Public bug reported:

The keystone.common.controller._get_domain_id_for_list_request comment
says the below:
        """Get the domain_id for a v3 list call.

        If we running with multiple domain drivers, then the caller must
        specify a domain_id either as a filter or as part of the token scope.

        """

But instead of pulling the domain information from the token scope
(the "or" in that statement), keystone fails with an HTTP 401 if
you don't explicitly indicate the domain with the domain_id query
parameter, as shown with the following commands:

[root@mysystem ~]# curl -k -i -X GET https://127.0.0.1:5000/v3/groups -H "Accept: application/json" -H "X-Auth-Token: 7f9254f016784efdb3b1e6fa8bc5e4f7"
HTTP/1.1 401 Unauthorized
content-length: 114
vary: X-Auth-Token
server: Apache/2.4.6 (Red Hat) OpenSSL/1.0.1e-fips mod_wsgi/3.4 Python/2.7.5
date: Wed, 11 Mar 2015 20:50:31 GMT
content-type: application/json
www-authenticate: Keystone uri="https://ip9-114-226-167.pok.stglabs.ibm.com:5000";

{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

[root@mysystem ~]# curl -k -X GET https://127.0.0.1:5000/v3/auth/tokens -H "Accept: application/json" -H "X-Auth-Token: 7f9254f016784efdb3b1e6fa8bc5e4f7" -H "X-Subject-Token: 7f9254f016784efdb3b1e6fa8bc5e4f7" | python -mjson.tool
{
    "token": {
...
        "user": {
            "domain": {
                "id": "default",
                "name": "Default"
            },
            "id": "0688b01e6439ca32d698d20789d52169126fb41fb1a4ddafcebb97d854e836c9",
            "name": "root"
        }
    }
}


[root@mysystem ~]# curl -k -i -X GET https://127.0.0.1:5000/v3/groups?domain_id=default -H "Accept: application/json" -H "X-Auth-Token: 7f9254f016784efdb3b1e6fa8bc5e4f7"
HTTP/1.1 200 OK
...

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1431015

Title:
  v3/users or groups calls not working without domain_id

Status in OpenStack Identity (Keystone):
  New
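
The resolution order the quoted docstring describes, as an added Python example (not Keystone's code and not part of the bug report): a domain_id filter wins, otherwise the domain comes from the token's scope. The function names, the Unauthorized class, the sample tokens and the choice to use a project-scoped token's owning domain are assumptions.

```python
class Unauthorized(Exception):
    """Stand-in for the HTTP 401 in the report (hypothetical name)."""


def scope_domain_id(token):
    """Return the domain a v3 token body is scoped to, or None if unscoped."""
    body = token.get("token", {})
    if "domain" in body:       # domain-scoped token
        return body["domain"]["id"]
    if "project" in body:      # project-scoped: use the project's owning domain
        return body["project"]["domain"]["id"]
    return None                # token.user.domain is identity, not scope


def domain_id_for_list_request(query, token, multiple_domain_drivers=True):
    """Resolve the domain for a list call: explicit filter, then token scope."""
    if not multiple_domain_drivers:
        return None            # single backend: no domain has to be chosen
    if query.get("domain_id"):
        return query["domain_id"]
    scoped = scope_domain_id(token)
    if scoped is None:
        raise Unauthorized("no domain_id filter and the token carries no scope")
    return scoped


# Constructed token bodies for illustration; ids and names are made up.
USER = {"id": "u1", "name": "root", "domain": {"id": "default", "name": "Default"}}
UNSCOPED = {"token": {"user": USER}}
DOMAIN_SCOPED = {"token": {"user": USER, "domain": {"id": "default", "name": "Default"}}}
PROJECT_SCOPED = {"token": {"user": USER, "project": {
    "id": "p1", "name": "demo", "domain": {"id": "d2", "name": "Other"}}}}

if __name__ == "__main__":
    for label, tok in (("domain-scoped", DOMAIN_SCOPED), ("project-scoped", PROJECT_SCOPED)):
        print(label, "->", domain_id_for_list_request({}, tok))
    try:
        domain_id_for_list_request({}, UNSCOPED)
    except Unauthorized as exc:
        print("unscoped ->", exc)
```

In a v3 token body the scope is the top-level "domain" or "project" object; the "user.domain" field only records where the user is defined.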
