[Yahoo-eng-team] [Bug 1536300] [NEW] Catalog response is inconsistent for domain scoped token
Public bug reported:

Some of the endpoints include tenant information, and if we use a domain scoped token there is no tenant information. So the catalog doesn't have any entry for those services for a domain scoped token, which looks odd.

Since domain scoped token is used only by identity, the better approach would be to include just identity catalog for domain scoped token.

e.g. Given below is the current response for domain scoped token. What is heat service's endpoint from this response?

| heat       | orchestration |                                      |
| nova       | compute       |                                      |
| cinder     | volume        |                                      |
|            |               | internal: http://10.240.20.2:9090    |
|            |               | region1                              |
|            |               | public: https://myhelion.test:9090   |
|            |               | region1                              |
|            |               | admin: http://10.240.20.2:9090       |
| ceilometer | metering      | region1                              |
|            |               | internal: http://10.240.20.2:8777/   |
|            |               | region1                              |
|            |               | admin: http://10.240.20.2:8777/      |
|            |               | region1                              |
|            |               | public: https://myhelion.test:8777/  |
|            |               |                                      |
| glance     | image         | region1                              |
|            |               | public: https://myhelion.test:9292   |
|            |               | region1                              |
|            |               | internal: http://10.240.20.2:9292    |
|            |               | region1                              |
|            |               | admin: http://10.240.20.2:9292       |
|            |               |                                      |

** Affects: keystone
Importance: Undecided
Status: New

** Description changed:
-
- Since domain scoped token is used only by identity, the better apprach would be to include just identity catalog for domain scoped token.
+ Since domain scoped token is used only by identity, the better apprach
+ would be to include just identity catalog for domain scoped token.

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1536300

Title: Catalog response is inconsistent for domain scoped token

Status in OpenStack Identity (k
[Yahoo-eng-team] [Bug 1528661] [NEW] Create region throws schema validation error for empty region
Public bug reported:

{ "region": {} }

This is a valid request in kilo. But this no longer works in liberty. Liberty is throwing an "index_out_of_range" error which is rethrown as a schema validation error.

https://github.com/openstack/keystone/blob/master/keystone/common/validation/__init__.py#L56

** Affects: keystone
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/1528661

To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1528661/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1526976] [NEW] Any operation without token fails with internal server error for fernet token
Public bug reported:

This bug is only for fernet token. Configure keystone to use fernet token. Call any operation without passing an X-Auth-Token. It reports 500 error. It should throw 401.

e.g. curl -X DELETE $OS_AUTH_URL/v3/projects/

Haneef Ali (haneef)

https://bugs.launchpad.net/bugs/1526976

Status in OpenStack Identity (keystone): New
[Yahoo-eng-team] [Bug 1521772] [NEW] List users in a group by name throws HTTP 500 error
Public bug reported:

(keystone.common.wsgi): 2015-12-01 21:53:58,603 INFO wsgi __call__ GET http://192.168.245.9:35357/v3/groups/42b6bb3bb70f487cbf9633bf55eb9ddc/users?name=admin
(keystone.common.wsgi): 2015-12-01 21:53:58,610 ERROR wsgi __call__ Entity '' has no property 'name'
Traceback (most recent call last):
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/keystone/common/wsgi.py", line 248, in __call__
    result = method(context, **params)
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/keystone/common/controller.py", line 207, in wrapper
    return f(self, context, filters, **kwargs)
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/keystone/identity/controllers.py", line 233, in list_users_in_group
    refs = self.identity_api.list_users_in_group(group_id, hints=hints)
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/keystone/common/manager.py", line 58, in wrapper
    return f(self, *args, **kwargs)
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/keystone/identity/core.py", line 433, in wrapper
    return f(self, *args, **kwargs)
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/keystone/identity/core.py", line 444, in wrapper
    return f(self, *args, **kwargs)
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/keystone/identity/core.py", line 1123, in list_users_in_group
    ref_list = driver.list_users_in_group(entity_id, hints)
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/keystone/identity/backends/sql.py", line 226, in list_users_in_group
    query = sql.filter_limit_query(User, query, hints)
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/keystone/common/sql/core.py", line 410, in filter_limit_query
    query = _filter(model, query, hints)
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/keystone/common/sql/core.py", line 362, in _filter
    query = query.filter_by(**filter_dict)
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/sqlalchemy/orm/query.py", line 1345, in filter_by
    for key, value in kwargs.items()]
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/sqlalchemy/orm/base.py", line 383, in _entity_descriptor
    (description, key)
InvalidRequestError: Entity '' has no property 'name'

** Affects: keystone
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/1521772
[Yahoo-eng-team] [Bug 1499555] [NEW] You can crash keystone or make the DB very slow by assigning many roles
Public bug reported:

This is applicable for UUID and PKI tokens. Token table has an extra column where we store role information. It is a blob with a 64K limit.

Basically we can do the following.

Say user is U, and Project is P

for i = 1 to 1000 (or any large number)
    role x = create role i with some large name
    assign role x for user U and Project P

create a project scoped token for user U

** Affects: keystone
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/1499555
[Yahoo-eng-team] [Bug 1485035] [NEW] cadf payload doesn't have initiator for v2 calls
Public bug reported:

CADF payload doesn't have initiator for any of the v2 calls.

e.g.
1) v2 update user
2) This internally calls identity_driver.update_user without the initiator argument, which is a default argument initialized to None
3) If we call v3 update user, then we pass initiator. So cadf payload for v3 has initiator

** Affects: keystone
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/1485035
[Yahoo-eng-team] [Bug 1483860] [NEW] Keystone version discovery is broken if you configure admin_endpoint and public_endpoint in conf file
Public bug reported:

Keystone version discovery is broken if you configure admin_endpoint and public_endpoint in conf file. Version discovery is supposed to return the configured endpoint, but it will always return "admin" endpoint. This bug is in Juno/Kilo/master. This is only applicable for v3.

In master -- Please have a look at https://github.com/openstack/keystone/blob/master/keystone/service.py#L130
V3 doesn't have public and admin factories. There is only one factory and we are installing only Version("public"), so it is always going to return public_endpoint configured in conf file.

Juno -- In juno it is a bit different: https://github.com/openstack/keystone/blob/stable/juno/keystone/service.py#L114
We are installing both Version("Public") and Version("Admin") at /v3. First will take precedence and here we will always get "admin" endpoint.

** Affects: keystone
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/1483860
[Yahoo-eng-team] [Bug 1441733] [NEW] pip install or python setup.py install should include httpd/keystone.py
Public bug reported:

Now the recommended way to install keystone is via apache. But httpd/keystone.py is not included when we do python setup.py install in keystone. It should be included.

** Affects: keystone
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/1441733
[Yahoo-eng-team] [Bug 1436141] Re: Federation get unscoped token from assertion throws : ERROR tuple index out of range
The exception doesn't happen with new mapping

** Changed in: keystone
Status: New => Invalid

https://bugs.launchpad.net/bugs/1436141
[Yahoo-eng-team] [Bug 1436141] [NEW] Federation get unscoped token from assertion throws : ERROR tuple index out of range
Public bug reported:

Relevant line in the code
https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/utils.py#L158

Relevant logs

(keystone.contrib.federation.utils): 2015-03-25 02:40:06,920 DEBUG utils process rules: [{u'remote': [{u'type': u'openstack_user', u'any_one_of': [u'user1', u'admin']}], u'local': [{u'user': {u'name': u'{0}'}}, {u'group': {u'id': u'a9b7c29b5e2d4094a66e240d2827c622'}}]}]
(keystone.contrib.federation.utils): 2015-03-25 02:40:06,920 DEBUG utils _update_local_mapping direct_maps:
(keystone.contrib.federation.utils): 2015-03-25 02:40:06,920 DEBUG utils _update_local_mapping local: {u'user': {u'name': u'{0}'}}
(keystone.contrib.federation.utils): 2015-03-25 02:40:06,920 DEBUG utils _update_local_mapping direct_maps:
(keystone.contrib.federation.utils): 2015-03-25 02:40:06,920 DEBUG utils _update_local_mapping local: {u'name': u'{0}'}
(keystone.contrib.federation.utils): 2015-03-25 02:40:06,920 DEBUG utils __getitem__ []
(keystone.contrib.federation.utils): 2015-03-25 02:40:06,921 DEBUG utils __getitem__ 0
(keystone.common.wsgi): 2015-03-25 02:40:06,922 ERROR wsgi __call__ tuple index out of range
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 239, in __call__
    result = method(context, **params)
  File "/usr/local/lib/python2.7/dist-packages/keystone/contrib/federation/controllers.py", line 267, in federated_authentication
    return self.authenticate_for_token(context, auth=auth)
  File "/usr/local/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 377, in authenticate_for_token
    self.authenticate(context, auth_info, auth_context)
  File "/usr/local/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 502, in authenticate
    auth_context)
  File "/usr/local/lib/python2.7/dist-packages/keystone/auth/plugins/mapped.py", line 70, in authenticate
    self.identity_api)
  File "/usr/local/lib/python2.7/dist-packages/keystone/auth/plugins/mapped.py", line 144, in handle_unscoped_token
    federation_api, identity_api)
  File "/usr/local/lib/python2.7/dist-packages/keystone/auth/plugins/mapped.py", line 193, in apply_mapping_filter
    mapped_properties = rule_processor.process(assertion)
  File "/usr/local/lib/python2.7/dist-packages/keystone/contrib/federation/utils.py", line 453, in process
    new_local = self._update_local_mapping(local, direct_maps)
  File "/usr/local/lib/python2.7/dist-packages/keystone/contrib/federation/utils.py", line 595, in _update_local_mapping
    new_value = self._update_local_mapping(v, direct_maps)
  File "/usr/local/lib/python2.7/dist-packages/keystone/contrib/federation/utils.py", line 597, in _update_local_mapping
    new_value = v.format(*direct_maps)
IndexError: tuple index out of range
(keystone.common.wsgi): 2015-03-25 02:40:06,922 ERROR tuple index out of range

** Affects: keystone
Importance: Undecided
Status: New

** Summary changed:
- Federation get unscoped token from assertion throws
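An added example (not Keystone's code and not part of the report): the traceback ends in `v.format(*direct_maps)` while the debug log shows `direct_maps` logged as empty, so the `{0}` in the local rule has nothing to bind to. The sketch reproduces that with the rule from the log and shows a pre-check that rejects the mapping with a named error instead of a bare IndexError; `naive_update`, `checked_update`, `placeholder_indexes`, `apply_rule` and `MappingError` are hypothetical names.

```python
import string


class MappingError(ValueError):
    """A local rule references a direct map that was never produced."""


# Rule copied from the debug log in the report (u'' prefixes dropped).
RULES = [{
    "remote": [{"type": "openstack_user", "any_one_of": ["user1", "admin"]}],
    "local": [
        {"user": {"name": "{0}"}},
        {"group": {"id": "a9b7c29b5e2d4094a66e240d2827c622"}},
    ],
}]


def naive_update(local, direct_maps):
    """Recursive substitution in the style of the failing frame: no checks."""
    out = {}
    for key, value in local.items():
        if isinstance(value, dict):
            out[key] = naive_update(value, direct_maps)
        else:
            out[key] = value.format(*direct_maps)
    return out


def placeholder_indexes(template):
    """Return the positional indexes a format template refers to."""
    indexes, auto = [], 0
    for _literal, field, _spec, _conv in string.Formatter().parse(template):
        if field is None:            # plain text, no replacement field
            continue
        head = field.split(".")[0].split("[")[0]
        if head == "":               # "{}" auto-numbering
            indexes.append(auto)
            auto += 1
        elif head.isdigit():         # "{0}", "{1[0]}", ...
            indexes.append(int(head))
        else:                        # "{name}" cannot be filled from a tuple
            raise MappingError("named placeholder {%s} is not supported" % head)
    return indexes


def checked_update(local, direct_maps, path=""):
    """Same substitution, but every placeholder is checked before format()."""
    out = {}
    for key, value in local.items():
        here = key if not path else path + "." + key
        if isinstance(value, dict):
            out[key] = checked_update(value, direct_maps, here)
            continue
        missing = [i for i in placeholder_indexes(value) if i >= len(direct_maps)]
        if missing:
            raise MappingError(
                "%s uses {%d} but only %d direct map(s) were produced"
                % (here, missing[0], len(direct_maps)))
        out[key] = value.format(*direct_maps)
    return out


def apply_rule(rule, direct_maps, update=checked_update):
    """Apply every local entry of one rule with the chosen update function."""
    return [update(local, direct_maps) for local in rule["local"]]


if __name__ == "__main__":
    try:
        apply_rule(RULES[0], ())
    except MappingError as exc:
        print("rejected:", exc)
    print(apply_rule(RULES[0], ("user1",)))
```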
[Yahoo-eng-team] [Bug 1431669] [NEW] Create saml assertion doesn't work with fernet token
Public bug reported:

TypeError: token must be bytes.

(keystone.common.wsgi): 2015-03-13 03:04:16,968 ERROR token must be bytes.
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 238, in __call__
    result = method(context, **params)
  File "/usr/local/lib/python2.7/dist-packages/keystone/common/validation/__init__.py", line 36, in wrapper
    return func(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystone/contrib/federation/controllers.py", line 328, in create_saml_assertion
    token_data = self.token_provider_api.validate_token(token_id)
  File "/usr/local/lib/python2.7/dist-packages/keystone/token/provider.py", line 196, in validate_token
    token = self._validate_token(unique_id)
  File "/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 1040, in decorate
    should_cache_fn)
  File "/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 651, in get_or_create
    async_creator) as value:
  File "/usr/local/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 158, in __enter__
    return self._enter()
  File "/usr/local/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 98, in _enter
    generated = self._enter_create(createdtime)
  File "/usr/local/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 149, in _enter_create
    created = self.creator()
  File "/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 619, in gen_value
    created_value = creator()
  File "/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 1036, in creator
    return fn(*arg, **kw)
  File "/usr/local/lib/python2.7/dist-packages/keystone/token/provider.py", line 257, in _validate_token
    return self.driver.validate_v3_token(token_id)
  File "/usr/local/lib/python2.7/dist-packages/keystone/token/providers/fernet/core.py", line 150, in validate_v3_token
    token_formatter.validate_token(token_str))
  File "/usr/local/lib/python2.7/dist-packages/keystone/token/providers/fernet/token_formatters.py", line 223, in validate_token
    payload = self.unpack(token_string)
  File "/usr/local/lib/python2.7/dist-packages/keystone/token/providers/fernet/token_formatters.py", line 125, in unpack
    decrypted_token = self.crypto.decrypt(token_string)
  File "/usr/local/lib/python2.7/dist-packages/cryptography/fernet.py", line 138, in decrypt
    return f.decrypt(msg, ttl)
  File "/usr/local/lib/python2.7/dist-packages/cryptography/fernet.py", line 75, in decrypt
    raise TypeError("token must be bytes.")
TypeError: token must be bytes.

** Affects: keystone
Importance: Undecided
Status: New

** Tags: fernet

** Tags added: fernet

https://bugs.launchpad.net/bugs/1431669
[Yahoo-eng-team] [Bug 1430951] [NEW] Revocation causes duplicate events in revocation table
Public bug reported:

Revoke a project scoped token.

You see 3 entries in revocation_event table:

1) (id, user_id, project_id, role_id, issued_before)
2) (id, user_id,, issued_before)
3) (id, user_id,, issued_before)

2 & 3 are redundant. Definitely 3) is redundant as it is the same as 2).

BTW, this is from master branch as of 3/11/2015.

** Affects: keystone
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/1430951
[Yahoo-eng-team] [Bug 1430433] [NEW] Fernet token validation doesn't return catalog and role information for domain scoped tokens
Public bug reported:

root@4d4627c10662:/etc/keystone# curl -k -H "X-Auth-Token:ADMIN" -H "X-Subject-Token:$d" http://localhost:35357/v3/auth/tokens | python -mjson.tool
% Total% Received % Xferd Average Speed TimeTime Time Current
Dload Upload Total SpentLeft Speed
100 292 100 2920 0154 0 0:00:01 0:00:01 --:--:-- 154
{
    "token": {
        "audit_ids": [
            "c5zfY85bTrm_q8pAy2hk-A"
        ],
        "expires_at": "2015-03-14T20:44:40Z",
        "extras": {},
        "issued_at": "2015-03-10T16:44:40Z",
        "methods": [
            "password",
            "token"
        ],
        "user": {
            "domain": {
                "id": "default",
                "name": "Default"
            },
            "id": "ad89796c89e7422bb8b9f1bbf9d84bf6",
            "name": "admin"
        }
    }
}
root@4d4627c10662:/etc/keystone#

** Affects: keystone
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/1430433
[Yahoo-eng-team] [Bug 1430062] [NEW] Fernet token response has wrong methods
Public bug reported:

If you validate a Fernet token, the token response has 2 methods. Since the token is obtained using the "password" method, the response should only have the "password" method.

ex - token response

    "expires_at": "2015-03-14T03:06:39Z",
    "extras": {},
    "issued_at": "2015-03-09T23:06:39Z",
    "methods": [
        "password",
        "token"
    ],

** Affects: keystone
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1430062
[Yahoo-eng-team] [Bug 1418678] [NEW] Most of the keystone calls generate exception in dogpile when caching is disabled
Public bug reported:

Even though dogpile caching is disabled, most of the calls generate the following three lines

2015-02-03 15:17:13.041 30043 DEBUG dogpile.core.dogpile [-] NeedRegenerationException _enter /opt/stack/venvs/openstack/lib/python2.7/site-packages/dogpile/core/dogpile.py:94
2015-02-03 15:17:13.041 30043 DEBUG dogpile.core.dogpile [-] no value, waiting for create lock _enter_create /opt/stack/venvs/openstack/lib/python2.7/site-packages/dogpile/core/dogpile.py:127
2015-02-03 15:17:13.041 30043 DEBUG dogpile.core.dogpile [-] value creation lock acquired _enter_create /opt/stack/venvs/openstack/lib/python2.7/site-packages/dogpile/core/dogpile.py:131
2015-02-03 15:17:13.042 30043 DEBUG dogpile.core.dogpile [-] Calling creation function _enter_create /opt/stack/venvs/openstack/lib/python2.7/site-packages/dogpile/core/dogpile.py:148
2015-02-03 15:17:13.048 30043 DEBUG dogpile.core.dogpile [-] Released creation lock _enter_create /opt/stack/venvs/openstack/lib/python2.7/site-packages/dogpile/core/dogpile.py:154

The worrying aspect in this log is "NeedRegenerationException".

The related code fragment from dogpile is
---
    def _enter(self):
        value_fn = self.value_and_created_fn
        try:
            value = value_fn()
            value, createdtime = value
        except NeedRegenerationException:
            log.debug("NeedRegenerationException")
            value = NOT_REGENERATED
            createdtime = -1

This is an obvious exception, it is throwing an error since caching is disabled and there is no key. Is there a way to bypass this code when caching is disabled? This can very well be a performance problem as this exception is generated for almost every call.

** Affects: keystone
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1418678
[Yahoo-eng-team] [Bug 1402757] [NEW] Log message for token_flush is wrong
Public bug reported:

Token flush is done in batches. We are logging both the number of tokens that are deleted in a batch and the total number of tokens deleted. But the log message logs the total tokens flushed in both places.

** Affects: keystone
     Importance: Undecided
     Assignee: Haneef Ali (haneef)
         Status: New

** Changed in: keystone
     Assignee: (unassigned) => Haneef Ali (haneef)

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1402757
[Yahoo-eng-team] [Bug 1394730] [NEW] Keystone should not allow creation of multiple services with the same type
Public bug reported:

In the service table only "ID" is primary, not type (i.e. I can create two services of type "compute"). Assume I do so, then horizon and other service clients will throw an exception since they don't know which service to pick up. The best way to avoid this is to not allow creation of two services with the same type.

Note: In order to support different versions, services use different types. e.g. Nova creates services of type "compute" and "computev3"

This is related to https://bugs.launchpad.net/bugs/1369401 which is closed as "won't fix"

** Affects: keystone
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1394730
[Yahoo-eng-team] [Bug 1387379] [NEW] List users and List project raises 401 for admin users if you enable multi domain configuration
Public bug reported:

Steps to reproduce

1) Enable domain specific drivers for identity
   domain_specific_drivers_enabled = True
2) Add domain specific configuration files
3) Either get a token which has admin privilege or the ADMIN token configured in keystone.conf
4) Use the token to do GET v3/users and GET /v3/groups

Both of them raise 401

** Affects: keystone
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1387379
[Yahoo-eng-team] [Bug 1386810] [NEW] Keystone should not create a queue. Or it should empty the queue
Public bug reported:

If you enable "messaging", keystone creates a queue "notification.info" and sends a message with the routing key "notification.info" to the queue. As per rabbitmq, a producer sends a message to an "Exchange", and a consumer creates a queue and attaches to the exchange to receive the message. A producer never creates a queue unless it follows RPC semantics to get a response.

Also, the keystone clients' notification consumption pattern is different from other services such as nova. Keystone consumers need exclusive access to the queue. Consider the following scenario where "glance" and "nova" are interested in the "project.deleted" event.

Case 1: Consumer doesn't create a queue, instead takes the message from the "notification.info" queue created by keystone
  1) If glance picks up the "project.deleted" event, then the message is lost. Nova can't get that message since the queue is not exclusive. Basically only one consumer can get the message if they connect to the "notification.info" queue

Case 2: Consumer creates an "exclusive" queue and attaches to the exchange
  1) Glance creates a queue with a random name and attaches to the exchange saying it is interested in messages with routing key "notification.info"
  2) Nova creates a queue with a random name and attaches to the exchange saying it is interested in messages with routing key "notification.info"
  3) Since the queues are exclusive, each will get the "project.deleted" event.
  4) This is the general consumption pattern for a "topic" exchange
  5) But no one is emptying the messages from the "notification.info" queue that is created by "keystone". It will keep on accumulating.

So there are 2 ways to fix it. Either don't create a queue or add a listener which empties the queue. Oslo by default creates a queue, which is applicable to nova but not to keystone.

https://github.com/openstack/oslo.messaging/blob/master/oslo/messaging/_drivers/impl_rabbit.py#L411

** Affects: keystone
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1386810
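The two cases in the report above, as an added example that is not part of the original report and is not RabbitMQ or oslo.messaging code: a small in-memory model in which a queue hands each message to one consumer and an exchange copies a message into every bound queue. The class names, the "-private" queue names, the round-robin delivery and the two numbered events are assumptions made for illustration, and routing keys are matched exactly rather than by topic wildcards.

```python
from collections import deque

ROUTING_KEY = "notification.info"


class Queue:
    """A queue hands each message to exactly one of its consumers."""

    def __init__(self, name):
        self.name = name
        self.backlog = deque()
        self.consumers = []
        self._turn = 0

    def consume(self, inbox):
        self.consumers.append(inbox)
        self._deliver()

    def put(self, message):
        self.backlog.append(message)
        self._deliver()

    def _deliver(self):
        # Round-robin between competing consumers; with no consumer
        # attached the message simply stays in the backlog.
        while self.backlog and self.consumers:
            inbox = self.consumers[self._turn % len(self.consumers)]
            self._turn += 1
            inbox.append(self.backlog.popleft())


class Exchange:
    """Copies a published message into every queue bound to its key."""

    def __init__(self):
        self.bindings = []

    def bind(self, queue, routing_key):
        self.bindings.append((routing_key, queue))

    def publish(self, routing_key, message):
        for key, queue in self.bindings:
            if key == routing_key:
                queue.put(message)


def run(case):
    """Return (per-service inboxes, backlog of the producer-made queue)."""
    exchange = Exchange()
    # The queue the producer declares itself, as described in the report.
    producer_queue = Queue("notification.info")
    exchange.bind(producer_queue, ROUTING_KEY)

    inboxes = {"glance": [], "nova": []}
    for service, inbox in inboxes.items():
        if case == 1:
            # Case 1: both services read the producer-made queue.
            producer_queue.consume(inbox)
        else:
            # Case 2: each service binds its own queue to the exchange.
            own = Queue("%s-private" % service)
            exchange.bind(own, ROUTING_KEY)
            own.consume(inbox)

    for n in (1, 2):  # constructed events
        exchange.publish(ROUTING_KEY, "project.deleted #%d" % n)
    return inboxes, len(producer_queue.backlog)


if __name__ == "__main__":
    for case in (1, 2):
        inboxes, backlog = run(case)
        print("case", case, inboxes, "producer queue backlog:", backlog)
```

In case 1 each service sees only part of the event stream; in case 2 both see every event while the producer-made queue keeps growing because nothing reads it.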
[Yahoo-eng-team] [Bug 1384457] [NEW] Self value in Link is wrong in GET /OS-REVOKE/events
Public bug reported:

There are 2 events in the path

# curl -k -H "X-Auth-Token:SomeToken" http://localhost:35357/v3/OS-REVOKE/events | python -mjson.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   304  100   304    0     0    313      0 --:--:-- --:--:-- --:--:--   313
{
    "events": [
        {
            "issued_before": "2014-10-22T20:26:14.00Z",
            "project_id": "f5590b050dc14795b5e8447a223bd696"
        },
        {
            "audit_id": "cAV3qiytQkuzpANJ3CPFRg",
            "issued_before": "2014-10-22T20:29:44.00Z"
        }
    ],
    "links": {
        "next": null,
        "previous": null,
        "self": "http://localhost:35357/v3/OS-REVOKE/events/events"
    }
}

** Affects: keystone
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1384457
[Yahoo-eng-team] [Bug 1383924] [NEW] keystone notification should use different topic for CADF and normal notification
Public bug reported:

Keystone uses the same topic for both normal notification and audit. Ideally both should be in different topics. Both have different security/persistence requirements.

** Affects: keystone
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1383924
[Yahoo-eng-team] [Bug 1378532] [NEW] Keystone token date format is inconsistent
Public bug reported:

issued_at field is only in v3, but v2 token response has issued_at. This is not a major issue. But the format of the date is inconsistent

    "token": {
        "expires": "2014-10-08T00:51:35Z",
        "id": "a94eec3993a74bf4b26f91bd485f3b6d",
        "issued_at": "2014-10-07T20:51:36.005469",

** Affects: keystone
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1378532
[Yahoo-eng-team] [Bug 1378036] [NEW] Keystone unit tests should use domain scoped token
Public bug reported:

Keystone is moving towards v3. Identity operations are supposed to use domain scoped tokens and all the services are supposed to use tenant scoped tokens. The concept of domain_admin will work only if you use a domain scoped token. Most of the keystone unit tests use v3 tokens. But those v3 tokens are "project scoped". They should have been domain scoped.

** Affects: keystone
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1378036
[Yahoo-eng-team] [Bug 1374045] [NEW] Add v3 endpoint for identity in catalog
Public bug reported:

This is a wish list. Since we are moving to v3, it is better to add a v3 endpoint in sample_data.sh. We still have only the v2.0 endpoint. I don't think keystoneclient will be affected since it doesn't use the endpoint from the catalog, but relies on version discovery.

** Affects: keystone
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1374045
[Yahoo-eng-team] [Bug 1361758] [NEW] Keystone should bootstrap CONF.member_role_name
Public bug reported:

Keystone should bootstrap CONF.member_role_name. As of now, it is created on the first create_user call. In the case of the LDAP backend there is no create_user call, so we will be missing this role. Horizon will not work without this role. Just like the "default" domain, we should also bootstrap CONF.member_role_name via keystone-manage db-synch.

** Affects: keystone
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1361758
[Yahoo-eng-team] [Bug 1361307] [NEW] Please port Certificate apis to V3
Public bug reported:

This is a wish list.

We need the certificates API to get the PKI certificates in the services. If we deprecate the v2.0 api, it will be odd if the services rely on the v2.0 api to fetch certificates.

** Affects: keystone
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1361307
[Yahoo-eng-team] [Bug 1361306] [NEW] Keystone doesn't handle user_attribute_id mapping
Public bug reported:

By default keystone gets the id from the first field of the DN. It doesn't use the user_id_attribute mapping from keystone.conf

In the following code, the "id" attribute is always 1 element in DN

---Relevant code---

    @staticmethod
    def _dn_to_id(dn):
        return utf8_decode(ldap.dn.str2dn(utf8_encode(dn))[0][0][1])

    def _ldap_res_to_model(self, res):
        obj = self.model(id=self._dn_to_id(res[0]))
        # LDAP attribute names may be returned in a different case than
        # they are defined in the mapping, so we need to check for keys
        # in a case-insensitive way.  We use the case specified in the
        # mapping for the model to ensure we have a predictable way of
        # retrieving values later.
        lower_res = dict((k.lower(), v) for k, v in six.iteritems(res[1]))
        for k in obj.known_keys:
            if k in self.attribute_ignore:
                continue
            try:
                v = lower_res[self.attribute_mapping.get(k, k).lower()]
            except KeyError:
                pass
            else:
                try:
                    obj[k] = v[0]
                except IndexError:
                    obj[k] = None
        return obj

** Affects: keystone
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1361306
[Yahoo-eng-team] [Bug 1332666] [NEW] Keystone token poor performance. Need index on user_id
Public bug reported:

Keystone middleware calls GET /v2.0/revoked every 10 sec, which generates a query similar to

    SELECT token.id AS token_id, token.expires AS token_expires,
           token.extra AS token_extra, token.valid AS token_valid,
           token.user_id AS token_user_id, token.trust_id AS token_trust_id
    FROM token
    WHERE token.valid = 1
      AND token.expires > '2014-06-19 23:18:48.196884'
      AND token.user_id = 'f6d9db238d084998aaef92ce425edff0';

This query most of the time uses the index "idx_token_expires", which results in too many rows. Sometimes, depending on the load, using this index matches more than 5 rows in our performance run, which is as good as a full table scan.

As all the queries use "user_id" in the where clause, the above query can be optimized by adding an index on user_id. The same performance run after adding the index on user_id doesn't show any degradation. Can you please consider adding this in upstream?

** Affects: keystone
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1332666
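The effect of the proposed index, as an added example that is not part of the original report: the report's query run against a constructed token table, comparing how many rows each predicate narrows to and which index the planner picks once user_id is indexed. It assumes SQLite as a stand-in for the deployment's database; the index name ix_token_user_id, the user ids and the 2000 generated rows are constructed for illustration.

```python
import sqlite3

# The query from the report, with its two literals turned into parameters.
QUERY = """
SELECT token.id AS token_id, token.expires AS token_expires,
       token.extra AS token_extra, token.valid AS token_valid,
       token.user_id AS token_user_id, token.trust_id AS token_trust_id
FROM token
WHERE token.valid = 1 AND token.expires > ? AND token.user_id = ?
"""
NOW = "2014-06-19 23:18:48.196884"
USER = "user-0007"  # constructed user id


def build_db(users=100, tokens_per_user=20):
    """Constructed table: every token is valid and expires after NOW."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE token (id TEXT PRIMARY KEY, expires TEXT, extra TEXT,"
        " valid INTEGER NOT NULL, user_id TEXT, trust_id TEXT)"
    )
    db.execute("CREATE INDEX idx_token_expires ON token (expires)")
    rows = [
        ("tok-%04d-%02d" % (u, t), "2014-06-20 %02d:00:00.000000" % t,
         "{}", 1, "user-%04d" % u, None)
        for u in range(users) for t in range(tokens_per_user)
    ]
    db.executemany("INSERT INTO token VALUES (?, ?, ?, ?, ?, ?)", rows)
    return db


def query_plan(db):
    """Planner's description of how it will execute QUERY."""
    rows = db.execute("EXPLAIN QUERY PLAN " + QUERY, (NOW, USER)).fetchall()
    return " | ".join(row[-1] for row in rows)


def count(db, where, params):
    sql = "SELECT COUNT(*) FROM token WHERE " + where
    return db.execute(sql, params).fetchone()[0]


def compare():
    db = build_db()
    result = {
        # Rows left to inspect when only the expiry predicate narrows.
        "rows_by_expires": count(db, "expires > ?", (NOW,)),
        # Rows left to inspect when the user predicate narrows.
        "rows_by_user": count(db, "user_id = ?", (USER,)),
        "plan_before": query_plan(db),
    }
    # Hypothetical name for the index the report asks for.
    db.execute("CREATE INDEX ix_token_user_id ON token (user_id)")
    result["plan_after"] = query_plan(db)
    result["matches"] = len(db.execute(QUERY, (NOW, USER)).fetchall())
    return result


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, "=", value)
```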
[Yahoo-eng-team] [Bug 1329864] [NEW] Owner role is broken in default v2 policy file
Public bug reported:

In v2 policy.json owner is defined as

    "owner" : "user_id:%(user_id)s",

It should be

    "owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",

Affected APIs,

Using default v2 policy file a user can't delete his own token due to this defect

** Affects: keystone
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1329864
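The difference between the two owner rules in the report above, as an added example that is not part of the original report and is not Keystone's policy engine: a simplified model in which each `kind:%(key)s` check is filled in from the request target and compared with the caller's credential. The `check` and `rule_allows` helpers, the sample ids and the shape of the token-deletion target are assumptions made for illustration; a check whose `%(...)s` key is missing from the target is treated as failed.

```python
BROKEN_OWNER = "user_id:%(user_id)s"
FIXED_OWNER = "user_id:%(user_id)s or user_id:%(target.token.user_id)s"


def check(expr, target, creds):
    """Evaluate one 'kind:match' check.

    The match template is filled from the target and must equal the
    caller's credential of that kind. A template key that is absent
    from the target makes the check fail instead of raising.
    """
    kind, match = expr.split(":", 1)
    try:
        expected = match % target
    except KeyError:
        return False
    return kind in creds and str(creds[kind]) == expected


def rule_allows(rule, target, creds):
    """A rule passes when any of its 'or'-joined checks passes."""
    return any(check(part.strip(), target, creds)
               for part in rule.split(" or "))


# Constructed requests. The token-deletion target is assumed to carry the
# token owner only under 'target.token.user_id', with no plain 'user_id'.
ALICE = {"user_id": "u-alice"}
BOB = {"user_id": "u-bob"}
DELETE_ALICES_TOKEN = {"target.token.user_id": "u-alice"}
READ_USER_ALICE = {"user_id": "u-alice"}


def demo():
    return {
        "broken: alice deletes own token":
            rule_allows(BROKEN_OWNER, DELETE_ALICES_TOKEN, ALICE),
        "fixed: alice deletes own token":
            rule_allows(FIXED_OWNER, DELETE_ALICES_TOKEN, ALICE),
        "fixed: bob deletes alice's token":
            rule_allows(FIXED_OWNER, DELETE_ALICES_TOKEN, BOB),
        "broken: alice reads own user":
            rule_allows(BROKEN_OWNER, READ_USER_ALICE, ALICE),
        "fixed: alice reads own user":
            rule_allows(FIXED_OWNER, READ_USER_ALICE, ALICE),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-36s %s" % (name, "allow" if allowed else "deny"))
```

The added `or` branch lets the token owner pass without widening access: a different caller still fails both checks.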
[Yahoo-eng-team] [Bug 1306835] [NEW] V3 list users filter by email address throws exception
Public bug reported:

V3 list_user filter by email throws exception. There is no such attribute email.

keystone.common.wsgi): 2014-04-11 23:09:00,422 ERROR type object 'User' has no attribute 'email'
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 206, in __call__
    result = method(context, **params)
  File "/usr/lib/python2.7/dist-packages/keystone/common/controller.py", line 183, in wrapper
    return f(self, context, filters, **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystone/identity/controllers.py", line 284, in list_users
    hints=hints)
  File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 52, in wrapper
    return f(self, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 189, in wrapper
    return f(self, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 328, in list_users
    ref_list = driver.list_users(hints or driver_hints.Hints())
  File "/usr/lib/python2.7/dist-packages/keystone/common/sql/core.py", line 227, in wrapper
    return f(self, hints, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/sql.py", line 132, in list_users
    user_refs = sql.filter_limit_query(User, query, hints)
  File "/usr/lib/python2.7/dist-packages/keystone/common/sql/core.py", line 374, in filter_limit_query
    query = _filter(model, query, hints)
  File "/usr/lib/python2.7/dist-packages/keystone/common/sql/core.py", line 326, in _filter
    filter_dict = exact_filter(model, filter_, filter_dict, hints)
  File "/usr/lib/python2.7/dist-packages/keystone/common/sql/core.py", line 312, in exact_filter
    if isinstance(getattr(model, key).property.columns[0].type,
AttributeError: type object 'User' has no attribute 'email'

** Affects: keystone
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1306835

Title:
  V3 list users filter by email address throws exception

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1306835/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
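One way to avoid the failure in the traceback above, as an added example that is not part of the bug report and not keystone's code: look filter names up in a declared column map instead of calling getattr() on a name taken from the request. `Column`, `User.columns`, `InvalidFilter`, `build_exact_filters` and `list_rows` are hypothetical stand-ins, and the example assumes the filter name arrives in the query string.

```python
# Added example: constructed stand-ins, not keystone's models or helpers.

class Column:
    """Minimal stand-in for a mapped column: just its Python type."""
    def __init__(self, type_):
        self.type = type_

class User:
    # Constructed schema. There is no 'email' column, as in the report.
    columns = {"id": Column(str), "name": Column(str),
               "domain_id": Column(str), "enabled": Column(bool)}

class InvalidFilter(ValueError):
    """Raised for a bad filter so the API layer can answer 400, not 500."""

def coerce(column, raw):
    """Convert a query-string value to the column's type."""
    if column.type is bool:
        lowered = raw.strip().lower()
        if lowered in ("true", "1"):
            return True
        if lowered in ("false", "0"):
            return False
        raise InvalidFilter("not a boolean: %r" % raw)
    return raw

def build_exact_filters(model, params, strict=True):
    """Return {column: value} for the filters that name real columns.

    Names are looked up in the declared column map, never with getattr(),
    so 'email', '__class__' or 'columns' cannot reach attribute access.
    strict=True rejects unknown names; strict=False silently ignores them.
    """
    accepted = {}
    for name, raw in params.items():
        column = model.columns.get(name)
        if column is None:
            if strict:
                raise InvalidFilter("unknown filter: %r" % name)
            continue
        accepted[name] = coerce(column, raw)
    return accepted

def list_rows(model, rows, params, strict=True):
    """Apply the validated filters to an in-memory list of row dicts."""
    wanted = build_exact_filters(model, params, strict)
    return [r for r in rows if all(r[k] == v for k, v in wanted.items())]

# Constructed sample data.
ROWS = [
    {"id": "u1", "name": "alice", "domain_id": "default", "enabled": True},
    {"id": "u2", "name": "bob", "domain_id": "default", "enabled": False},
]
```

With `strict=False` an unknown filter is dropped and the full list comes back, which is broader than the caller asked for; rejecting the request avoids that.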
[Yahoo-eng-team] [Bug 1295212] Re: Revoke token intermittently dumps stacktrace - Icehouse M3
Looks like this is fixed now in upstream on 3/8 by Morgan

** Changed in: keystone
   Status: New => Fix Released

https://bugs.launchpad.net/bugs/1295212

Title:
  Revoke token intermittently dumps stacktrace - Icehouse M3

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
Revoke token intermittently dumps stack trace. I don't see "remove" method in RevokeTree object. Maybe I'm missing something

(keystone.common.wsgi): 2014-03-20 03:17:55,054 ERROR 'RevokeTree' object has no attribute 'remove'
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 205, in __call__
    result = method(context, **params)
  File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 316, in authenticate_for_token
    self.authenticate(context, auth_info, auth_context)
  File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 416, in authenticate
    auth_context)
  File "/usr/lib/python2.7/dist-packages/keystone/auth/plugins/token.py", line 39, in authenticate
    response = self.provider.validate_token(token_id)
  File "/usr/lib/python2.7/dist-packages/keystone/token/provider.py", line 118, in validate_token
    self._is_valid_token(token)
  File "/usr/lib/python2.7/dist-packages/keystone/token/provider.py", line 227, in _is_valid_token
    self.check_revocation(token)
  File "/usr/lib/python2.7/dist-packages/keystone/token/provider.py", line 156, in check_revocation
    return self.check_revocation_v3(token)
  File "/usr/lib/python2.7/dist-packages/keystone/token/provider.py", line 149, in check_revocation_v3
    self.revoke_api.check_token(token_values)
  File "/usr/lib/python2.7/dist-packages/keystone/contrib/revoke/core.py", line 190, in check_token
    self._cache.synchronize_revoke_map(self.driver)
  File "/usr/lib/python2.7/dist-packages/keystone/contrib/revoke/core.py", line 79, in synchronize_revoke_map
    self.revoke_map.remove(e)
AttributeError: 'RevokeTree' object has no attribute 'remove'
[Yahoo-eng-team] [Bug 1295212] [NEW] Revoke token intermittently dumps stacktrace - Icehouse M3
Public bug reported:

Revoke token intermittently dumps stack trace. I don't see "remove" method in RevokeTree object. Maybe I'm missing something

(keystone.common.wsgi): 2014-03-20 03:17:55,054 ERROR 'RevokeTree' object has no attribute 'remove'
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 205, in __call__
    result = method(context, **params)
  File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 316, in authenticate_for_token
    self.authenticate(context, auth_info, auth_context)
  File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 416, in authenticate
    auth_context)
  File "/usr/lib/python2.7/dist-packages/keystone/auth/plugins/token.py", line 39, in authenticate
    response = self.provider.validate_token(token_id)
  File "/usr/lib/python2.7/dist-packages/keystone/token/provider.py", line 118, in validate_token
    self._is_valid_token(token)
  File "/usr/lib/python2.7/dist-packages/keystone/token/provider.py", line 227, in _is_valid_token
    self.check_revocation(token)
  File "/usr/lib/python2.7/dist-packages/keystone/token/provider.py", line 156, in check_revocation
    return self.check_revocation_v3(token)
  File "/usr/lib/python2.7/dist-packages/keystone/token/provider.py", line 149, in check_revocation_v3
    self.revoke_api.check_token(token_values)
  File "/usr/lib/python2.7/dist-packages/keystone/contrib/revoke/core.py", line 190, in check_token
    self._cache.synchronize_revoke_map(self.driver)
  File "/usr/lib/python2.7/dist-packages/keystone/contrib/revoke/core.py", line 79, in synchronize_revoke_map
    self.revoke_map.remove(e)
AttributeError: 'RevokeTree' object has no attribute 'remove'

** Affects: keystone
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1295212

Title:
  Revoke token intermittently dumps stacktrace - Icehouse M3

Status in OpenStack Identity (Keystone):
  New
[Yahoo-eng-team] [Bug 1294735] [NEW] Disable domain doesn't disable users in the domain
Public bug reported:

If you disable a domain, the users in the domain are not disabled.

** Affects: keystone
   Importance: Undecided
   Status: New

** Summary changed:

- disable domain
+ Disable domain doesn't disable users in the domain

https://bugs.launchpad.net/bugs/1294735

Title:
  Disable domain doesn't disable users in the domain

Status in OpenStack Identity (Keystone):
  New
[Yahoo-eng-team] [Bug 1294737] [NEW] Disable domain doesn't remove domain scoped tokens
Public bug reported:

Disable domain only revokes project scope token. It doesn't revoke domain scoped tokens

** Affects: keystone
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1294737

Title:
  Disable domain doesn't remove domain scoped tokens

Status in OpenStack Identity (Keystone):
  New
[Yahoo-eng-team] [Bug 1291465] [NEW] Allow user defined ids.
Public bug reported:

This is a feature request.

We should allow user supplied domain_id/user_id. There are some policy definitions in policy.v2.cloudadmin.json which rely on user being on particular domain. We really don't want to have UUID in policy files to identify the domain_id. One way to achieve this is to bootstrap the entries via raw sql. It will be better if we allow the same to be achieved via REST api.

So basically the ids are given by the caller. If the caller doesn't send the id then generate UUID

** Affects: keystone
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1291465

Title:
  Allow user defined ids.

Status in OpenStack Identity (Keystone):
  New
[Yahoo-eng-team] [Bug 1287414] [NEW] Keystone should not require CA key
Public bug reported:

Why do we need CA key? In a real deployment, if I were to get a cert for my server from Verisign, then Verisign won't provide its key. Basically the code should work without CA key. I believe it is not required for ssl setup and signing.

[ssl]
#enable = True
#certfile = /etc/keystone/ssl/certs/keystone.pem
#keyfile = /etc/keystone/ssl/private/keystonekey.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#ca_key = /etc/keystone/ssl/private/cakey.pem
#key_size = 1024
#valid_days = 3650
#cert_required = False
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost

[signing]
# Deprecated in favor of provider in the [token] section
# Allowed values are PKI or UUID
#token_format =
#certfile = /etc/keystone/ssl/certs/signing_cert.pem
#keyfile = /etc/keystone/ssl/private/signing_key.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#ca_key = /etc/keystone/ssl/private/cakey.pem
#key_size = 2048
#valid_days = 3650
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com

** Affects: keystone
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1287414

Title:
  Keystone should not require CA key

Status in OpenStack Identity (Keystone):
  New
[Yahoo-eng-team] [Bug 1284895] [NEW] GET v3/roles/{role_id}/users Lists users with a specified role.
Public bug reported:

This api is in the doc, but not in code

** Affects: keystone
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1284895

Title:
  GET v3/roles/{role_id}/users Lists users with a specified role.

Status in OpenStack Identity (Keystone):
  New
[Yahoo-eng-team] [Bug 1282752] [NEW] Dogpile cache in catalog driver
Public bug reported:

Actually this is a wishlist.

We have caching in assignment and token. It will be really helpful if we have caching in catalog as this is mostly static data. This will greatly improve create token performance.

** Affects: keystone
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1282752

Title:
  Dogpile cache in catalog driver

Status in OpenStack Identity (Keystone):
  New
[Yahoo-eng-team] [Bug 1282391] [NEW] Delete domain fails if the domain has domain grants
Public bug reported:

UserDomainGrant and GroupDomainGrant have a foreign key relation with domains. So we can't delete a domain unless we remove the grants.

On deletedomain we need to
-- Delete users
-- Delete groups
-- Delete projects
which should take care of removal of foreign key relations

** Affects: keystone
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1282391

Title:
  Delete domain fails if the domain has domain grants

Status in OpenStack Identity (Keystone):
  New