[Yahoo-eng-team] [Bug 1862802] [NEW] Avoid the default domain usage when the Domain is not specified in the project creation

2020-02-11 Thread Raildo Mascena de Sousa Filho
Public bug reported:

We should issue an exception here since if a v3 call does not explicitly
specify the domain_id in the entity, it should be using a domain scoped
token.  However, the current tempest heat tests issue a v3 call without
this. This is raised as bug #1283539.  Once this is fixed, we should
remove the line below and replace it with an error. Ahead of actually
changing the code to raise an exception, we issue a deprecation warning.

Since we can't change the current behavior of V3, because it will be
API-breaking, we need to fix it in the Keystone microversion.

https://opendev.org/openstack/keystone/src/branch/master/keystone/server/flask/common.py#L980-L998

** Affects: keystone
 Importance: Undecided
 Status: New


** Tags: fix-requires-microversion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1862802

Title:
  Avoid the default domain usage when the Domain is not specified in the
  project creation

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1862802/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
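
A simplified model of the fallback described in bug 1862802 above, added here as an illustration; it is not Keystone's code. The function name, the token dict shape and the "default" domain ID are assumptions made for the example.

```python
import warnings

DEFAULT_DOMAIN_ID = "default"  # assumed ID of the deployment's default domain


class DomainScopeRequired(Exception):
    """Raised in strict mode when no domain can be derived from the request."""


def resolve_domain_id(entity, token, strict=False):
    """Pick the domain for a new project (hypothetical, simplified model).

    entity: request body dict, may carry 'domain_id'
    token:  dict that has 'domain_id' only when the token is domain-scoped
    strict: False = behaviour in the report (fallback plus warning),
            True  = behaviour the report asks for (error)
    """
    if entity.get("domain_id"):
        return entity["domain_id"]
    if token.get("domain_id"):
        return token["domain_id"]
    if strict:
        raise DomainScopeRequired(
            "domain_id missing and token is not domain-scoped")
    warnings.warn(
        "no domain_id in request and token is not domain-scoped; "
        "falling back to the default domain",
        DeprecationWarning, stacklevel=2)
    return DEFAULT_DOMAIN_ID


def demo():
    project_token = {"project_id": "p-123"}  # constructed, project-scoped
    domain_token = {"domain_id": "d-acme"}   # constructed, domain-scoped
    out = {
        "explicit": resolve_domain_id({"domain_id": "d-x"}, project_token),
        "scoped": resolve_domain_id({"name": "b"}, domain_token),
    }
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        # Project lands in the default domain although nobody asked for it.
        out["fallback"] = resolve_domain_id({"name": "c"}, project_token)
        out["warned"] = [w.category.__name__ for w in caught]
    try:
        resolve_domain_id({"name": "c"}, project_token, strict=True)
        out["strict"] = "accepted"
    except DomainScopeRequired:
        out["strict"] = "rejected"
    return out
```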


[Yahoo-eng-team] [Bug 1734871] Re: overcloud deployment fails on mistral action DeployStackAction

2017-11-28 Thread Raildo Mascena de Sousa Filho
** Project changed: tripleo => keystone

** Changed in: keystone
Milestone: queens-2 => None

** Changed in: keystone
 Assignee: (unassigned) => Raildo Mascena de Sousa Filho (raildo)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1734871

Title:
  overcloud deployment fails on mistral action DeployStackAction

Status in OpenStack Identity (keystone):
  Triaged

Bug description:
  When deploying tripleo from master repo, overcloud deploy fails with
  following error in stdout[1]:

  2017-11-28 09:58:09 |   u'version': u'2.0'},
  2017-11-28 09:58:09 | u'updated_at': u'2017-11-28 09:57:36'},
  2017-11-28 09:58:09 |  u'message': u"Failed to run action [action_ex_id=3f5e4daa-d266-4f61-9c1c-ff3f226a604b, action_cls='', attributes='{}', params='{u'skip_deploy_identifier': False, u'container': u'overcloud', u'timeout': 140}']\n ERROR: Internal Error",
  2017-11-28 09:58:09 |  u'status': u'FAILED'}

  Looking at heat logs [2] I found following error:

  2017-11-28 09:58:08.490 29964 ERROR heat.common.wsgi [req-0a6cefb5-beb2-4b61-b293-a50ffe375699 admin admin - default default] Unexpected error occurred serving API: Remote error: BadRequest Invalid input for field 'roles/1/name': u'_member_' does not match '^[a-zA-Z0-9-]+$'

  Failed validating 'pattern' in schema['properties']['roles']['items']['properties']['name']:
  {'maxLength': 64,
   'minLength': 1,
   'pattern': '^[a-zA-Z0-9-]+$',
   'type': 'string'}

  [1] https://logs.rdoproject.org/openstack-periodic/periodic-tripleo-ci-centos-7-ovb-3ctlr_1comp-featureset002-master-upload/5c3aa6c/undercloud/home/jenkins/overcloud_deploy.log.txt.gz
  [2] https://logs.rdoproject.org/openstack-periodic/periodic-tripleo-ci-centos-7-ovb-3ctlr_1comp-featureset002-master-upload/5c3aa6c/undercloud/var/log/heat/heat_api.log.txt.gz

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1734871/+subscriptions



[Yahoo-eng-team] [Bug 1590805] Re: Revoking "admin" role from a group invalidates user token

2016-06-13 Thread Raildo Mascena de Sousa Filho
According to your steps, you grant a group role and, as you said, the
domain admin won't be part of this group, so the behavior is correct. If
you want the domain admin to keep this role, you should grant the role to
the user and not just to the group.


** Changed in: keystone
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1590805

Title:
  Revoking "admin" role from a group invalidates user token

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  Steps to reproduce

  1. Login as domain admin
  2. Create a new group and grant "admin" role to it.
  3. Group will be empty with no users added to it. (Domain admin won't be part of this group)
  4. Now revoke "admin" role from this group.
  5. Token for domain admin will be invalidated and he/she has to login again.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1590805/+subscriptions



[Yahoo-eng-team] [Bug 1588356] [NEW] Glance must support keystone sessions

2016-06-02 Thread Raildo Mascena de Sousa Filho
Public bug reported:

Glance is one of the last OpenStack services left that does not support
instantiating a client using an existing Keystone session object. This
complicates handling glance-related code in other projects.

Moving to Keystone sessions would also enable easier integration with
various auth methods supported by Keystone as well as different Keystone
API versions.

** Affects: glance
 Importance: Undecided
 Assignee: Raildo Mascena de Sousa Filho (raildo)
 Status: In Progress

** Changed in: glance
 Assignee: (unassigned) => Raildo Mascena de Sousa Filho (raildo)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1588356

Title:
  Glance must support keystone sessions

Status in Glance:
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1588356/+subscriptions



[Yahoo-eng-team] [Bug 1506986] [NEW] documentation needs to be clarified about differences between subtree_as_ids and subtree_as_list

2015-10-16 Thread Raildo Mascena de Sousa Filho
Public bug reported:

The current documentation in the Identity API V3 just explains what the API
returns for subtree_as_ids and subtree_as_list.
The same documentation needs to be added for parents_as_ids and parents_as_list.
We need to explain what the difference is in the API response between these two
operations and what the expected use for them is.

** Affects: keystone
 Importance: Undecided
 Status: New

** Summary changed:

- documentation needs to be clarified about differences between subtree_as_ids 
and subtree_as_list  and the same for parents_as_ids and  subtree_aslist
+ documentation needs to be clarified about differences between subtree_as_ids 
and subtree_as_list

** Description changed:

  The current documentation in the idendity API V3 just explain what is the API 
returns about subtree_as_ids and subtree_as_list.
- We need to explain what is the difference in the APi response between this 
two operations and what is the excepted use for it.
+ The same documentation needs to be add for parents_as_ids and parents_as_list
+ We need to explain what is the difference in the API response between this 
two operations and what is the excepted use for it.

** Changed in: keystone
 Assignee: (unassigned) => Raildo Mascena de Sousa Filho (raildo)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1506986

Title:
  documentation needs to be clarified about differences between
  subtree_as_ids and subtree_as_list

Status in Keystone:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1506986/+subscriptions



[Yahoo-eng-team] [Bug 1279446] Re: Glance image create should handle invalid location more gracefully.

2014-07-15 Thread Raildo Mascena de Sousa Filho
The bug is already solved

I tried that way and I got HTTP 400 error, as you may see:

stack@raildo:~/devstack$ glance image-create --name test --location 'swift://example.com/container/obj'
400 Bad Request
Location is missing user:password information.
(HTTP 400)


** Changed in: glance
   Status: Triaged => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1279446

Title:
  Glance image create should handle invalid location more gracefully.

Status in OpenStack Image Registry and Delivery Service (Glance):
  Invalid

Bug description:
  On trying to create an image with invalid location uri, the following is the error message.
  HTTPInternalServerError (HTTP 500)

  This is not very informative. While it should be ideally 400 bad
  request.

  File /opt/stack/glance/glance/store/__init__.py, line 273, in get_size_from_backend
    return store.get_size(loc)
  File /opt/stack/glance/glance/store/swift.py, line 355, in get_size
    connection = self.get_connection(location)
  File /opt/stack/glance/glance/store/swift.py, line 612, in get_connection
    raise exception.BadStoreUri(message=reason)
  BadStoreUri: Location is missing user:password information.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1279446/+subscriptions



[Yahoo-eng-team] [Bug 1275744] [NEW] v3/projects /{project_id}/users/{user_id}/roles will not work for inherited roles

2014-02-03 Thread Raildo Mascena de Sousa Filho
Public bug reported:

When using inherited roles and the roles list call is made for the
user in the project, with v3, inherited roles are not shown. If we use
v2.0 (v2.0/tenants/{tenant_id}/users/{user_id}/roles) it works correctly
and shows the inherited roles.

** Affects: keystone
 Importance: Undecided
 Status: New

** Description changed:

  When using inherites roles and the roles list call is made ​​for the
  user in the project, with v3, inherited roles are not shown. If we use
- v2.0 (v2.0/tenants / tenant_id {} / users / {user_id} / roles) works
- correctly and shown the inherited roles.
+ v2.0 (v2.0/tenants/{tenant_id}/users/{user_id}/roles) works correctly
+ and shown the inherited roles.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1275744

Title:
  v3/projects /{project_id}/users/{user_id}/roles will not work for
  inherited roles

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1275744/+subscriptions



[Yahoo-eng-team] [Bug 1261847] [NEW] User with admin role in one domain and role member in another domain, usually works as admin but can not generate a token using role member

2013-12-17 Thread Raildo Mascena de Sousa Filho
Public bug reported:

When creating a user with the admin role in a domain 'X' and assigning the
same user the member role in domain 'Y', requesting a token in v3
keystone for the 'Y' domain returns an error that the user is not
associated with this domain, and the user cannot progress.

** Affects: keystone
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1261847

Title:
  User with admin role in one domain and role member in another domain,
  usually works as admin but can not generate a token using role member

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1261847/+subscriptions
