[Yahoo-eng-team] [Bug 1536300] [NEW] Catalog response is inconsistent for domain scoped token

2016-01-20 Thread Haneef Ali
Public bug reported:

Some of the endpoints include tenant information, and if we use a domain
scoped token there is no tenant information. So the catalog doesn't
have any entry for those services for a domain scoped token, which looks
odd.

Since a domain scoped token is used only by identity, the better approach
would be to include just the identity catalog for a domain scoped token.

e.g

Given below is the current response for domain scoped token.  What is
heat service's endpoint from this response?

| heat       | orchestration |                                       |
| nova       | compute       |                                       |
| cinder     | volume        |                                       |
|            |               |   internal: http://10.240.20.2:9090   |
|            |               | region1                               |
|            |               |   public: https://myhelion.test:9090  |
|            |               | region1                               |
|            |               |   admin: http://10.240.20.2:9090      |
| ceilometer | metering      | region1                               |
|            |               |   internal: http://10.240.20.2:8777/  |
|            |               | region1                               |
|            |               |   admin: http://10.240.20.2:8777/     |
|            |               | region1                               |
|            |               |   public: https://myhelion.test:8777/ |
|            |               |                                       |
| glance     | image         | region1                               |
|            |               |   public: https://myhelion.test:9292  |
|            |               | region1                               |
|            |               |   internal: http://10.240.20.2:9292   |
|            |               | region1                               |
|            |               |   admin: http://10.240.20.2:9292      |
|            |               |                                       |

** Affects: keystone
 Importance: Undecided
 Status: New

** Description changed:

  Some of the endpoints include tenant information and if we use domain
  scoped token there is no tenant information.  So the catalog doesn't
  have any entry for those services for domain scoped token which looks
  odd
  
- 
- Since domain scoped token is used only by identity, the better apprach would 
be to include  just identity catalog for domain scoped token.
+ Since domain scoped token is used only by identity, the better apprach
+ would be to include  just identity catalog for domain scoped token.
  
  e.g
  
  Given below is the current response for domain scoped token.  What is
  heat service's endpoint from this response?
  
  | heat   | orchestration |  |
  | nova   | compute   |  |
  | cinder | volume|  |
  ||   |   internal: http://10.240.20.2:9090  |
  ||   | region1  |
  ||   |   public: https://myhelion.test:9090 |
  ||   | region1  |
  ||   |   admin: http://10.240.20.2:9090 |
  | ceilometer | metering  | region1  |
  ||   |   internal: http://10.240.20.2:8777/ |
  ||   | region1  |
  ||   |   admin: http://10.240.20.2:8777/|
  ||   | region1  |
  ||   |   public: https://myhelion.test:8777/|
  ||   |  |
  | glance | image | region1  |
  ||   |   public: https://myhelion.test:9292 |
  ||   | region1  |
  ||   |   internal: http://10.240.20.2:9292  |
  ||   | region1  |
  ||   |   admin: http://10.240.20.2:9292 |
  ||   |  |

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1536300

Title:
  Catalog response is inconsistent for domain scoped token

Status in OpenStack Identity (k

[Yahoo-eng-team] [Bug 1528661] [NEW] Create region throws schema validation error for empty region

2015-12-22 Thread Haneef Ali
Public bug reported:

{
  " region" : {}
}

This is a valid request in Kilo, but it no longer works in Liberty.
Liberty is throwing an "index_out_of_range" error, which is rethrown as a
schema validation error.

https://github.com/openstack/keystone/blob/master/keystone/common/validation/__init__.py#L56

** Affects: keystone
 Importance: Undecided
 Status: New

-- 
https://bugs.launchpad.net/bugs/1528661

Title:
  Create region throws schema validation error for empty region

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1528661/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp


[Yahoo-eng-team] [Bug 1526976] [NEW] Any operation without token fails with internal server error for fernet token

2015-12-16 Thread Haneef Ali
Public bug reported:

This bug is only for fernet tokens. Configure keystone to use fernet
tokens. Call any operation without passing an X-Auth-Token. It reports a 500
error. It should throw 401.

e.g curl -X DELEETE $OS_AUTH_URL/v3/projects/ Haneef Ali (haneef)

-- 
https://bugs.launchpad.net/bugs/1526976

Title:
  Any operation without token fails with internal server error for
  fernet token

Status in OpenStack Identity (keystone):
  New



[Yahoo-eng-team] [Bug 1521772] [NEW] List users in a group by name throws HTTP 500 error

2015-12-01 Thread Haneef Ali
Public bug reported:

(keystone.common.wsgi): 2015-12-01 21:53:58,603 INFO wsgi __call__ GET http://192.168.245.9:35357/v3/groups/42b6bb3bb70f487cbf9633bf55eb9ddc/users?name=admin
(keystone.common.wsgi): 2015-12-01 21:53:58,610 ERROR wsgi __call__ Entity '' has no property 'name'
Traceback (most recent call last):
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/keystone/common/wsgi.py", line 248, in __call__
    result = method(context, **params)
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/keystone/common/controller.py", line 207, in wrapper
    return f(self, context, filters, **kwargs)
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/keystone/identity/controllers.py", line 233, in list_users_in_group
    refs = self.identity_api.list_users_in_group(group_id, hints=hints)
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/keystone/common/manager.py", line 58, in wrapper
    return f(self, *args, **kwargs)
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/keystone/identity/core.py", line 433, in wrapper
    return f(self, *args, **kwargs)
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/keystone/identity/core.py", line 444, in wrapper
    return f(self, *args, **kwargs)
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/keystone/identity/core.py", line 1123, in list_users_in_group
    ref_list = driver.list_users_in_group(entity_id, hints)
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/keystone/identity/backends/sql.py", line 226, in list_users_in_group
    query = sql.filter_limit_query(User, query, hints)
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/keystone/common/sql/core.py", line 410, in filter_limit_query
    query = _filter(model, query, hints)
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/keystone/common/sql/core.py", line 362, in _filter
    query = query.filter_by(**filter_dict)
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/sqlalchemy/orm/query.py", line 1345, in filter_by
    for key, value in kwargs.items()]
  File "/opt/stack/service/keystone/venv/lib/python2.7/site-packages/sqlalchemy/orm/base.py", line 383, in _entity_descriptor
    (description, key)
InvalidRequestError: Entity '' has no property 'name'

** Affects: keystone
 Importance: Undecided
 Status: New

-- 
https://bugs.launchpad.net/bugs/1521772

Title:
  List users in a group by name throws  HTTP 500 error

Status in OpenStack Identity (keystone):
  New


[Yahoo-eng-team] [Bug 1499555] [NEW] You can crash keystone or make the DB very slow by assigning many roles

2015-09-24 Thread Haneef Ali
Public bug reported:

This is applicable for UUID and PKI tokens.

The token table has an extra column where we store role information. It is a
blob with a 64K limit.

Basically we can do the following:

   Say user is U, and Project is P
   for i = 1 to 1000 (or any large number)
       role x = create role i with some large name
       assign role x for user U and Project P
   create a project scoped token for user U

** Affects: keystone
 Importance: Undecided
 Status: New

-- 
https://bugs.launchpad.net/bugs/1499555

Title:
  You can crash keystone or make the DB very slow by assigning many
  roles

Status in Keystone:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1499555/+subscriptions



[Yahoo-eng-team] [Bug 1485035] [NEW] cadf payload doesn't have initiator for v2 calls

2015-08-14 Thread Haneef Ali
Public bug reported:

CADF payload doesn't have initiator for any of the v2 calls.

e.g.
   1) v2 update user
   2) This internally calls identity_driver.update_user without the initiator
      argument, which is a default argument initialized to None
   3) If we call v3 update user, then we pass initiator. So the CADF payload
      for v3 has initiator

** Affects: keystone
 Importance: Undecided
 Status: New

-- 
https://bugs.launchpad.net/bugs/1485035

Title:
  cadf payload doesn't have initiator for v2 calls

Status in Keystone:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1485035/+subscriptions



[Yahoo-eng-team] [Bug 1483860] [NEW] Keystone version discovery is broken if you configure admin_endpoint and public_endpoint in conf file

2015-08-11 Thread Haneef Ali
Public bug reported:

Keystone version discovery is broken if you configure admin_endpoint
and public_endpoint in the conf file. Version discovery is supposed to
return the configured endpoint, but it will always return the "admin"
endpoint. This bug is in Juno/Kilo/master. This is only applicable for
v3.


In master
--
Please have a look at
https://github.com/openstack/keystone/blob/master/keystone/service.py#L130

V3 doesn't have public and admin factories. There is only one factory
and we are installing only Version("public"), so it is always going to
return the public_endpoint configured in the conf file.

Juno
--
In Juno it is a bit different:
https://github.com/openstack/keystone/blob/stable/juno/keystone/service.py#L114

We are installing both Version("Public") and Version("Admin") at /v3.
The first will take precedence, and here we will always get the "admin" endpoint.

** Affects: keystone
 Importance: Undecided
 Status: New

-- 
https://bugs.launchpad.net/bugs/1483860

Title:
  Keystone version discovery is broken if you configure admin_endpoint
  and public_endpoint in conf file

Status in Keystone:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1483860/+subscriptions



[Yahoo-eng-team] [Bug 1441733] [NEW] pip install or python setup.py install should include httpd/keystone.py

2015-04-08 Thread Haneef Ali
Public bug reported:

Now the recommended way to install keystone is via Apache. But
httpd/keystone.py is not included when we do python setup.py install
in keystone. It should be included.

** Affects: keystone
 Importance: Undecided
 Status: New

-- 
https://bugs.launchpad.net/bugs/1441733

Title:
  pip install or python setup.py install should include
  httpd/keystone.py

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1441733/+subscriptions



[Yahoo-eng-team] [Bug 1436141] Re: Federation get unscoped token from assertion throws : ERROR tuple index out of range

2015-03-25 Thread Haneef Ali
The exception doesn't happen with new mapping

** Changed in: keystone
   Status: New => Invalid

-- 
https://bugs.launchpad.net/bugs/1436141

Title:
  Federation get unscoped token from assertion throws : ERROR tuple
  index out of range

Status in OpenStack Identity (Keystone):
  Invalid

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1436141/+subscriptions
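
An added example, not part of the original report and not Keystone's own code: a lint check for mapping rules like the one logged in Bug 1436141, where a local rule uses {0} but direct_maps is empty by the time v.format(*direct_maps) runs. It assumes that only remote rules with neither any_one_of nor not_any_of contribute a direct-map value; CORRECTED_RULES is constructed for the example and all function names are hypothetical.

```python
import re
import string

# Mapping rules copied from the DEBUG "process rules" log line in the report.
REPORTED_RULES = [{
    "remote": [{"type": "openstack_user", "any_one_of": ["user1", "admin"]}],
    "local": [{"user": {"name": "{0}"}},
              {"group": {"id": "a9b7c29b5e2d4094a66e240d2827c622"}}],
}]

# Constructed for this example: a condition-free remote rule comes first so
# that {0} has a value to bind to; the any_one_of rule stays as a filter.
CORRECTED_RULES = [{
    "remote": [{"type": "openstack_user"},
               {"type": "openstack_user", "any_one_of": ["user1", "admin"]}],
    "local": REPORTED_RULES[0]["local"],
}]

# Assumption: remote rules carrying one of these keys only act as conditions
# and do not add an entry to direct_maps.
CONDITION_KEYS = ("any_one_of", "not_any_of")


def direct_map_count(remote_rules):
    """Number of remote rules expected to yield a direct-map value."""
    return sum(1 for rule in remote_rules
               if not any(key in rule for key in CONDITION_KEYS))


def placeholders(value, path="local"):
    """Yield (path, ref) for each format placeholder nested under value.

    ref is an int for positional fields, a str for named fields, and None
    when the string is not a valid format string at all.
    """
    if isinstance(value, dict):
        for key, child in value.items():
            yield from placeholders(child, "%s.%s" % (path, key))
    elif isinstance(value, list):
        for pos, child in enumerate(value):
            yield from placeholders(child, "%s[%d]" % (path, pos))
    elif isinstance(value, str):
        try:
            fields = [field for _, field, _, _
                      in string.Formatter().parse(value) if field is not None]
        except ValueError:
            yield path, None
            return
        auto = 0
        for field in fields:
            # "0.attr" or "0[key]" still refers to positional argument 0.
            head = re.split(r"[.\[]", field, maxsplit=1)[0]
            if head == "":
                yield path, auto
                auto += 1
            elif head.isdigit():
                yield path, int(head)
            else:
                yield path, head


def lint_mapping(rules):
    """Return (rule_number, path, problem) for every unsatisfiable placeholder."""
    findings = []
    for number, rule in enumerate(rules):
        available = direct_map_count(rule.get("remote", []))
        for path, ref in placeholders(rule.get("local", [])):
            if ref is None:
                problem = "malformed format string"
            elif isinstance(ref, str):
                problem = "named placeholder {%s} cannot be filled positionally" % ref
            elif ref >= available:
                problem = ("placeholder {%d} but only %d direct-map value(s)"
                           % (ref, available))
            else:
                continue
            findings.append((number, path, problem))
    return findings


if __name__ == "__main__":
    for label, rules in (("reported", REPORTED_RULES),
                         ("corrected", CORRECTED_RULES)):
        print(label, lint_mapping(rules) or "ok")
```

Running a check like this when a mapping is created or updated turns the problem into a validation error at configuration time instead of an unhandled IndexError during federated authentication.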



[Yahoo-eng-team] [Bug 1436141] [NEW] Federation get unscoped token from assertion throws : ERROR tuple index out of range

2015-03-24 Thread Haneef Ali
Public bug reported:

Relevant line in the code
  
https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/utils.py#L158

Relevant logs

(keystone.contrib.federation.utils): 2015-03-25 02:40:06,920 DEBUG utils process rules: [{u'remote': [{u'type': u'openstack_user', u'any_one_of': [u'user1', u'admin']}], u'local': [{u'user': {u'name': u'{0}'}}, {u'group': {u'id': u'a9b7c29b5e2d4094a66e240d2827c622'}}]}]
(keystone.contrib.federation.utils): 2015-03-25 02:40:06,920 DEBUG utils _update_local_mapping direct_maps:
(keystone.contrib.federation.utils): 2015-03-25 02:40:06,920 DEBUG utils _update_local_mapping local: {u'user': {u'name': u'{0}'}}
(keystone.contrib.federation.utils): 2015-03-25 02:40:06,920 DEBUG utils _update_local_mapping direct_maps:
(keystone.contrib.federation.utils): 2015-03-25 02:40:06,920 DEBUG utils _update_local_mapping local: {u'name': u'{0}'}
(keystone.contrib.federation.utils): 2015-03-25 02:40:06,920 DEBUG utils __getitem__ []
(keystone.contrib.federation.utils): 2015-03-25 02:40:06,921 DEBUG utils __getitem__ 0
(keystone.common.wsgi): 2015-03-25 02:40:06,922 ERROR wsgi __call__ tuple index out of range
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 239, in __call__
    result = method(context, **params)
  File "/usr/local/lib/python2.7/dist-packages/keystone/contrib/federation/controllers.py", line 267, in federated_authentication
    return self.authenticate_for_token(context, auth=auth)
  File "/usr/local/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 377, in authenticate_for_token
    self.authenticate(context, auth_info, auth_context)
  File "/usr/local/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 502, in authenticate
    auth_context)
  File "/usr/local/lib/python2.7/dist-packages/keystone/auth/plugins/mapped.py", line 70, in authenticate
    self.identity_api)
  File "/usr/local/lib/python2.7/dist-packages/keystone/auth/plugins/mapped.py", line 144, in handle_unscoped_token
    federation_api, identity_api)
  File "/usr/local/lib/python2.7/dist-packages/keystone/auth/plugins/mapped.py", line 193, in apply_mapping_filter
    mapped_properties = rule_processor.process(assertion)
  File "/usr/local/lib/python2.7/dist-packages/keystone/contrib/federation/utils.py", line 453, in process
    new_local = self._update_local_mapping(local, direct_maps)
  File "/usr/local/lib/python2.7/dist-packages/keystone/contrib/federation/utils.py", line 595, in _update_local_mapping
    new_value = self._update_local_mapping(v, direct_maps)
  File "/usr/local/lib/python2.7/dist-packages/keystone/contrib/federation/utils.py", line 597, in _update_local_mapping
    new_value = v.format(*direct_maps)
IndexError: tuple index out of range
(keystone.common.wsgi): 2015-03-25 02:40:06,922 ERROR tuple index out of range

** Affects: keystone
 Importance: Undecided
 Status: New

** Summary changed:

- Federation get unscoped token from assertion throws 
(keystone.contrib.federation.utils): 2015-03-25 02:40:06,920 DEBUG utils 
_update_local_mapping direct_maps: 
 
(keystone.contrib.federation.utils): 2015-03-25 02:40:06,920 DEBUG utils 
_update_local_mapping local: {u'user': {u'name': u'{0}'}} 
(keystone.contrib.federation.utils): 2015-03-25 02:40:06,920 DEBUG utils 
_update_local_mapping direct_maps: 
 
(keystone.contrib.federation.utils): 2015-03-25 02:40:06,920 DEBUG utils 
_update_local_mapping local: {u'name': u'{0}'} 
(keystone.contrib.federation.utils): 2015-03-25 02:40:06,920 DEBUG utils 
__getitem__ [] (keystone.contrib.federation.utils): 2015-03-25 02:40:06,921 
DEBUG utils __getitem__ 0 (keystone.common.wsgi): 2015-03-25 02:40:06,922 ERROR 
wsgi __call__ tuple index out of range Traceback (most recent call last):   
File "/usr/local/lib/python2
 .7/dist-packages/keystone/common/wsgi.py", line 239, in __call__ result = 
method(context, **params)   File 
"/usr/local/lib/python2.7/dist-packages/keystone/contrib/federation/controllers.py",
 line 267, in federated_authentication return 
self.authenticate_for_token(context, auth=auth)   File 
"/usr/local/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 
377, in authenticate_for_token self.authenticate(context, auth_info, 
auth_context)   File 
"/usr/local/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 
502, in authenticate auth_context)   File 
"/usr/local/lib/python2.7/dist-packages/keystone/auth/plugins/mapped.py", line 
70, in authenticate self.identity_api)   File 
"/usr/local/lib/python2.7/dist-packages/keystone/auth/plugins/mapped.py", line 
144, in handle_unscoped_token federation_api, identity_api)   File 
"/usr/local/lib/python2.7/dist-packages/keystone/auth/plugins/mapped.py", line 
193, in apply_mapping_filter mapped_propert
 ies = rule_processor.process(assertion)   File 
"/usr/local/lib/python2.7/dist-packages/keystone/

[Yahoo-eng-team] [Bug 1431669] [NEW] Create saml assertion doesn't work with fernet token

2015-03-12 Thread Haneef Ali
Public bug reported:

TypeError: token must be bytes.
(keystone.common.wsgi): 2015-03-13 03:04:16,968 ERROR token must be bytes.
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 238, in __call__
    result = method(context, **params)
  File "/usr/local/lib/python2.7/dist-packages/keystone/common/validation/__init__.py", line 36, in wrapper
    return func(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystone/contrib/federation/controllers.py", line 328, in create_saml_assertion
    token_data = self.token_provider_api.validate_token(token_id)
  File "/usr/local/lib/python2.7/dist-packages/keystone/token/provider.py", line 196, in validate_token
    token = self._validate_token(unique_id)
  File "/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 1040, in decorate
    should_cache_fn)
  File "/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 651, in get_or_create
    async_creator) as value:
  File "/usr/local/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 158, in __enter__
    return self._enter()
  File "/usr/local/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 98, in _enter
    generated = self._enter_create(createdtime)
  File "/usr/local/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 149, in _enter_create
    created = self.creator()
  File "/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 619, in gen_value
    created_value = creator()
  File "/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 1036, in creator
    return fn(*arg, **kw)
  File "/usr/local/lib/python2.7/dist-packages/keystone/token/provider.py", line 257, in _validate_token
    return self.driver.validate_v3_token(token_id)
  File "/usr/local/lib/python2.7/dist-packages/keystone/token/providers/fernet/core.py", line 150, in validate_v3_token
    token_formatter.validate_token(token_str))
  File "/usr/local/lib/python2.7/dist-packages/keystone/token/providers/fernet/token_formatters.py", line 223, in validate_token
    payload = self.unpack(token_string)
  File "/usr/local/lib/python2.7/dist-packages/keystone/token/providers/fernet/token_formatters.py", line 125, in unpack
    decrypted_token = self.crypto.decrypt(token_string)
  File "/usr/local/lib/python2.7/dist-packages/cryptography/fernet.py", line 138, in decrypt
    return f.decrypt(msg, ttl)
  File "/usr/local/lib/python2.7/dist-packages/cryptography/fernet.py", line 75, in decrypt
    raise TypeError("token must be bytes.")
TypeError: token must be bytes.

** Affects: keystone
 Importance: Undecided
 Status: New


** Tags: fernet

** Tags added: fernet

-- 
https://bugs.launchpad.net/bugs/1431669

Title:
  Create saml assertion doesn't work with fernet token

Status in OpenStack Identity (Keystone):
  New


[Yahoo-eng-team] [Bug 1430951] [NEW] Revocation causes duplicate events in revocation table

2015-03-11 Thread Haneef Ali
Public bug reported:

Revoke a project scoped token

You see 3 entries in revocation_event table

1) (id, user_id, project_id, role_id, issued_before)
2) (id, user_id,, issued_before)
3) (id, user_id,, issued_before)

2 & 3 are redundant. Definitely 3) is redundant as it is the same as 2).

BTW, this is from the master branch as of 3/11/2015.

** Affects: keystone
 Importance: Undecided
 Status: New

-- 
https://bugs.launchpad.net/bugs/1430951

Title:
  Revocation causes duplicate events in revocation table

Status in OpenStack Identity (Keystone):
  New

Bug description:
  Revoke a project scoped token

  You see 3 entries in revocation_event table

  1) (id, user_id, project_id, role_id, issued_before)
  2) (id, user_id,, issued_before)
  3) (id, user_id,, issued_before)

  2 & 3 are redundant.  Definitely  3) is redundant as it is  same as 2)

  BTW, this from  master branch as of 3/11/2015

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1430951/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp


[Yahoo-eng-team] [Bug 1430433] [NEW] Fernet token validation doesn't return catalog and role information for domain scoped tokens

2015-03-10 Thread Haneef Ali
Public bug reported:


root@4d4627c10662:/etc/keystone# curl -k -H "X-Auth-Token:ADMIN" -H "X-Subject-Token:$d" http://localhost:35357/v3/auth/tokens | python -mjson.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   292  100   292    0     0    154      0  0:00:01  0:00:01 --:--:--   154
{
    "token": {
        "audit_ids": [
            "c5zfY85bTrm_q8pAy2hk-A"
        ],
        "expires_at": "2015-03-14T20:44:40Z",
        "extras": {},
        "issued_at": "2015-03-10T16:44:40Z",
        "methods": [
            "password",
            "token"
        ],
        "user": {
            "domain": {
                "id": "default",
                "name": "Default"
            },
            "id": "ad89796c89e7422bb8b9f1bbf9d84bf6",
            "name": "admin"
        }
    }
}
root@4d4627c10662:/etc/keystone#

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1430433


[Yahoo-eng-team] [Bug 1430062] [NEW] Fernet token response has wrong methods

2015-03-09 Thread Haneef Ali
Public bug reported:

If you validate a fernet token, the token response has 2 methods. Since
the token is obtained using the "password" method, the response should
only have the "password" method


ex - token response

    "expires_at": "2015-03-14T03:06:39Z",
    "extras": {},
    "issued_at": "2015-03-09T23:06:39Z",
    "methods": [
        "password",
        "token"
    ],

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1430062


[Yahoo-eng-team] [Bug 1418678] [NEW] Most of the keystone calls generate exception in dogpile when caching is disabled

2015-02-05 Thread Haneef Ali
Public bug reported:

Even though dogpile caching is disabled, most of the calls generate the
following three lines

2015-02-03 15:17:13.041 30043 DEBUG dogpile.core.dogpile [-] NeedRegenerationException _enter /opt/stack/venvs/openstack/lib/python2.7/site-packages/dogpile/core/dogpile.py:94
2015-02-03 15:17:13.041 30043 DEBUG dogpile.core.dogpile [-] no value, waiting for create lock _enter_create /opt/stack/venvs/openstack/lib/python2.7/site-packages/dogpile/core/dogpile.py:127
2015-02-03 15:17:13.041 30043 DEBUG dogpile.core.dogpile [-] value creation lock  acquired _enter_create /opt/stack/venvs/openstack/lib/python2.7/site-packages/dogpile/core/dogpile.py:131
2015-02-03 15:17:13.042 30043 DEBUG dogpile.core.dogpile [-] Calling creation function _enter_create /opt/stack/venvs/openstack/lib/python2.7/site-packages/dogpile/core/dogpile.py:148
2015-02-03 15:17:13.048 30043 DEBUG dogpile.core.dogpile [-] Released creation lock _enter_create /opt/stack/venvs/openstack/lib/python2.7/site-packages/dogpile/core/dogpile.py:154


The worrying aspect in this log is "NeedRegenerationException"

Related code fragment from dogpile is ---
    def _enter(self):
        value_fn = self.value_and_created_fn

        try:
            value = value_fn()
            value, createdtime = value
        except NeedRegenerationException:
            log.debug("NeedRegenerationException")
            value = NOT_REGENERATED
            createdtime = -1

This is an obvious exception; it is throwing an error since caching is
disabled and there is no key.

Is there a way to bypass this code when caching is disabled? This can
very well be a performance problem as this exception is generated for
almost every call.

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1418678


[Yahoo-eng-team] [Bug 1402757] [NEW] Log message for token_flush is wrong

2014-12-15 Thread Haneef Ali
Public bug reported:

Token flush is done in batches. We are logging both the number of
tokens that are deleted in a batch and the total number of tokens deleted.
But the log message logs total tokens flushed in both places

** Affects: keystone
 Importance: Undecided
 Assignee: Haneef Ali (haneef)
 Status: New

** Changed in: keystone
 Assignee: (unassigned) => Haneef Ali (haneef)

https://bugs.launchpad.net/bugs/1402757


[Yahoo-eng-team] [Bug 1394730] [NEW] Keystone should not allow creation multiple service with same type

2014-11-20 Thread Haneef Ali
Public bug reported:

In the service table, only "ID" is primary, not type.

(i.e.) I can create two services of type "compute". If I do so,
then horizon and other service clients will throw an exception since
they don't know which service to pick up.

The best way to avoid this is to not allow creation of two services with
the same type.

Note:
  In order to support different versions, services use different types, e.g. Nova
creates services of type "compute" and "computev3"


This is related to https://bugs.launchpad.net/bugs/1369401 which is closed as
"won't fix"

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1394730


[Yahoo-eng-team] [Bug 1387379] [NEW] List users and List project raises 401 for admin users if you enable multi domain configuration

2014-10-29 Thread Haneef Ali
Public bug reported:

Steps to reproduce

1) Enable domain specific drivers for identity
 domain_specific_drivers_enabled = True
2) Add domain specific configuration files

3) Either get a token which has admin privilege or the ADMIN token
configured in keystone.conf

4) Use the token to do GET v3/users and GET /v3/groups

Both of them raise 401

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1387379


[Yahoo-eng-team] [Bug 1386810] [NEW] Keystone should not create a queue. Or it should empty the queue

2014-10-28 Thread Haneef Ali
Public bug reported:

If you enable "messaging", keystone creates a queue "notification.info"
and sends a message with the routing key "notification.info" to the
queue.

As per rabbitmq, a producer sends a message to an "Exchange" and a
consumer creates a queue and attaches to the exchange to receive the
message. A producer never creates a queue unless it follows RPC semantics
to get a response.

Also, the keystone clients' notification consumption pattern is different
from other services such as nova. Keystone consumers need exclusive
access to the queue.

Consider the following scenario where "glance" and "nova" are interested
in the "project.deleted" event.

Case 1: Consumer doesn't create a queue; instead it takes the message from
the "notification.info" queue created by keystone

   1) If glance picks up the "project.deleted" event, then the
message is lost. Nova can't get that message since the queue is not
exclusive. Basically only one consumer can get the message if they
connect to the "notification.info" queue


Case 2: Consumer creates an "exclusive" queue and attaches to the exchange

 1) Glance creates a queue with a random name and attaches to the exchange
saying it is interested in messages with routing key "notification.info"
 2) Nova creates a queue with a random name and attaches to the exchange
saying it is interested in messages with routing key "notification.info"
 3) Since the queues are exclusive, each will get the "project.deleted" event.
 4) This is the general consumption pattern for a "topic" exchange
 5) But no one is emptying the messages from the "notification.info" queue that
is created by "keystone". It will keep on accumulating.


So there are 2 ways to fix it. Either don't create a queue or add a listener
which empties the queue.

Oslo by default creates a queue which is applicable to nova but not to
keystone.

https://github.com/openstack/oslo.messaging/blob/master/oslo/messaging/_drivers/impl_rabbit.py#L411

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1386810
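
The two consumption patterns from the report above, modelled in memory as an added example that is not part of the original bug report and not oslo.messaging code. The TopicExchange class, the per-consumer queue names and the message bodies are constructed for illustration; only the "notification.info" name and the "project.deleted" event come from the report.

```python
"""In-memory model of an AMQP topic exchange (constructed; no broker needed)."""
from collections import deque

TOPIC = "notification.info"   # queue name and routing key as quoted in the report


def topic_matches(pattern, routing_key):
    """AMQP topic match: '*' is exactly one word, '#' is zero or more words."""
    def match(p, k):
        if not p:
            return not k
        if p[0] == "#":
            # '#' may swallow zero words, or one word and stay active.
            return match(p[1:], k) or (bool(k) and match(p, k[1:]))
        if not k:
            return False
        return (p[0] == "*" or p[0] == k[0]) and match(p[1:], k[1:])
    return match(pattern.split("."), routing_key.split("."))


class TopicExchange:
    def __init__(self):
        self.queues = {}      # queue name -> deque of pending messages
        self.bindings = []    # (binding pattern, queue name)

    def declare_queue(self, name, binding_key):
        self.queues.setdefault(name, deque())
        if (binding_key, name) not in self.bindings:
            self.bindings.append((binding_key, name))

    def publish(self, routing_key, body):
        # One copy of the message goes to every queue with a matching binding.
        delivered = set()
        for pattern, name in self.bindings:
            if name not in delivered and topic_matches(pattern, routing_key):
                self.queues[name].append(body)
                delivered.add(name)

    def consume(self, name):
        """Pop one message; readers of the same queue compete for it."""
        queue = self.queues[name]
        return queue.popleft() if queue else None

    def depth(self, name):
        return len(self.queues[name])


def case1_shared_queue():
    """Case 1: glance and nova both read the queue the producer declared."""
    ex = TopicExchange()
    ex.declare_queue(TOPIC, TOPIC)            # declared by the producer (keystone)
    ex.publish(TOPIC, "project.deleted")
    return {"glance": ex.consume(TOPIC), "nova": ex.consume(TOPIC)}


def case2_exclusive_queues(events=3):
    """Case 2: each consumer binds its own queue; nobody reads the producer's."""
    ex = TopicExchange()
    ex.declare_queue(TOPIC, TOPIC)            # producer-declared queue
    ex.declare_queue("glance-7f3a", TOPIC)    # constructed random-style names
    ex.declare_queue("nova-c21e", TOPIC)
    seen = {"glance": [], "nova": []}
    for i in range(events):
        ex.publish(TOPIC, "project.deleted #%d" % i)
        seen["glance"].append(ex.consume("glance-7f3a"))
        seen["nova"].append(ex.consume("nova-c21e"))
    # Backlog left in the queue that no consumer is attached to.
    return seen, ex.depth(TOPIC)


if __name__ == "__main__":
    print("case 1:", case1_shared_queue())
    print("case 2:", case2_exclusive_queues())
```

In case 2 the backlog grows by one for every published event, which is the unbounded accumulation the report describes for the producer-declared queue.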


[Yahoo-eng-team] [Bug 1384457] [NEW] Self value in Link is wrong in GET /OS-REVOKE/events

2014-10-22 Thread Haneef Ali
Public bug reported:

There are 2 events in the path


# curl -k -H "X-Auth-Token:SomeToken" http://localhost:35357/v3/OS-REVOKE/events | python -mjson.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   304  100   304    0     0    313      0 --:--:-- --:--:-- --:--:--   313
{
    "events": [
        {
            "issued_before": "2014-10-22T20:26:14.00Z",
            "project_id": "f5590b050dc14795b5e8447a223bd696"
        },
        {
            "audit_id": "cAV3qiytQkuzpANJ3CPFRg",
            "issued_before": "2014-10-22T20:29:44.00Z"
        }
    ],
    "links": {
        "next": null,
        "previous": null,
        "self": "http://localhost:35357/v3/OS-REVOKE/events/events"
    }
}

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1384457


[Yahoo-eng-team] [Bug 1383924] [NEW] keystone notification should use different topic for CADF and normal notificaiton

2014-10-21 Thread Haneef Ali
Public bug reported:

Keystone uses the same topic for both normal notification and audit.
Ideally both should be in different topics. Both have different
security/persistence requirements

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1383924


[Yahoo-eng-team] [Bug 1378532] [NEW] Keystone token date format is inconsistent

2014-10-07 Thread Haneef Ali
Public bug reported:

issued_at field is only in v3, but v2 token response has issued_at. This
is not a major issue. But the format of the date is inconsistent


"token": {
    "expires": "2014-10-08T00:51:35Z",
    "id": "a94eec3993a74bf4b26f91bd485f3b6d",
    "issued_at": "2014-10-07T20:51:36.005469",

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1378532


[Yahoo-eng-team] [Bug 1378036] [NEW] Keystone unit tests should use domain scoped token

2014-10-06 Thread Haneef Ali
Public bug reported:

Keystone is moving towards v3.  Identity operations are supposed to use
domain scoped token and all the services are supposed to use tenant
scoped token.  The concept of domain_admin will work only if you use
domain scoped token.

Most of the keystone unit tests use v3 tokens. But those v3 tokens
are "project scoped". They should have been domain scoped.

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1378036


[Yahoo-eng-team] [Bug 1374045] [NEW] Add v3 endpoint for identity in catalog

2014-09-25 Thread Haneef Ali
Public bug reported:

This is a wish list.

Since we are moving to v3, it is better to add a v3 endpoint in
sample_data.sh. We still have only the v2.0 endpoint. I don't think
keystoneclient will be affected since it doesn't use the endpoint from
the catalog, but relies on version discovery

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1374045


[Yahoo-eng-team] [Bug 1361758] [NEW] Keystone should bootstrap CONF.member_role_name

2014-08-26 Thread Haneef Ali
Public bug reported:

Keystone should bootstrap CONF.member_role_name. As of now, it is
created on the first create_user call. In case of the LDAP backend there is
no create_user call, so we will be missing this role. Horizon will not
work without this role.

Just like the "default" domain, we should also bootstrap
CONF.member_role_name via keystone-manage db-synch.

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1361758


[Yahoo-eng-team] [Bug 1361307] [NEW] Please port Certificate apis to V3

2014-08-25 Thread Haneef Ali
Public bug reported:

This is a wish list

We need the certificates API to get the PKI certificates in the services. If
we deprecate the v2.0 api, it will be odd if the services rely on the v2.0 api
to fetch certificates.

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1361307


[Yahoo-eng-team] [Bug 1361306] [NEW] Keysttone doesn't handle user_attribute_id mapping

2014-08-25 Thread Haneef Ali
Public bug reported:

By default keystone gets the id from the first field of the DN. It doesn't use
the user_id_attribute mapping from keystone.conf

In the following code, the "id" attribute is always the 1st element in the DN
---Relevant code---

    @staticmethod
    def _dn_to_id(dn):
        return utf8_decode(ldap.dn.str2dn(utf8_encode(dn))[0][0][1])

    def _ldap_res_to_model(self, res):
        obj = self.model(id=self._dn_to_id(res[0]))
        # LDAP attribute names may be returned in a different case than
        # they are defined in the mapping, so we need to check for keys
        # in a case-insensitive way.  We use the case specified in the
        # mapping for the model to ensure we have a predictable way of
        # retrieving values later.
        lower_res = dict((k.lower(), v) for k, v in six.iteritems(res[1]))
        for k in obj.known_keys:
            if k in self.attribute_ignore:
                continue

            try:
                v = lower_res[self.attribute_mapping.get(k, k).lower()]
            except KeyError:
                pass
            else:
                try:
                    obj[k] = v[0]
                except IndexError:
                    obj[k] = None

        return obj

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1361306
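
A check for the mismatch reported above, added here as an example that is not part of the original report or of keystone's code: it compares the id derived from the first RDN of the DN with the id read through a configured attribute. The directory entries, the helper names and the choice of "uid" as the mapped id attribute are assumptions, and first_rdn_value is a simplified stand-in for the ldap.dn.str2dn call in the quoted code.

```python
"""Compare the DN-derived id with the id from a mapped LDAP attribute."""


def first_rdn_value(dn):
    """Value of the first RDN, e.g. 'cn=Jane Doe,ou=Users,...' -> 'Jane Doe'.

    Simplified stand-in for ldap.dn.str2dn(dn)[0][0][1]: handles backslash
    escapes, but not multi-valued RDNs or hex-encoded values.
    """
    out, i = [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            out.append(dn[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            break                      # an unescaped comma ends the first RDN
        out.append(ch)
        i += 1
    return "".join(out).split("=", 1)[1]


def id_from_dn(entry):
    """Behaviour quoted in the report: the id is always the first RDN value."""
    dn, _attrs = entry
    return first_rdn_value(dn)


def id_from_mapping(entry, id_attribute):
    """Honour the configured id attribute, matching its name in any case."""
    dn, attrs = entry
    lowered = {k.lower(): v for k, v in attrs.items()}
    values = lowered.get(id_attribute.lower())
    if not values:
        raise KeyError("entry %r has no %r attribute" % (dn, id_attribute))
    return values[0]


# Constructed search results in the (dn, attrs) shape the quoted code consumes.
ENTRIES = [
    ("cn=Jane Doe,ou=Users,dc=example,dc=org",
     {"cn": ["Jane Doe"], "uid": ["jdoe"], "mail": ["jdoe@example.org"]}),
    ("cn=Doe\\, John,ou=Users,dc=example,dc=org",
     {"cn": ["Doe, John"], "UID": ["john"], "mail": ["john@example.org"]}),
    ("uid=svc-backup,ou=Services,dc=example,dc=org",
     {"uid": ["svc-backup"]}),
]


def mismatches(entries, id_attribute="uid"):
    """Entries whose DN-derived id differs from the mapped attribute."""
    found = []
    for entry in entries:
        got = id_from_dn(entry)
        want = id_from_mapping(entry, id_attribute)
        if got != want:
            found.append((entry[0], got, want))
    return found


if __name__ == "__main__":
    for dn, got, want in mismatches(ENTRIES):
        print("%s: id from DN %r, id from mapping %r" % (dn, got, want))
```

Only entries whose first RDN already is the mapped attribute (the third one here) get the same id either way.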


[Yahoo-eng-team] [Bug 1332666] [NEW] Kesytone token poor performance. Need index on user_id

2014-06-20 Thread Haneef Ali
Public bug reported:

Keystone middleware calls GET /v2.0/revoked every 10 sec which
generates a query similar to

SELECT token.id AS token_id, token.expires AS token_expires, token.extra
AS token_extra, token.valid AS token_valid, token.user_id AS
token_user_id, token.trust_id AS token_trust_id  FROM token WHERE
token.valid = 1 AND token.expires > '2014-06-19 23:18:48.196884' AND
token.user_id = 'f6d9db238d084998aaef92ce425edff0';

This query most of the time uses the index "idx_token_expires" which
results in too many rows. Sometimes, depending on the load, using
this index matches more than 5 rows in our performance run, which
is as good as a full table scan.

As all the queries use "user_id" in the where clause, the above query can be
optimized by adding an index on user_id. The same performance run after
adding the index on user_id doesn't show any degradation.

Can you please consider adding this in upstream?

** Affects: keystone
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1332666

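The effect of the proposed index, as an added example rather than Keystone code: it runs the report's query against an in-memory SQLite table filled with constructed tokens and compares how many rows each predicate selects and which index the planner picks. SQLite stands in for the deployment's database, and the index name ix_token_user_id is an assumption.

```python
import sqlite3
from datetime import datetime, timedelta

# Timestamp taken from the query in the report (microseconds dropped).
NOW = datetime(2014, 6, 19, 23, 18, 48)

QUERY = (
    "SELECT id, expires, extra, valid, user_id, trust_id FROM token "
    "WHERE valid = 1 AND expires > ? AND user_id = ?"
)


def build_db(users=200, tokens_per_user=50):
    """Constructed data set: many users, most of whose tokens are unexpired."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE token (id TEXT PRIMARY KEY, expires TEXT, extra TEXT,"
        " valid INTEGER, user_id TEXT, trust_id TEXT)"
    )
    # The only secondary index the report names.
    db.execute("CREATE INDEX idx_token_expires ON token (expires)")
    rows = []
    for u in range(users):
        for t in range(tokens_per_user):
            # One token in ten has already expired.
            delta = timedelta(hours=-1) if t % 10 == 0 else timedelta(hours=t + 1)
            rows.append((f"tok-{u}-{t}", (NOW + delta).isoformat(" "),
                         "{}", 1, f"user-{u}", None))
    db.executemany("INSERT INTO token VALUES (?, ?, ?, ?, ?, ?)", rows)
    return db


def plan(db, user_id):
    """Return the planner's description of how it will run QUERY."""
    rows = db.execute("EXPLAIN QUERY PLAN " + QUERY,
                      (NOW.isoformat(" "), user_id)).fetchall()
    return " | ".join(r[3] for r in rows)


def candidates(db, predicate, params):
    """Rows an index on this predicate alone would hand to the row filter."""
    sql = f"SELECT COUNT(*) FROM token WHERE {predicate}"
    return db.execute(sql, params).fetchone()[0]


def compare(user_id="user-7"):
    db = build_db()
    now = NOW.isoformat(" ")
    result = {
        "plan_before": plan(db, user_id),
        "rows_via_expires": candidates(db, "expires > ?", (now,)),
        "rows_via_user_id": candidates(db, "user_id = ?", (user_id,)),
    }
    # Hypothetical name for the index the report asks for.
    db.execute("CREATE INDEX ix_token_user_id ON token (user_id)")
    result["plan_after"] = plan(db, user_id)
    result["matches"] = len(db.execute(QUERY, (now, user_id)).fetchall())
    return result


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The expires predicate selects every unexpired token of every user, so its cost grows with the whole table, while the user_id predicate is bounded by one user's tokens.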


[Yahoo-eng-team] [Bug 1329864] [NEW] Owner role is broken in default v2 policy file

2014-06-13 Thread Haneef Ali
Public bug reported:

In v2 policy.json owner is defined as
  "owner" : "user_id:%(user_id)s",

It should be
  "owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",

Affected APIs,
   Using default v2 policy file a user can't delete his own token due to this defect

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1329864
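How the two owner definitions evaluate, as an added example: a simplified model of "kind:%(key)s" policy checks, not Keystone's or the policy engine's own code. The target dictionaries and user ids are constructed assumptions.

```python
def generic_check(check, target, creds):
    """Evaluate one 'kind:match' check, e.g. 'user_id:%(user_id)s'.

    The match string is filled in from the target, and the result must equal
    the caller's credential named by 'kind'. In this model a key missing from
    the target makes the check fail (deny) rather than raise.
    """
    kind, match = check.split(":", 1)
    try:
        expected = match % target
    except KeyError:
        return False
    return kind in creds and str(creds[kind]) == expected


def enforce(rule, target, creds):
    """Evaluate checks joined by ' or ', the only operator the report uses."""
    return any(generic_check(c.strip(), target, creds)
               for c in rule.split(" or "))


# The two definitions quoted in the report.
OWNER_SHIPPED = "user_id:%(user_id)s"
OWNER_PROPOSED = "user_id:%(user_id)s or user_id:%(target.token.user_id)s"

# Constructed inputs (assumptions, not captured from a deployment).
ALICE = {"user_id": "u-alice"}                   # caller's credentials
OWN_TOKEN = {"target.token.user_id": "u-alice"}  # token delete, own token
OTHER_TOKEN = {"target.token.user_id": "u-bob"}  # token delete, someone else's
USER_CALL = {"user_id": "u-alice"}               # call that targets a user id


def decision_table():
    """Map each case to (allowed by shipped rule, allowed by proposed rule)."""
    cases = {
        "own token": OWN_TOKEN,
        "other user's token": OTHER_TOKEN,
        "user API on self": USER_CALL,
    }
    return {
        name: (enforce(OWNER_SHIPPED, tgt, ALICE),
               enforce(OWNER_PROPOSED, tgt, ALICE))
        for name, tgt in cases.items()
    }


if __name__ == "__main__":
    for name, (shipped, proposed) in decision_table().items():
        print(f"{name}: shipped={shipped} proposed={proposed}")
```

The shipped rule denies the token owner because the target carries no plain user_id key; the proposed rule allows the owner and still denies a caller whose id differs from the token's.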


[Yahoo-eng-team] [Bug 1306835] [NEW] V3 list users filter by email address throws exception

2014-04-11 Thread Haneef Ali
Public bug reported:

V3 list_user filter by email throws exception. There is no such
attribute email.

(keystone.common.wsgi): 2014-04-11 23:09:00,422 ERROR type object 'User' has no attribute 'email'
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 206, in __call__
    result = method(context, **params)
  File "/usr/lib/python2.7/dist-packages/keystone/common/controller.py", line 183, in wrapper
    return f(self, context, filters, **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystone/identity/controllers.py", line 284, in list_users
    hints=hints)
  File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 52, in wrapper
    return f(self, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 189, in wrapper
    return f(self, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 328, in list_users
    ref_list = driver.list_users(hints or driver_hints.Hints())
  File "/usr/lib/python2.7/dist-packages/keystone/common/sql/core.py", line 227, in wrapper
    return f(self, hints, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/sql.py", line 132, in list_users
    user_refs = sql.filter_limit_query(User, query, hints)
  File "/usr/lib/python2.7/dist-packages/keystone/common/sql/core.py", line 374, in filter_limit_query
    query = _filter(model, query, hints)
  File "/usr/lib/python2.7/dist-packages/keystone/common/sql/core.py", line 326, in _filter
    filter_dict = exact_filter(model, filter_, filter_dict, hints)
  File "/usr/lib/python2.7/dist-packages/keystone/common/sql/core.py", line 312, in exact_filter
    if isinstance(getattr(model, key).property.columns[0].type,
AttributeError: type object 'User' has no attribute 'email'

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1306835


[Yahoo-eng-team] [Bug 1295212] Re: Revoke token intermittently dumps stacktrace - Icehouse M3

2014-03-20 Thread Haneef Ali
Looks like this is fixed now in upstream on 3/8 by Morgan

** Changed in: keystone
   Status: New => Fix Released

https://bugs.launchpad.net/bugs/1295212


[Yahoo-eng-team] [Bug 1295212] [NEW] Revoke token intermittently dumps stacktrace - Icehouse M3

2014-03-20 Thread Haneef Ali
Public bug reported:

Revoke token intermittently dumps stack trace.  I don't see a "remove"
method in the RevokeTree object.  Maybe I'm missing something

(keystone.common.wsgi): 2014-03-20 03:17:55,054 ERROR 'RevokeTree' object has no attribute 'remove'
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 205, in __call__
    result = method(context, **params)
  File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 316, in authenticate_for_token
    self.authenticate(context, auth_info, auth_context)
  File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 416, in authenticate
    auth_context)
  File "/usr/lib/python2.7/dist-packages/keystone/auth/plugins/token.py", line 39, in authenticate
    response = self.provider.validate_token(token_id)
  File "/usr/lib/python2.7/dist-packages/keystone/token/provider.py", line 118, in validate_token
    self._is_valid_token(token)
  File "/usr/lib/python2.7/dist-packages/keystone/token/provider.py", line 227, in _is_valid_token
    self.check_revocation(token)
  File "/usr/lib/python2.7/dist-packages/keystone/token/provider.py", line 156, in check_revocation
    return self.check_revocation_v3(token)
  File "/usr/lib/python2.7/dist-packages/keystone/token/provider.py", line 149, in check_revocation_v3
    self.revoke_api.check_token(token_values)
  File "/usr/lib/python2.7/dist-packages/keystone/contrib/revoke/core.py", line 190, in check_token
    self._cache.synchronize_revoke_map(self.driver)
  File "/usr/lib/python2.7/dist-packages/keystone/contrib/revoke/core.py", line 79, in synchronize_revoke_map
    self.revoke_map.remove(e)
AttributeError: 'RevokeTree' object has no attribute 'remove'

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1295212


[Yahoo-eng-team] [Bug 1294735] [NEW] Disable domain doesn't disable users in the domain

2014-03-19 Thread Haneef Ali
Public bug reported:

If you disable a domain, the users in the domain are not disabled.

** Affects: keystone
 Importance: Undecided
 Status: New

** Summary changed:

- disable domain
+ Disable domain doesn't disable users in the domain

https://bugs.launchpad.net/bugs/1294735


[Yahoo-eng-team] [Bug 1294737] [NEW] Disable domain doesn't remove domain scoped tokens

2014-03-19 Thread Haneef Ali
Public bug reported:

Disable domain only revokes project scope token. It doesn't revoke
domain scoped tokens

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1294737


[Yahoo-eng-team] [Bug 1291465] [NEW] Allow user defined ids.

2014-03-12 Thread Haneef Ali
Public bug reported:

This is a feature request

We should allow user supplied domain_id/user_id. There are some policy
definitions in policy.v2.cloudadmin.json which rely on the user being in a
particular domain. We really don't want to have UUID in policy files
to identify the domain_id. One way to achieve this is to bootstrap the
entries via raw sql. It will be better if we allow the same to be
achieved via REST api. So basically the ids are given by the caller.
If the caller doesn't send the id then generate UUID

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1291465


[Yahoo-eng-team] [Bug 1287414] [NEW] Keystone should not require CA key

2014-03-03 Thread Haneef Ali
Public bug reported:

Why do we need CA key?  In a real deployment, if I were to get a cert for
my server from Verisign, then Verisign won't provide its key.

Basically the code should work without CA key.

I believe it is not required for ssl setup and signing.


[ssl]
#enable = True
#certfile = /etc/keystone/ssl/certs/keystone.pem
#keyfile = /etc/keystone/ssl/private/keystonekey.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#ca_key = /etc/keystone/ssl/private/cakey.pem
#key_size = 1024
#valid_days = 3650
#cert_required = False
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost

[signing]
# Deprecated in favor of provider in the [token] section
# Allowed values are PKI or UUID
#token_format =

#certfile = /etc/keystone/ssl/certs/signing_cert.pem
#keyfile = /etc/keystone/ssl/private/signing_key.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#ca_key = /etc/keystone/ssl/private/cakey.pem
#key_size = 2048
#valid_days = 3650
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1287414


[Yahoo-eng-team] [Bug 1284895] [NEW] GET v3/roles/{role_id}/users Lists users with a specified role.

2014-02-25 Thread Haneef Ali
Public bug reported:

This api is in the doc, but not in code

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1284895


[Yahoo-eng-team] [Bug 1282752] [NEW] Dogpile cache in catalog driver

2014-02-20 Thread Haneef Ali
Public bug reported:

Actually this is a wishlist.

We have caching in assignment and token.  It will be really helpful if
we have caching in catalog as this is mostly static data. This will
greatly improve  create token performance.

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1282752


[Yahoo-eng-team] [Bug 1282391] [NEW] Delete domain fails if the domain has domain grants

2014-02-19 Thread Haneef Ali
Public bug reported:

UserDomainGrant and GroupDomainGrant have a foreign key relation with
domains. So we can't delete a domain unless we remove the grants.

On deletedomain we need to
   -- Delete users
   -- Delete groups
   -- Delete projects

which should take care of removal of foreign key relations

** Affects: keystone
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1282391