Public bug reported: Do the following steps 1) Set up keystone for federation. 2) Generate an unscoped federated token 3) Generate a scoped token using the token from step 2 4) Set up nova/glance to use the keystone v3 API. 5) Try an image list command using the following request
Request GET http://sp.machine:9292/v2/images Headers: Content-Type: application/json Accept: application/json X-Auth-Token: e92a49262a8d403db838d6494e4f9991 6) This will break the auth_token (middleware\auth_token.py) middleware with a KeyError at the following place: user = token['user'] user_domain_id = user['domain']['id'] user_domain_name = user['domain']['name'] in the function _build_user_headers. This is because the token does not contain any domain id or name under the user info, since federated tokens have no information about the user. This can be fixed simply by putting an if condition around the problematic code. I have tested this fix and was then able to get the image list and server list using the glance and nova REST APIs. Example vim "/usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py" 893 if 'domain' in user: 894 user_domain_id = user['domain']['id'] 895 user_domain_name = user['domain']['name'] Note that this guard alone leaves user_domain_id and user_domain_name unassigned for federated tokens, so it presumably relies on both being given a default value earlier in _build_user_headers. Following is the token information; note that there is no domain under "user" { "token": { "methods": [ "saml2" ], "roles": [ { "id": "aad3b40ebb3b442f8fe85e88b21f3b4c", "name": "admin" } ], "expires_at": "2014-07-22T10:15:05.367852Z", "project": { "domain": { "id": "default", "name": "Default" }, "id": "6e99b7d923bc437381fd1b2b4d890339", "name": "admin" }, "catalog": [ { "endpoints": [ { "url": "https://127.0.0.1/keystone/main/v3", "interface": "internal", "region": "regionOne", "id": "f5dad391109542cba959d2e27c5fe3a2" }, { "url": "https://172.20.15.103:8443/keystone/main/v3", "interface": "public", "region": "regionOne", "id": "4f76970e4ab5497d9149d56d455499ac" }, { "url": "https://172.20.15.103:8443/keystone/admin/v3", "interface": "admin", "region": "regionOne", "id": "b85e76ca32f640c4a4d84068c71d3bf2" }, { "url": "https://172.20.15.103:8443/keystone/admin/v2.0", "interface": "admin", "region": "regionOne", "id": "1ae909491d754aeb8c8b8a5c5fa6ad47" }, { "url": "https://127.0.0.1/keystone/main/v2.0", "interface": "internal", "region": "regionOne", 
"id": "daf4ce3876d04285a106d86e0fea9bd1" }, { "url": "https://172.20.15.103:8443/keystone/main/v2.0", "interface": "public", "region": "regionOne", "id": "f763c80100954bc4805cf51b3dddb84b" } ], "type": "identity", "id": "0f79e21861a94fcd84b72cae3ebd79e5" }, { "endpoints": [ { "url": "http://172.20.15.103:9292", "interface": "admin", "region": "RegionOne", "id": "16ffa8cebadd4d239744ea168efcd109" }, { "url": "http://172.20.15.103:9292", "interface": "internal", "region": "RegionOne", "id": "944adaa070f44f21aa8a73fab15f07bb" }, { "url": "http://127.0.0.1:9292", "interface": "public", "region": "RegionOne", "id": "cd945f6a5ee8410bbfe8d3572e23ee5d" } ], "type": "image", "id": "fe5d67da897b4359810d95e2c591fe21" }, { "endpoints": [ { "url": "http://172.20.15.103:8776/v1/6e99b7d923bc437381fd1b2b4d890339", "interface": "admin", "region": "RegionOne", "id": "6d93d29279a6483783298eb67159b5c6" }, { "url": "http://172.20.15.103:8776/v1/6e99b7d923bc437381fd1b2b4d890339", "interface": "internal", "region": "RegionOne", "id": "9416222ad31a411294718b8fe4988daf" }, { "url": "http://127.0.0.1:8776/v1/6e99b7d923bc437381fd1b2b4d890339", "interface": "public", "region": "RegionOne", "id": "4d924ad3cb1a442a929536f90a1612b6" } ], "type": "volume", "id": "55ef917e57a540e9b0353f02dec22512" }, { "endpoints": [ { "url": "http://172.20.15.103:9696", "interface": "admin", "region": "RegionOne", "id": "5fe8a0a8f6624e2cae2e2a8556919c2f" }, { "url": "http://172.20.15.103:9696", "interface": "internal", "region": "RegionOne", "id": "0b9f9b8ce304460689e373c1e2a08c27" }, { "url": "http://127.0.0.1:9696", "interface": "public", "region": "RegionOne", "id": "bcb231d9baab4345b9efed6374fc2a43" } ], "type": "network", "id": "b8aaed7927834fd381f6621e678409c1" }, { "endpoints": [ { "url": "http://172.20.15.103:8774/v2/6e99b7d923bc437381fd1b2b4d890339", "interface": "admin", "region": "RegionOne", "id": "55489ebf6793489289556a590f0c464f" }, { "url": 
"http://172.20.15.103:8774/v2/6e99b7d923bc437381fd1b2b4d890339", "interface": "internal", "region": "RegionOne", "id": "a9da7a6cf58e45be889ac6b88d071ae4" }, { "url": "http://127.0.0.1:8774/v2/6e99b7d923bc437381fd1b2b4d890339", "interface": "public", "region": "RegionOne", "id": "249a8f15a5034cfd956ed0136d62404b" } ], "type": "compute", "id": "ef0ff2f7395f4523b3dd2197f3e243cf" }, { "endpoints": [ { "url": "http://172.20.15.103:8777", "interface": "admin", "region": "RegionOne", "id": "95c930d0d593422092380bea899996b2" }, { "url": "http://172.20.15.103:8777", "interface": "internal", "region": "RegionOne", "id": "2ca7e0515143455eb385b8feb5de9d2d" }, { "url": "http://127.0.0.1:8777", "interface": "public", "region": "RegionOne", "id": "5b86fbfe14914ba9ba3a4ab600717ef7" } ], "type": "metering", "id": "a028437e8c364bb78501bfb46619bd86" } ], "extras": {}, "user": { "id": "admin", "name": "admin" }, "issued_at": "2014-07-22T09:15:05.367875Z" } } ** Affects: keystone Importance: Undecided Status: New ** Description changed: Do the following steps 1) Set up keystone for federation. 2) Generated a unscoped federated token 3) Generate a scoped token using token in step 2 4) Set up nova/glance for using keystone v3 API. 5) Try an image list command using following request Request GET http://sp.machine:9292/v2/images Headers: - Content-Type: application/json - Accept: application/json - X-Auth-Token: e92a49262a8d403db838d6494e4f9991 + Content-Type: application/json + Accept: application/json + X-Auth-Token: e92a49262a8d403db838d6494e4f9991 6) This will break the auth_token(middleware\auth_token.py) middleware with key error at the following place - user = token['user'] - user_domain_id = user['domain']['id'] - user_domain_name = user['domain']['name'] + user = token['user'] + user_domain_id = user['domain']['id'] + user_domain_name = user['domain']['name'] in the function _build_user_headers. 
This is because the token does not contain any domain id or name under the user info, since federated tokens have no information about the user - Following is the token information, not that there is no domain under - users + This can be fixed, simply by putting an if condition around the + problematic code. I have tested this fix and then able to get image list + and server list using glance and nova rest apis. + + Example + vim "/usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py" + + + 893 if 'domain' in user: + 894 user_domain_id = user['domain']['id'] + 895 user_domain_name = user['domain']['name'] + + + Following is the token information, not that there is no domain under users { - "token": { - "methods": [ - "saml2" - ], - "roles": [ - { - "id": "aad3b40ebb3b442f8fe85e88b21f3b4c", - "name": "admin" - } - ], - "expires_at": "2014-07-22T10:15:05.367852Z", - "project": { - "domain": { - "id": "default", - "name": "Default" - }, - "id": "6e99b7d923bc437381fd1b2b4d890339", - "name": "admin" - }, - "catalog": [ - { - "endpoints": [ - { - "url": "https://127.0.0.1/keystone/main/v3", - "interface": "internal", - "region": "regionOne", - "id": "f5dad391109542cba959d2e27c5fe3a2" - }, - { - "url": "https://172.20.15.103:8443/keystone/main/v3", - "interface": "public", - "region": "regionOne", - "id": "4f76970e4ab5497d9149d56d455499ac" - }, - { - "url": "https://172.20.15.103:8443/keystone/admin/v3", - "interface": "admin", - "region": "regionOne", - "id": "b85e76ca32f640c4a4d84068c71d3bf2" - }, - { - "url": "https://172.20.15.103:8443/keystone/admin/v2.0", - "interface": "admin", - "region": "regionOne", - "id": "1ae909491d754aeb8c8b8a5c5fa6ad47" - }, - { - "url": "https://127.0.0.1/keystone/main/v2.0", - "interface": "internal", - "region": "regionOne", - "id": "daf4ce3876d04285a106d86e0fea9bd1" - }, - { - "url": "https://172.20.15.103:8443/keystone/main/v2.0", - "interface": "public", - "region": "regionOne", - "id": 
"f763c80100954bc4805cf51b3dddb84b" - } - ], - "type": "identity", - "id": "0f79e21861a94fcd84b72cae3ebd79e5" - }, - { - "endpoints": [ - { - "url": "http://172.20.15.103:9292", - "interface": "admin", - "region": "RegionOne", - "id": "16ffa8cebadd4d239744ea168efcd109" - }, - { - "url": "http://172.20.15.103:9292", - "interface": "internal", - "region": "RegionOne", - "id": "944adaa070f44f21aa8a73fab15f07bb" - }, - { - "url": "http://127.0.0.1:9292", - "interface": "public", - "region": "RegionOne", - "id": "cd945f6a5ee8410bbfe8d3572e23ee5d" - } - ], - "type": "image", - "id": "fe5d67da897b4359810d95e2c591fe21" - }, - { - "endpoints": [ - { - "url": "http://172.20.15.103:8776/v1/6e99b7d923bc437381fd1b2b4d890339", - "interface": "admin", - "region": "RegionOne", - "id": "6d93d29279a6483783298eb67159b5c6" - }, - { - "url": "http://172.20.15.103:8776/v1/6e99b7d923bc437381fd1b2b4d890339", - "interface": "internal", - "region": "RegionOne", - "id": "9416222ad31a411294718b8fe4988daf" - }, - { - "url": "http://127.0.0.1:8776/v1/6e99b7d923bc437381fd1b2b4d890339", - "interface": "public", - "region": "RegionOne", - "id": "4d924ad3cb1a442a929536f90a1612b6" - } - ], - "type": "volume", - "id": "55ef917e57a540e9b0353f02dec22512" - }, - { - "endpoints": [ - { - "url": "http://172.20.15.103:9696", - "interface": "admin", - "region": "RegionOne", - "id": "5fe8a0a8f6624e2cae2e2a8556919c2f" - }, - { - "url": "http://172.20.15.103:9696", - "interface": "internal", - "region": "RegionOne", - "id": "0b9f9b8ce304460689e373c1e2a08c27" - }, - { - "url": "http://127.0.0.1:9696", - "interface": "public", - "region": "RegionOne", - "id": "bcb231d9baab4345b9efed6374fc2a43" - } - ], - "type": "network", - "id": "b8aaed7927834fd381f6621e678409c1" - }, - { - "endpoints": [ - { - "url": "http://172.20.15.103:8774/v2/6e99b7d923bc437381fd1b2b4d890339", - "interface": "admin", - "region": "RegionOne", - "id": "55489ebf6793489289556a590f0c464f" - }, - { - "url": 
"http://172.20.15.103:8774/v2/6e99b7d923bc437381fd1b2b4d890339", - "interface": "internal", - "region": "RegionOne", - "id": "a9da7a6cf58e45be889ac6b88d071ae4" - }, - { - "url": "http://127.0.0.1:8774/v2/6e99b7d923bc437381fd1b2b4d890339", - "interface": "public", - "region": "RegionOne", - "id": "249a8f15a5034cfd956ed0136d62404b" - } - ], - "type": "compute", - "id": "ef0ff2f7395f4523b3dd2197f3e243cf" - }, - { - "endpoints": [ - { - "url": "http://172.20.15.103:8777", - "interface": "admin", - "region": "RegionOne", - "id": "95c930d0d593422092380bea899996b2" - }, - { - "url": "http://172.20.15.103:8777", - "interface": "internal", - "region": "RegionOne", - "id": "2ca7e0515143455eb385b8feb5de9d2d" - }, - { - "url": "http://127.0.0.1:8777", - "interface": "public", - "region": "RegionOne", - "id": "5b86fbfe14914ba9ba3a4ab600717ef7" - } - ], - "type": "metering", - "id": "a028437e8c364bb78501bfb46619bd86" - } - ], - "extras": {}, - "user": { - "id": "admin", - "name": "admin" - }, - "issued_at": "2014-07-22T09:15:05.367875Z" - } + "token": { + "methods": [ + "saml2" + ], + "roles": [ + { + "id": "aad3b40ebb3b442f8fe85e88b21f3b4c", + "name": "admin" + } + ], + "expires_at": "2014-07-22T10:15:05.367852Z", + "project": { + "domain": { + "id": "default", + "name": "Default" + }, + "id": "6e99b7d923bc437381fd1b2b4d890339", + "name": "admin" + }, + "catalog": [ + { + "endpoints": [ + { + "url": "https://127.0.0.1/keystone/main/v3", + "interface": "internal", + "region": "regionOne", + "id": "f5dad391109542cba959d2e27c5fe3a2" + }, + { + "url": "https://172.20.15.103:8443/keystone/main/v3", + "interface": "public", + "region": "regionOne", + "id": "4f76970e4ab5497d9149d56d455499ac" + }, + { + "url": "https://172.20.15.103:8443/keystone/admin/v3", + "interface": "admin", + "region": "regionOne", + "id": "b85e76ca32f640c4a4d84068c71d3bf2" + }, + { + "url": "https://172.20.15.103:8443/keystone/admin/v2.0", + "interface": "admin", + "region": "regionOne", + "id": 
"1ae909491d754aeb8c8b8a5c5fa6ad47" + }, + { + "url": "https://127.0.0.1/keystone/main/v2.0", + "interface": "internal", + "region": "regionOne", + "id": "daf4ce3876d04285a106d86e0fea9bd1" + }, + { + "url": "https://172.20.15.103:8443/keystone/main/v2.0", + "interface": "public", + "region": "regionOne", + "id": "f763c80100954bc4805cf51b3dddb84b" + } + ], + "type": "identity", + "id": "0f79e21861a94fcd84b72cae3ebd79e5" + }, + { + "endpoints": [ + { + "url": "http://172.20.15.103:9292", + "interface": "admin", + "region": "RegionOne", + "id": "16ffa8cebadd4d239744ea168efcd109" + }, + { + "url": "http://172.20.15.103:9292", + "interface": "internal", + "region": "RegionOne", + "id": "944adaa070f44f21aa8a73fab15f07bb" + }, + { + "url": "http://127.0.0.1:9292", + "interface": "public", + "region": "RegionOne", + "id": "cd945f6a5ee8410bbfe8d3572e23ee5d" + } + ], + "type": "image", + "id": "fe5d67da897b4359810d95e2c591fe21" + }, + { + "endpoints": [ + { + "url": "http://172.20.15.103:8776/v1/6e99b7d923bc437381fd1b2b4d890339", + "interface": "admin", + "region": "RegionOne", + "id": "6d93d29279a6483783298eb67159b5c6" + }, + { + "url": "http://172.20.15.103:8776/v1/6e99b7d923bc437381fd1b2b4d890339", + "interface": "internal", + "region": "RegionOne", + "id": "9416222ad31a411294718b8fe4988daf" + }, + { + "url": "http://127.0.0.1:8776/v1/6e99b7d923bc437381fd1b2b4d890339", + "interface": "public", + "region": "RegionOne", + "id": "4d924ad3cb1a442a929536f90a1612b6" + } + ], + "type": "volume", + "id": "55ef917e57a540e9b0353f02dec22512" + }, + { + "endpoints": [ + { + "url": "http://172.20.15.103:9696", + "interface": "admin", + "region": "RegionOne", + "id": "5fe8a0a8f6624e2cae2e2a8556919c2f" + }, + { + "url": "http://172.20.15.103:9696", + "interface": "internal", + "region": "RegionOne", + "id": "0b9f9b8ce304460689e373c1e2a08c27" + }, + { + "url": "http://127.0.0.1:9696", + "interface": "public", + "region": "RegionOne", + "id": "bcb231d9baab4345b9efed6374fc2a43" + } + ], + 
"type": "network", + "id": "b8aaed7927834fd381f6621e678409c1" + }, + { + "endpoints": [ + { + "url": "http://172.20.15.103:8774/v2/6e99b7d923bc437381fd1b2b4d890339", + "interface": "admin", + "region": "RegionOne", + "id": "55489ebf6793489289556a590f0c464f" + }, + { + "url": "http://172.20.15.103:8774/v2/6e99b7d923bc437381fd1b2b4d890339", + "interface": "internal", + "region": "RegionOne", + "id": "a9da7a6cf58e45be889ac6b88d071ae4" + }, + { + "url": "http://127.0.0.1:8774/v2/6e99b7d923bc437381fd1b2b4d890339", + "interface": "public", + "region": "RegionOne", + "id": "249a8f15a5034cfd956ed0136d62404b" + } + ], + "type": "compute", + "id": "ef0ff2f7395f4523b3dd2197f3e243cf" + }, + { + "endpoints": [ + { + "url": "http://172.20.15.103:8777", + "interface": "admin", + "region": "RegionOne", + "id": "95c930d0d593422092380bea899996b2" + }, + { + "url": "http://172.20.15.103:8777", + "interface": "internal", + "region": "RegionOne", + "id": "2ca7e0515143455eb385b8feb5de9d2d" + }, + { + "url": "http://127.0.0.1:8777", + "interface": "public", + "region": "RegionOne", + "id": "5b86fbfe14914ba9ba3a4ab600717ef7" + } + ], + "type": "metering", + "id": "a028437e8c364bb78501bfb46619bd86" + } + ], + "extras": {}, + "user": { + "id": "admin", + "name": "admin" + }, + "issued_at": "2014-07-22T09:15:05.367875Z" + } } -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1346820 Title: Middeware auth_token fails with scoped federated saml token Status in OpenStack Identity (Keystone): New Bug description: Do the following steps 1) Set up keystone for federation. 2) Generated a unscoped federated token 3) Generate a scoped token using token in step 2 4) Set up nova/glance for using keystone v3 API. 
5) Try an image list command using the following request Request GET http://sp.machine:9292/v2/images Headers: Content-Type: application/json Accept: application/json X-Auth-Token: e92a49262a8d403db838d6494e4f9991 6) This will break the auth_token (middleware\auth_token.py) middleware with a KeyError at the following place: user = token['user'] user_domain_id = user['domain']['id'] user_domain_name = user['domain']['name'] in the function _build_user_headers. This is because the token does not contain any domain id or name under the user info, since federated tokens have no information about the user. This can be fixed simply by putting an if condition around the problematic code. I have tested this fix and was then able to get the image list and server list using the glance and nova REST APIs. Example vim "/usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py" 893 if 'domain' in user: 894 user_domain_id = user['domain']['id'] 895 user_domain_name = user['domain']['name'] Following is the token information; note that there is no domain under "user" { "token": { "methods": [ "saml2" ], "roles": [ { "id": "aad3b40ebb3b442f8fe85e88b21f3b4c", "name": "admin" } ], "expires_at": "2014-07-22T10:15:05.367852Z", "project": { "domain": { "id": "default", "name": "Default" }, "id": "6e99b7d923bc437381fd1b2b4d890339", "name": "admin" }, "catalog": [ { "endpoints": [ { "url": "https://127.0.0.1/keystone/main/v3", "interface": "internal", "region": "regionOne", "id": "f5dad391109542cba959d2e27c5fe3a2" }, { "url": "https://172.20.15.103:8443/keystone/main/v3", "interface": "public", "region": "regionOne", "id": "4f76970e4ab5497d9149d56d455499ac" }, { "url": "https://172.20.15.103:8443/keystone/admin/v3", "interface": "admin", "region": "regionOne", "id": "b85e76ca32f640c4a4d84068c71d3bf2" }, { "url": "https://172.20.15.103:8443/keystone/admin/v2.0", "interface": "admin", "region": "regionOne", "id": "1ae909491d754aeb8c8b8a5c5fa6ad47" }, { "url": 
"https://127.0.0.1/keystone/main/v2.0", "interface": "internal", "region": "regionOne", "id": "daf4ce3876d04285a106d86e0fea9bd1" }, { "url": "https://172.20.15.103:8443/keystone/main/v2.0", "interface": "public", "region": "regionOne", "id": "f763c80100954bc4805cf51b3dddb84b" } ], "type": "identity", "id": "0f79e21861a94fcd84b72cae3ebd79e5" }, { "endpoints": [ { "url": "http://172.20.15.103:9292", "interface": "admin", "region": "RegionOne", "id": "16ffa8cebadd4d239744ea168efcd109" }, { "url": "http://172.20.15.103:9292", "interface": "internal", "region": "RegionOne", "id": "944adaa070f44f21aa8a73fab15f07bb" }, { "url": "http://127.0.0.1:9292", "interface": "public", "region": "RegionOne", "id": "cd945f6a5ee8410bbfe8d3572e23ee5d" } ], "type": "image", "id": "fe5d67da897b4359810d95e2c591fe21" }, { "endpoints": [ { "url": "http://172.20.15.103:8776/v1/6e99b7d923bc437381fd1b2b4d890339", "interface": "admin", "region": "RegionOne", "id": "6d93d29279a6483783298eb67159b5c6" }, { "url": "http://172.20.15.103:8776/v1/6e99b7d923bc437381fd1b2b4d890339", "interface": "internal", "region": "RegionOne", "id": "9416222ad31a411294718b8fe4988daf" }, { "url": "http://127.0.0.1:8776/v1/6e99b7d923bc437381fd1b2b4d890339", "interface": "public", "region": "RegionOne", "id": "4d924ad3cb1a442a929536f90a1612b6" } ], "type": "volume", "id": "55ef917e57a540e9b0353f02dec22512" }, { "endpoints": [ { "url": "http://172.20.15.103:9696", "interface": "admin", "region": "RegionOne", "id": "5fe8a0a8f6624e2cae2e2a8556919c2f" }, { "url": "http://172.20.15.103:9696", "interface": "internal", "region": "RegionOne", "id": "0b9f9b8ce304460689e373c1e2a08c27" }, { "url": "http://127.0.0.1:9696", "interface": "public", "region": "RegionOne", "id": "bcb231d9baab4345b9efed6374fc2a43" } ], "type": "network", "id": "b8aaed7927834fd381f6621e678409c1" }, { "endpoints": [ { "url": "http://172.20.15.103:8774/v2/6e99b7d923bc437381fd1b2b4d890339", "interface": "admin", "region": "RegionOne", "id": 
"55489ebf6793489289556a590f0c464f" }, { "url": "http://172.20.15.103:8774/v2/6e99b7d923bc437381fd1b2b4d890339", "interface": "internal", "region": "RegionOne", "id": "a9da7a6cf58e45be889ac6b88d071ae4" }, { "url": "http://127.0.0.1:8774/v2/6e99b7d923bc437381fd1b2b4d890339", "interface": "public", "region": "RegionOne", "id": "249a8f15a5034cfd956ed0136d62404b" } ], "type": "compute", "id": "ef0ff2f7395f4523b3dd2197f3e243cf" }, { "endpoints": [ { "url": "http://172.20.15.103:8777", "interface": "admin", "region": "RegionOne", "id": "95c930d0d593422092380bea899996b2" }, { "url": "http://172.20.15.103:8777", "interface": "internal", "region": "RegionOne", "id": "2ca7e0515143455eb385b8feb5de9d2d" }, { "url": "http://127.0.0.1:8777", "interface": "public", "region": "RegionOne", "id": "5b86fbfe14914ba9ba3a4ab600717ef7" } ], "type": "metering", "id": "a028437e8c364bb78501bfb46619bd86" } ], "extras": {}, "user": { "id": "admin", "name": "admin" }, "issued_at": "2014-07-22T09:15:05.367875Z" } } To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1346820/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp