[Yahoo-eng-team] [Bug 1862802] [NEW] Avoid the default domain usage when the Domain is not specified in the project creation
Public bug reported: We should issue an exception here since if a v3 call does not explicitly specify the domain_id in the entity, it should be using a domain scoped token. However, the current tempest heat tests issue a v3 call without this. This is raised as bug #1283539. Once this is fixed, we should remove the line below and replace it with an error. Ahead of actually changing the code to raise an exception, we issue a deprecation warning. Since we can't change the current behavior of V3, because it will be api-breaking. We need to fix it in the Keystone microversion. https://opendev.org/openstack/keystone/src/branch/master/keystone/server/flask/common.py#L980-L998 ** Affects: keystone Importance: Undecided Status: New ** Tags: fix-requires-microversion -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1862802 Title: Avoid the default domain usage when the Domain is not specified in the project creation Status in OpenStack Identity (keystone): New Bug description: We should issue an exception here since if a v3 call does not explicitly specify the domain_id in the entity, it should be using a domain scoped token. However, the current tempest heat tests issue a v3 call without this. This is raised as bug #1283539. Once this is fixed, we should remove the line below and replace it with an error. Ahead of actually changing the code to raise an exception, we issue a deprecation warning. Since we can't change the current behavior of V3, because it will be api-breaking. We need to fix it in the Keystone microversion. https://opendev.org/openstack/keystone/src/branch/master/keystone/server/flask/common.py#L980-L998 To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1862802/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1734871] Re: overcloud deployment fails on mistral action DeployStackAction
** Project changed: tripleo => keystone ** Changed in: keystone Milestone: queens-2 => None ** Changed in: keystone Assignee: (unassigned) => Raildo Mascena de Sousa Filho (raildo) -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1734871 Title: overcloud deployment fails on mistral action DeployStackAction Status in OpenStack Identity (keystone): Triaged Bug description: When deploying tripleo from master repo, overcloud deploy fails with following error in stdout[1]: 2017-11-28 09:58:09 | u'version': u'2.0'}, 2017-11-28 09:58:09 | u'updated_at': u'2017-11-28 09:57:36'}, 2017-11-28 09:58:09 | u'message': u"Failed to run action [action_ex_id=3f5e4daa-d266-4f61-9c1c-ff3f226a604b, action_cls='', attributes='{}', params='{u'skip_deploy_identifier': False, u'container': u'overcloud', u'timeout': 140}']\n ERROR: Internal Error", 2017-11-28 09:58:09 | u'status': u'FAILED'} Looking at heat logs [2] i found following error: 2017-11-28 09:58:08.490 29964 ERROR heat.common.wsgi [req- 0a6cefb5-beb2-4b61-b293-a50ffe375699 admin admin - default default] Unexpected error occurred serving API: Remote error: BadRequest Invalid input for field 'roles/1/name': u'_member_' does not match '^[a-zA-Z0-9-]+$' Failed validating 'pattern' in schema['properties']['roles']['items']['properties']['name']: {'maxLength': 64, 'minLength': 1, 'pattern': '^[a-zA-Z0-9-]+$', 'type': 'string'} [1] https://logs.rdoproject.org/openstack-periodic/periodic-tripleo-ci-centos-7-ovb-3ctlr_1comp-featureset002-master-upload/5c3aa6c/undercloud/home/jenkins/overcloud_deploy.log.txt.gz [2] https://logs.rdoproject.org/openstack-periodic/periodic-tripleo-ci-centos-7-ovb-3ctlr_1comp-featureset002-master-upload/5c3aa6c/undercloud/var/log/heat/heat_api.log.txt.gz To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1734871/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1590805] Re: Revoking "admin" role from a group invalidates user token
According to your steps, you grant a group role, as you said, domain admin won't be part of this group, so the behavior is correct. If you want to domain admin still with this role, you should grant the role for user and not just for group. ** Changed in: keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1590805 Title: Revoking "admin" role from a group invalidates user token Status in OpenStack Identity (keystone): Invalid Bug description: Steps to reproduce 1. Login as domain admin 2. Create a new group and grant "admin" role to it. 3. Group will be empty with no users added to it.(Domain admin won't be part of this group) 4. Now revoke "admin" role from this group. 5. Token for domain admin will be invalidated and he/she has to login again. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1590805/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1588356] [NEW] Glance must support keystone sessions
Public bug reported: Glance is one of the last OpenStack services left that does not support instantiating a client using an existing Keystone session object. This complicates handling glance-related code in other projects. Moving to Keystone sessions would also enable easier integration with various auth methods supported by Keystone as well as different Keystone API versions. ** Affects: glance Importance: Undecided Assignee: Raildo Mascena de Sousa Filho (raildo) Status: In Progress ** Changed in: glance Assignee: (unassigned) => Raildo Mascena de Sousa Filho (raildo) -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance. https://bugs.launchpad.net/bugs/1588356 Title: Glance must support keystone sessions Status in Glance: In Progress Bug description: Glance is one of the last OpenStack services left that does not support instantiating a client using an existing Keystone session object. This complicates handling glance-related code in other projects. Moving to Keystone sessions would also enable easier integration with various auth methods supported by Keystone as well as different Keystone API versions. To manage notifications about this bug go to: https://bugs.launchpad.net/glance/+bug/1588356/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1506986] [NEW] documentation needs to be clarified about differences between subtree_as_ids and subtree_as_list
Public bug reported: The current documentation in the idendity API V3 just explain what is the API returns about subtree_as_ids and subtree_as_list. The same documentation needs to be add for parents_as_ids and parents_as_list We need to explain what is the difference in the API response between this two operations and what is the excepted use for it. ** Affects: keystone Importance: Undecided Status: New ** Summary changed: - documentation needs to be clarified about differences between subtree_as_ids and subtree_as_list and the same for parents_as_ids and subtree_aslist + documentation needs to be clarified about differences between subtree_as_ids and subtree_as_list ** Description changed: The current documentation in the idendity API V3 just explain what is the API returns about subtree_as_ids and subtree_as_list. - We need to explain what is the difference in the APi response between this two operations and what is the excepted use for it. + The same documentation needs to be add for parents_as_ids and parents_as_list + We need to explain what is the difference in the API response between this two operations and what is the excepted use for it. ** Changed in: keystone Assignee: (unassigned) => Raildo Mascena de Sousa Filho (raildo) -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1506986 Title: documentation needs to be clarified about differences between subtree_as_ids and subtree_as_list Status in Keystone: New Bug description: The current documentation in the idendity API V3 just explain what is the API returns about subtree_as_ids and subtree_as_list. The same documentation needs to be add for parents_as_ids and parents_as_list We need to explain what is the difference in the API response between this two operations and what is the excepted use for it. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1506986/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1474622] Re: test submit bug
** Changed in: keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1474622 Title: test submit bug Status in Keystone: Invalid Bug description: test To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1474622/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1279446] Re: Glance image create should handle invalid location more gracefully.
The bug is already solved I tried that way and I got HTTP 400 error, as you may see: stack@raildo:~/devstack$ glance image-create --name test --location 'swift://example.com/container/obj' 400 Bad Request Location is missing user:password information. (HTTP 400) ** Changed in: glance Status: Triaged => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance. https://bugs.launchpad.net/bugs/1279446 Title: Glance image create should handle invalid location more gracefully. Status in OpenStack Image Registry and Delivery Service (Glance): Invalid Bug description: On trying to create an image with invalid location uri, the following is the error message. HTTPInternalServerError (HTTP 500) This is not very informative. While it should be ideally 400 bad request. File "/opt/stack/glance/glance/store/__init__.py", line 273, in get_size_from_backend return store.get_size(loc) File "/opt/stack/glance/glance/store/swift.py", line 355, in get_size connection = self.get_connection(location) File "/opt/stack/glance/glance/store/swift.py", line 612, in get_connection raise exception.BadStoreUri(message=reason) BadStoreUri: Location is missing user:password information. To manage notifications about this bug go to: https://bugs.launchpad.net/glance/+bug/1279446/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1275744] [NEW] v3/projects /{project_id}/users/{user_id}/roles will not work for inherited roles
Public bug reported: When using inherites roles and the roles list call is made for the user in the project, with v3, inherited roles are not shown. If we use v2.0 (v2.0/tenants/{tenant_id}/users/{user_id}/roles) works correctly and shown the inherited roles. ** Affects: keystone Importance: Undecided Status: New ** Description changed: When using inherites roles and the roles list call is made for the user in the project, with v3, inherited roles are not shown. If we use - v2.0 (v2.0/tenants / tenant_id {} / users / {user_id} / roles) works - correctly and shown the inherited roles. + v2.0 (v2.0/tenants/{tenant_id}/users/{user_id}/roles) works correctly + and shown the inherited roles. -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1275744 Title: v3/projects /{project_id}/users/{user_id}/roles will not work for inherited roles Status in OpenStack Identity (Keystone): New Bug description: When using inherites roles and the roles list call is made for the user in the project, with v3, inherited roles are not shown. If we use v2.0 (v2.0/tenants/{tenant_id}/users/{user_id}/roles) works correctly and shown the inherited roles. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1275744/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1261847] [NEW] User with admin role in one domain and role member in another domain, usually works as admin but can not generate a token using role member
Public bug reported: When create a user with admin role in a domain 'X' and assigning the same user role as a member 'Y' domain. When requesting a token in v3 keystone for the 'Y' domain, an error is returned to the user is not associated with this domain, and the user can not progress. ** Affects: keystone Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1261847 Title: User with admin role in one domain and role member in another domain, usually works as admin but can not generate a token using role member Status in OpenStack Identity (Keystone): New Bug description: When create a user with admin role in a domain 'X' and assigning the same user role as a member 'Y' domain. When requesting a token in v3 keystone for the 'Y' domain, an error is returned to the user is not associated with this domain, and the user can not progress. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1261847/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp