[Yahoo-eng-team] [Bug 1493126] Re: openstack group create fails while using admin token

Sat, 19 Sep 2015 13:01:55 -0700 

I do not consider this a bug.  We state that you must either explicitly
supply the domain_id of a group in the entity passed to the create call
OR use a domain scoped token.  Since the ADMIN token is not a domain
scoped token, you must provide it in the entity itself (which, to be
honest, should be the recommended way of doing it anyway).

** Changed in: keystone
       Status: In Progress => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1493126

Title:
  openstack group create fails while using admin token

Status in Keystone:
  Invalid

Bug description:
  While using --os-token=ADMIN_TOKEN rather then admin user credentials
  fails with error message:

  $ openstack --os-token=<ADMIN_TOKEN> group create "qwerty"
  ERROR: openstack The request you have made requires authentication. (Disable 
debug mode to suppress these details.) (HTTP 401) (Request-ID: req-8b45e<...>)

  OS_USERNAME and OS_PASSWORD are set to ""

  Keystone log contains:

  2015-09-07 19:30:50.514850 14499 DEBUG keystone.middleware.core [-] RBAC: 
auth_context: {} process_request 
/opt/stack/keystone/keystone/middleware/core.py:209
  2015-09-07 19:30:50.533697 14499 INFO keystone.common.wsgi [-] POST 
http://172.16.51.28:5000/v3/groups
  2015-09-07 19:30:50.536504 14499 WARNING keystone.common.controller [-] RBAC: 
Bypassing authorization
  2015-09-07 19:30:50.539266 14499 WARNING keystone.common.utils [-] Couldn't 
find the auth context.
  2015-09-07 19:30:50.547398 14499 WARNING keystone.common.wsgi [-] 
Authorization failed. The request you have made requires authentication. 
(Disable debug mode to suppress these details.) (Disable debug mode to suppress 
these details.) from <IP>

  Using admin credentials works fine.

  ---------------
  Investigation gave me that the root cause of this is that during group 
creation [0] the token information is being extracted from context [1] which is 
{empty} for request authenticated using ADMIN_TOKEN [2]

  [0] 
https://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L300
  [1] 
https://github.com/openstack/keystone/blob/master/keystone/common/utils.py#L523-L525
  [2] 
https://github.com/openstack/keystone/blob/master/keystone/middleware/core.py#L72

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1493126/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to