaches to the exchange to receive the
Public bug reported:
There are 2 events in the path
# curl -k -H X-Auth-Token:SomeToken
http://localhost:35357/v3/OS-REVOKE/events | python -mjson.tool
% Total% Received % Xferd Average Speed TimeTime Time Current
Dload Upload Total
Public bug reported:
Keystone uses the same topic for both normal notification and audit.
Ideally both should be in different topics. Both have different
security/persistence requirements
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification
Public bug reported:
issued_at field is only in v3, but v2 token response has issued_at. This
is not a major issue. But the format of the date is inconsistent
token: {
expires: 2014-10-08T00:51:35Z,
id: a94eec3993a74bf4b26f91bd485f3b6d,
issued_at:
Public bug reported:
Keystone is moving towards v3. Identity operations are supposed to use
domain scoped token and all the services are supposed to use tenant
scoped token. The concept of domain_admin will work only if you use
domain scoped token.
Most of the keystone unit tests use v3
Public bug reported:
This is a wish list.
Since we are moving to v3, it is better to add v3 endpoint in
sample_data.sh. We still have only v2.0 endpoint. I don't think
keystoneclient will be affected since it doesn't use the endpoint from
catalog, but relies on version discovery
** Affects:
Public bug reported:
By default keystone gets the id from first field of DN. It doesn't use
user_id_attribute mapping from keystone.conf
In the following code, id attribute is always 1 element in DN
---Relevant code---
@staticmethod
def _dn_to_id(dn):
return
Public bug reported:
This is a wish list
We need certificates API to get the PKI certificates in the services. If
we deprecate v2.0 api, it will be odd if the services rely on v2.0 api
to fetch certificates.
** Affects: keystone
Importance: Undecided
Status: New
--
You
Public bug reported:
In v2 policy.json owner is defined as
owner : user_id:%(user_id)s,
It should be
owner : user_id:%(user_id)s or user_id:%(target.token.user_id)s,
Affected APIs,
Using default v2 policy file a user can't delete his own token due to this
defect
** Affects:
Public bug reported:
V3 list_user filter by email throws exception. There is no such
attribute email.
keystone.common.wsgi): 2014-04-11 23:09:00,422 ERROR type object 'User' has no
attribute 'email'
Traceback (most recent call last):
File
Public bug reported:
Revoke token intermittently dumps stack trace. I don't see remove
method in RevokeTree object. Maybe I'm missing something
(keystone.common.wsgi): 2014-03-20 03:17:55,054 ERROR 'RevokeTree' object has
no attribute 'remove'
Traceback (most recent call last):
File
Looks like this is fixed now in upstream on 3/8 by Morgan
** Changed in: keystone
Status: New => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1295212
Title:
Public bug reported:
Disable domain only revokes project scope token. It doesn't revoke
domain scoped tokens
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to
Public bug reported:
If you disable a domain, the users in the domain are not disabled.
** Affects: keystone
Importance: Undecided
Status: New
** Summary changed:
- disable domain
+ Disable domain doesn't disable users in the domain
--
You received this bug notification because
Public bug reported:
This is a feature request
We should allow user supplied domain_id/user_id. There are some policy
definitions in policy.v2.cloudadmin.json which rely on user being on
particular domain. We really don't want to have UUID in policy files
to identify the domain_id. One way
Public bug reported:
Why do we need CA key? In a real deployment, if I were to get a cert for
my server from Verisign, then Verisign won't provide its key.
Basically the code should work without CA key.
I believe it is not required for ssl setup and signing.
[ssl]
#enable = True
#certfile =
Public bug reported:
This api is in the doc, but not in code
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1284895
Public bug reported:
Actually this is a wishlist.
We have caching in assignment and token. It will be really helpful if
we have caching in catalog as this is mostly static data. This will
greatly improve create token performance.
** Affects: keystone
Importance: Undecided
Public bug reported:
UserDomainGrant and GroupDomainGrant have a foreign key relation with
domains. So we can't delete a domain unless we remove the grants.
On deletedomain we need to
-- Delete users
-- Delete groups
-- Delete projects
which should take care of removal of foreign key