diff options
author | Lance Bragstad <lbragstad@gmail.com> | 2019-09-12 16:46:26 +0000 |
---|---|---|
committer | Colleen Murphy <colleen.murphy@suse.de> | 2019-10-22 16:56:09 -0700 |
commit | 65cb669e78521ad9012cba16f3071d741b8672c5 (patch) | |
tree | d46ae42fb4d64388f5c96e6fe8fcebbb589f8a2f | |
parent | d57733f4e8849331935951e8a6c3f93d755fea3e (diff) | |
download | keystone-65cb669e78521ad9012cba16f3071d741b8672c5.tar.gz |
Make system tokens work with domain-specific drivers13.0.3
When calling certain group or user APIs, keystone logic would attempt
to figure out the domain to scope responses to. This was specific to
enabling domain-specific driver support, where each domain is backed
by a different identity store. This functionality is turned off by
default. Since system-scoped tokens are not associated to a domain
(unlike project-scoped tokens or domain-scoped tokens), the logic to
determine a domain from a system-scoped token was breaking and
returning an erroneous HTTP 401 Unauthorized when system users
attempted to list users or groups.
This commit adds support for domain detection with system-scoped
tokens.
Conflicts:
keystone/server/flask/common.py
This backport has conflicts with keystone/server/flask/common.py due to
the ``token_ref`` variable being renamed to ``token``. This conflict is
resolved by continuing to use the old name, but the change is
functionally equivalent to what was proposed to all other branches.
This backport modifies the unit test to use the pre-flask-compatible
self.admin_request method instead of flask's test_client() context
manager.
Change-Id: I8f0f7a623a1741f461493d872849fae7ef3e8077
Closes-Bug: 1843609
(cherry picked from commit 8f43b9cab00c86a455b2a9700b434e98b2e9c2d8)
(cherry picked from commit 417d2c0e6e6bef39f447681325ae5b0ba46b2e2c)
-rw-r--r-- | keystone/common/controller.py | 2 | ||||
-rw-r--r-- | keystone/tests/unit/test_v3_auth.py | 12 | ||||
-rw-r--r-- | releasenotes/notes/bug-1843609-8498b132222596b7.yaml | 9 |
3 files changed, 23 insertions, 0 deletions
diff --git a/keystone/common/controller.py b/keystone/common/controller.py index 985c7ac79..204a23283 100644 --- a/keystone/common/controller.py +++ b/keystone/common/controller.py @@ -505,6 +505,8 @@ class V3Controller(provider_api.ProviderAPIMixin, wsgi.Application): return token_ref.domain_id elif token_ref.project_scoped: return token_ref.project_domain_id + elif token_ref.system_scoped: + return else: msg = _('No domain information specified as part of list request') LOG.warning(msg) diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py index be2cb1b15..f1c09cae9 100644 --- a/keystone/tests/unit/test_v3_auth.py +++ b/keystone/tests/unit/test_v3_auth.py @@ -2440,6 +2440,18 @@ class TokenAPITests(object): allow_expired=True, expected_status=http_client.NOT_FOUND) + def test_system_scoped_token_works_with_domain_specific_drivers(self): + self.config_fixture.config( + group='identity', domain_specific_drivers_enabled=True + ) + + PROVIDERS.assignment_api.create_system_grant_for_user( + self.user['id'], self.role['id'] + ) + + token_id = self.get_system_scoped_token() + self.admin_request(method='GET', path='/v3/users', token=token_id) + class TokenDataTests(object): """Test the data in specific token types.""" diff --git a/releasenotes/notes/bug-1843609-8498b132222596b7.yaml b/releasenotes/notes/bug-1843609-8498b132222596b7.yaml new file mode 100644 index 000000000..19a140f9d --- /dev/null +++ b/releasenotes/notes/bug-1843609-8498b132222596b7.yaml @@ -0,0 +1,9 @@ +--- +fixes: + - | + [`bug 1843609 <https://bugs.launchpad.net/keystone/+bug/1843609>`] + Fixed an issue where system-scoped tokens couldn't be used to list users + and groups (e.g., GET /v3/users or GET /v3/groups) if ``keystone.conf + [identity] domain_specific_drivers_enabled=True`` and the API would + return an ``HTTP 401 Unauthorized``. These APIs now recognize + system-scoped tokens when using domain-specific drivers. |