Public bug reported:
Our token model code will return a default of True for is_admin_project
if that attribute is not defined. The comment next to this says this is
for backward compatibility - but this seems inherently dangerous. We
should investigate what changes are needed (if any) to make the
Public bug reported:
The new capability of is_admin_project is currently only supported for
projects. However, the existing code for token models will return
is_admin_project as True if the attribute has not been set. Hence admin
domain tokens might get interpreted as cloud admin tokens. This is
c
This appears to be working as designed. Inherited assignments are only
applied to the children of the anchor point. Hence there are no
effective assignments on P.
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engine
email is not a first class entity supported by Keystone. You can, using
the general ability to extend attributes (either with SQL or coming from
LDAP) cause such an attribute to be returned. Since it is not a first
class attribute, we do not show it in the standard API examples.
** Changed in: key
Public bug reported:
The existing developing.rst references the standard rolling upgrade
approach where contract can't remove anything until X+2 etc. This needs
to be updated for the new approach we have now merged.
** Affects: keystone
Importance: Undecided
Assignee: Henry Nash (
Hi
I think the puppet change is the right thing, I don't think there will
be much support for changing the keystone design here.
** Changed in: keystone
Status: In Progress => Invalid
Public bug reported:
The list role assignment will return the names (and domain names) of
each party in an assignment if the "include_names" query parameter
is included.
However, this is not true for roles, which would be useful for domain
specific roles.
** Affects: keystone
Importance
Public bug reported:
Migrate 105 (in Newton) adds the password created_at attribute, and
defaults it to now(). However, this is not a server default, rather it
is a "write to all existing rows" at the time the DB is migrated. The
following rolling upgrade sequence will cause this to remain unset:
This bug is invalid, since:
1) Inheritance is only applied to children of the node that carries the actual
inherited assignment
2) Effective assignments only show the result of all group & inherited
assignments, as well as valid non-inherited direct user assignments - but do not
include the sour
by the IP address of your keystone server.
Alternatively, you can use the python-keystoneclient library to write a
little python example.
** Also affects: python-openstackclient
Importance: Undecided
Status: New
** Changed in: python-openstackclient
Assignee: (unassigned) =>
This is not a bug, it is working as designed. The list grants API only
lists explicit grants. If you want to see "effective" grants, you should
use the List Assignments API.
** Changed in: keystone
Status: In Progress => Invalid
Public bug reported:
Commit ad7a7bd6ee36a7af61f88d98038d83aba25a9743
(https://review.openstack.org/#/c/296140/) moved driver interfaces for
core Identity into their own module (base.py in the backend directory).
For compatibility it included a class definition of IdentityDriverV8 in
the original l
So the v2 API is really a hang over from when creating a user with a
default project automatically granted you a role on that project,
leading to the concept of "user for a project". In v3 such an automatic
assignment does not occur, and in v3 we focus much more on the direct
assignments (i.e. user
Public bug reported:
If a trust is created with a list of roles, when the trust is used by
the trustee to obtain a token, we first make sure that the trustor still
has all the delegated roles. However, the way the code is written, if
any have been removed, we immediately fail the token creation, r
Public bug reported:
Our current logging is meant to provide different levels so that
operators can enable a suitable level (e.g. INFO) without going full
DEBUG (which operators consider potentially risky). INFO doesn't,
however, give you anything consistent.
** Affects: keystone
Importance
Public bug reported:
Currently, we require project admin or "higher" in order to issue a GET
/project call. This seems overly restrictive, since if you have a role
on a project, I would think you should be able to issue GET /project.
Further, there are cases (such as other projects wanting work w
legacy testing did not cover all the CRUD tests, which is why this was
not discovered when the V9 driver was created.
** Affects: keystone
Importance: High
Assignee: Henry Nash (henry-nash)
Status: In Progress
** Changed in: keystone
Importance: Undecided => High
** Chan
Due to the fact that we use the msg both for a log and an exception, I
think this code is OK
** Changed in: keystone
Status: In Progress => Invalid
Public bug reported:
Our API allows you to query keystone for the versions that it supports
(e.g. v2 and v3), as well as the minor version we support (e.g. 3.4) as
well as other status of the API. Looks like this was not updated for
the Liberty release:
versions['v3'] = {
ial update.
** Affects: keystone
Importance: High
Assignee: Henry Nash (henry-nash)
Status: New
** Changed in: keystone
Assignee: (unassigned) => Henry Nash (henry-nash)
** Changed in: keystone
Importance: Undecided => High
n the
field.
** Affects: keystone
Importance: Medium
Assignee: Henry Nash (henry-nash)
Status: New
** Changed in: keystone
Assignee: (unassigned) => Henry Nash (henry-nash)
** Changed in: keystone
Importance: Undecided => Medium
Public bug reported:
The Keystone V2 API is not meant to be able to "see" any users, groups or
projects outside of the default domain. APIs that list these entities
are careful to filter out any that are in non-default domains. However,
if you know your entity ID we don't prevent you from doing di
any
inherited or group role assignments any user may have on this project.
** Affects: keystone
Importance: Undecided
Assignee: Henry Nash (henry-nash)
Status: New
** Changed in: keystone
Assignee: (unassigned) => Henry Nash (henry-nash)
*** This bug is a duplicate of bug 1403539 ***
https://bugs.launchpad.net/bugs/1403539
I'm closing this defect, since it is essentially a duplicate of
https://bugs.launchpad.net/keystone/+bug/1403539. Please re-open if you
think there is a distinct defect here.
** This bug has been marked a
Public bug reported:
We introduced hierarchical projects in Kilo. The design (both then and
now) was that a project hierarchy existed in a single domain (i.e. all
the projects in the hierarchy were owned by the same domain).
We also still support (although disabled by default) the ability to
chan
I do not consider this a bug. We state that you must either explicitly
supply the domain_id of a group in the entity passed to the create call
OR use a domain scoped token. Since the ADMIN token is not a domain
scoped token, you must provide it in the entity itself (which, to be
honest, should be
r
we should add deprecation warning if we detect this situation for a
cycle?
** Affects: keystone
Importance: Undecided
Assignee: Henry Nash (henry-nash)
Status: In Progress
** Summary changed:
- Creating a user/group without a domain should raise an exception
+ Creating a use
So this is by design. If you are using LDAP for Identity and want to use
multiple domains, then you need to enable domain specific drivers in
Identity. This is done using the identity config
domain_specific_drivers_enabled option. However, I'd recommend you read
the keystone configuration.rst for
I don't think you want to do that for two reasons:
1) It is confusing
2) The keys in DRIVER dict are used by code to actually call the managers, so
you have just broken all the identity and assignment calls.
** Changed in: keystone
Status: New => Invalid
: keystone
Importance: Low
Assignee: Henry Nash (henry-nash)
Status: New
https://bugs.launchpad.net/bugs/1466772
Title:
File based domain config checks contain u
= msg % {'u_id': user_id, 't_id': tenant_id}
LOG.warning(msg)
raise exception.Unauthorized(msg)
** Affects: keystone
Importance: Low
Assignee: Henry Nash (henry-nash)
Status: New
technically
one should also specify the type of the assignment in the delete (e.g.
USER_PROJECT/USER_DOMAIN and USER_PROJECT/GROUP_PROJECT).
** Affects: keystone
Importance: Low
Assignee: Henry Nash (henry-nash)
Status: New
type
of the assignment in the delete (e.g. USER_PROJECT or GROUP_PROJECT).
** Affects: keystone
Importance: Low
Assignee: Henry Nash (henry-nash)
Status: New
Public bug reported:
This lazy loading was created to avoid a circular dependency between
identity and assignment. However it has a number of issues:
(Extracted from Bug #1410850)
First - if someone will call .setup_domain_drivers(...) multiple
times (perhaps we should add self.create() in this
time.
Domain configuration management operations are relatively infrequent,
but someone, somewhere will fall into this hole.
** Affects: keystone
Importance: Medium
Assignee: Henry Nash (henry-nash)
Status: New
Public bug reported:
There are many cases in the assignment manager where it uses .driver. to
call unique methods in the driver - which is not required, since we
already have these methods patched into the class.
** Affects: keystone
Importance: Wishlist
Assignee: Henry Nash (henry
are misnamed:
delete_group()
delete_user()
These should, for clarity, be called:
delete_group_assignments()
delete_user_assignments()
This is already flagged by a TODO comment in the driver class in the
identity manager.
** Affects: keystone
Importance: Wishlist
Assignee: Henry Nash
Public bug reported:
These should be corrected.
** Affects: keystone
Importance: Low
Assignee: Henry Nash (henry-nash)
Status: New
https
Ah, now I get what is going on - it is overriding the default one in the
Driver class...
** Changed in: keystone
Status: New => Invalid
https://bugs.launchpad.net/bu
Ah, no, it is using this to get an override in the case of sql.
** Changed in: keystone
Status: New => Invalid
https://bugs.launchpad.net/bugs/1435315
Title:
get_
Public bug reported:
Both the v2 and v3 get catalog calls take an optional parameter called
'metadata' - but this is never used. It should be removed.
** Affects: keystone
Importance: Medium
Assignee: Henry Nash (henry-nash)
Status: New
: Henry Nash (henry-nash)
Status: New
https://bugs.launchpad.net/bugs/1435315
Title:
get_v3_catalog is in the driver section of catalog/core - it should be
in
Public bug reported:
The v3 catalog is created from the v2 catalog in the catalog
manager/driver, and the sql backend get_v3_catalog method is therefore
never called - and should be removed.
** Affects: keystone
Importance: Medium
Assignee: Henry Nash (henry-nash)
Status: New
You need to be using a domain scoped token for the keystone to pick up
the domain from the token...it looks like the token you are using is an
unscoped token
** Changed in: keystone
Status: New => Invalid
No, we explicitly drop this constraint in the 062 migration. The reason
is that roles are stored in a different backend to the assignment table
- and it isn't safe to have FK relationships across backends.
** Changed in: keystone
Status: In Progress => Invalid
of the API can discover this.
** Affects: keystone
Importance: High
Assignee: Henry Nash (henry-nash)
Status: New
https://bugs.launchpad.net/bugs/1429557
to
by JSON Home.
** Affects: keystone
Importance: High
Assignee: Henry Nash (henry-nash)
Status: In Progress
** Description changed:
The API spec for domain-config contains the resource relationship for
the full domain-config, however since it is possible to manipulate
fects: keystone
Importance: High
Assignee: Henry Nash (henry-nash)
Status: New
** Description changed:
The manager API for domain-config database updates should raise a
DomainConfigNotFound exception if an explicit group or option has been
- specified in the url (i.e. passed
logging. We should switch off ldap debug logging for our unit tests.
** Affects: keystone
Importance: Critical
Assignee: Henry Nash (henry-nash)
Status: New
Importance: High
Assignee: Henry Nash (henry-nash)
Status: In Progress
https://bugs.launchpad.net/bugs/1426448
Title:
Identity API spec for creating
: Henry Nash (henry-nash)
Status: New
https://bugs.launchpad.net/bugs/1426310
Title:
The identity API spec includes examples of the email attribute
Status in
Public bug reported:
The current filter testing for backends covers some of the filtering
combinations (such as startswith), but not all of them. These should
be expanded to provide better coverage (especially as filtering is now
supported by SQL and LDAP backends).
** Affects: keystone
Im
new backend unit framework - and this
duplication should be removed.
** Affects: keystone
Importance: Low
Assignee: Henry Nash (henry-nash)
Status: In Progress
** Tags: test-improvement
on startup and fail with a clear error
message.
** Affects: keystone
Importance: Low
Assignee: Henry Nash (henry-nash)
Status: New
** Description changed:
- Although we know make it clear in our documentation and code comments
+ Although we now make it clear in our documentation
allow the
disabling of all existing assignments tests, a simple thing we can do to
let out-of-tree experimentation to at least use our test fixtures/utils
is not to error out if the assignment APIs return NotImplemented.
** Affects: keystone
Importance: Wishlist
Assignee: Henry Nash (henry
e
in resource. This stops proper decoupling between our components (and,
for instance, makes it harder to handle domain deletion via
notification).
We should drop the domain_id FK constraint on User & Group entities.
** Affects: keystone
Importance: Medium
Assignee: Henry Nash (he
: Henry Nash (henry-nash)
Status: New
https://bugs.launchpad.net/bugs/1415959
Title:
Role cache details are actually using the assignment values
Status in OpenStack
rewriting many of the other assignment listing methods to simply call
list_role_assignments.
** Affects: keystone
Importance: Medium
Assignee: Henry Nash (henry-nash)
Status: In Progress
** Tags: test-improvement
Public bug reported:
If we are using LDAP for Resource/Assignment, our code requires that you
are using it for Identity. We only hint at this in our code comments,
for instance in
https://review.openstack.org/#/c/144824/16/keystone/resource/backends/ldap.py
where we say:
# This is the only deep
t_api,
self.role_member['id'])
where we should really be passing self.role_api as opposed to
self.assignment_api in as a parameter.
** Affects: keystone
Importance: Low
Assignee: Henry Nash (henry-nash)
Status: New
** Changed in: keyston
Public bug reported:
We test the filtering and limiting of lists in test_backend.py - and do
this for projects, users and groups:
class LimitTests(filtering.FilterTests):
ENTITIES = ['user', 'group', 'project']
We don't do this for domain, since this would have problems with LDAP.
We should
Public bug reported:
The SQL identity driver leaves filtering on list_users_in_group and
list_groups_for_user to the controller. This is probably a reasonable
assumption - although the LDAP driver now does support at least
filtering on list_groups_for_user (this is included in
https://review.open
Public bug reported:
Our core LDAP driver makes a dangerous assumption that any attribute
that is equal to the string 'TRUE' or 'FALSE' must be a boolean and will
convert the value accordingly. For instance the following test:
def test_hn1(self):
ref = {
'name': 'TRUE',
Public bug reported:
A recent change [1] changed the keystone config, but didn't update the
sample.
[1] https://review.openstack.org/#/c/126897/
** Affects: keystone
Importance: High
Assignee: Henry Nash (henry-nash)
Status: New
: Henry Nash (henry-nash)
Status: New
** Tags: test-improvement
https://bugs.launchpad.net/bugs/1410750
Title:
test_backend has an sql specific test in it
Public bug reported:
test_list_users_filtered() in FilterTests in test_backend is incorrectly
named, since it actually tests users, groups and projects.
** Affects: keystone
Importance: Low
Assignee: Henry Nash (henry-nash)
Status: New
** Tags: test-improvement
protection.
** Affects: keystone
Importance: Low
Assignee: Henry Nash (henry-nash)
Status: New
** Changed in: keystone
Importance: Undecided => Low
** Changed in: keystone
Assignee: (unassigned) => Henry Nash (henry-nash)
Public bug reported:
During the setup of the identity driver in identity/core, it stores a
reference to the assignment_api in the driver, although this is never
used. This should be removed.
** Affects: keystone
Importance: Wishlist
Assignee: Henry Nash (henry-nash)
Status
config
options for which driver is used, I don't believe there is a "circular"
dependency. The comment should be corrected and be in the init() method
itself.
** Affects: keystone
Importance: Low
Assignee: Henry Nash (henry-nash)
Status: New
** Description
Public bug reported:
Looks like an update to keystone.common.policy has not been reflected in
our keystone.conf sample, leading to this change being included in other
commits.
** Affects: keystone
Importance: High
Assignee: Henry Nash (henry-nash)
Status: In Progress
fects: keystone
Importance: Undecided
Assignee: Henry Nash (henry-nash)
Status: New
** Description changed:
Trying to delete a grant with an invalid role ID will throw a
RoleNotFound exception. However, the check for this is buried in the
driver...after the time the manager has al
Importance: Wishlist
Assignee: Henry Nash (henry-nash)
Status: New
https://bugs.launchpad.net/bugs/1406721
Title:
RoleNotFound exception not tested for grant APIs
.
** Affects: keystone
Importance: Low
Assignee: Henry Nash (henry-nash)
Status: New
https://bugs.launchpad.net/bugs/1406393
Title:
Doc string info on
This was due to a different side effect, not related to what was described.
** Changed in: keystone
Status: New => Invalid
https://bugs.launchpad.net/bugs/1404276
Titl
Public bug reported:
The /auth/projects API lists the projects a user has access to (i.e. has
any role on). This is sourced from the ldap assignment backend, which
(unlike the case for SQL) does not remove duplicate projects from the
list.
** Affects: keystone
Importance: Undecided
Public bug reported:
The ldap assignment driver really has no support for inherited role
assignments. This was not so bad when we just had domain->project
inheritance (since the ldap backend doesn't support domains anyway!),
but now that we have project->project inheritance, the ldap backend is
s
ave a columns attribute). The check should first ensure the
item we are looking at IS a ForeignKey, and then check the column.
** Affects: keystone
Importance: High
Assignee: Henry Nash (henry-nash)
Status: New
** Changed in: keystone
Assignee: (unassigned) => Henry Nash (he
Public bug reported:
There are a few cases where, for backward compatibility, we honor older
config values to ensure that installations don't break on upgrade
between releases. A good example of this is the 'driver' config setting
from when we split up the original identity manager/backend - as w
Public bug reported:
Currently the assignment sql & ldap drivers to name cleansing on the
project name - this should really be done in the manager to avoid this
duplication.
** Affects: keystone
Importance: Low
Status: New
** Changed in: keystone
Importance: Undecided => Low
--
domains
for which the user has no effective role (a domain inherited role ONLY
applies to the projects within that domain, not to the domain itself).
** Affects: keystone
Importance: High
Assignee: Henry Nash (henry-nash)
Status: New
** Changed in: keystone
Importance
Public bug reported:
The LDAP assignment backend is missing some of the methods used by auth
to handle federation tokens, for instance, at least
get_roles_for_groups().
** Affects: keystone
Importance: Undecided
Status: New
** Description changed:
- The LDAP assignment backend is
roles can
end up in the resulting Keystone token.
The implication is that project scoped tokens would not get any group
roles that should be inherited from the domain.
** Affects: keystone
Importance: High
Assignee: Henry Nash (henry-nash)
Status: New
** Changed in: keystone
_DOMAIN_B_FROM_CUSTOMER = self._scope_request(
self.tokens['CUSTOMER_ASSERTION'], 'domain',
self.domainB['id']
The second statement is a duplicate of the first (formatting aside).
** Affects: keystone
Importance: Low
Assignee: Henry Nas
effective
assignments, we try and make sure we return a distinct list.
** Affects: keystone
Importance: Medium
Assignee: Henry Nash (henry-nash)
Status: New
** Changed in: keystone
Importance: Undecided => Medium
projects -
hence failing to include these projects in the list.
** Affects: keystone
Importance: Medium
Assignee: Henry Nash (henry-nash)
Status: New
https
domains for
which the user has no effective role (a domain inherited role ONLY
applies to the projects within that domain, not to the domain itself).
** Affects: keystone
Importance: Medium
Assignee: Henry Nash (henry-nash)
Status: New
** Summary changed:
- /auth/domains
Public bug reported:
When building the roles in a Keystone token from a saml2 token, we call
assignment_api.get_roles_for_groups() to add in any group roles. This
appears to ignore the inheritance flag on the assignment - and puts in
all group roles whether inherited or not. This means the wron
Yep, agreed - I had already told Tahmina to stop work on it. Marking as
Won't Fix.
** Changed in: keystone
Status: Confirmed => Won't Fix
https://bugs.launchpad.net
Well, with the identity driver set to LDAP there are no user records in
Keystone - the LDAP driver basically retrieves the user list from the
LDAP server directly. So there are "no users to remove without touching
LDAP". As the error message says - you need to go to your LDAP server
to manage use
Public bug reported:
In the 001 migration script of federation, we delete the tables in the
wrong order - we should delete the federation_protocol table first,
otherwise its FKs to the identity provider cause a problem
** Affects: keystone
Importance: Medium
Assignee: Henry Nash (henry
Public bug reported:
The way test_backend uses domains leads to either many of the tests
being overridden in test_backend_ldap, or just skipped (leading to
a risk that we are not sufficiently testing certain functionality - see
bug 1373113 as an example).
There is already a construct for get
Public bug reported:
The make_dirs() method in the utils.py file has a spelling error in the
doc string comments, namely:
Assure the directory exists and optionally set it's ownership
and permissions.
"It's" should be "its"
** Affects: keystone
Importance: Low
Assignee: TAHMIN
Public bug reported:
Some minor spelling mistakes could use correcting, namely:
# Domain3 has a user created before we switched on
# multiple backends, plus one created afterwards - and it's
# backend has not changed - so we should fined two.
Two mistakes in the same bloc
eone subscribes to a callback
notification. This seems overzealous and wasteful of electrons.
We should set the default notification log level to INFO in the
tests/core.py to suppress this.
** Affects: keystone
Importance: Medium
Assignee: Henry Nash (henry-nash)
Status: New
**
no problem...that's good to hear.
** Changed in: keystone
Status: New => Invalid
https://bugs.launchpad.net/bugs/1362678
Title:
multi-domain has problems with LDA
Public bug reported:
There were some minor comments made in the version of the endpoint
policy extension that was merged:
https://review.openstack.org/#/c/115362/15
This should be tidied up.
** Affects: keystone
Importance: Undecided
Status: New
Public bug reported:
It appears that our sql upgrade unit tests are broken for DBs that
properly support FKs (teardown fails due to FK constraints). I suspect
this is because we no longer have the downgrade steps below 034 (since
they were squashed).
** Affects: keystone
Importance: High
Public bug reported:
Somehow a set of badly aligned '}' has got into master in
test_versions.py, which is causing every patch to fail. This fixes it.
** Affects: keystone
Importance: Critical
Assignee: Henry Nash (henry-nash)
Status: In Progress
** Changed in
Public bug reported:
The assignment call list_projects_for_user() is commonly used - not
least every time you issue a scoped token. In a test configuration,
this method was consuming 36% of all keystone clock time. This call
searches the assignments table (which has one row for every assignment)
Public bug reported:
In catalog/core.py, the abstract signature for a number of the update
methods are incorrect and don't match what is actually implemented in
the driver
** Affects: keystone
Importance: Low
Assignee: Henry Nash (henry-nash)
Status: New
** Chang