diff options
author | Lance Bragstad <lbragstad@gmail.com> | 2019-09-12 16:46:26 +0000 |
---|---|---|
committer | Matt Riedemann <mriedem.os@gmail.com> | 2019-10-22 19:15:00 +0000 |
commit | 417d2c0e6e6bef39f447681325ae5b0ba46b2e2c (patch) | |
tree | d0e17b50732c68dc4da81854739abb9ab167a555 | |
parent | 1403a9645d3dca20a681e0ffee3f5ac3a36fe0c6 (diff) | |
download | keystone-417d2c0e6e6bef39f447681325ae5b0ba46b2e2c.tar.gz |
Make system tokens work with domain-specific drivers
When calling certain group or user APIs, keystone logic would attempt
to figure out the domain to scope responses to. This was specific to
enabling domain-specific driver support, where each domain is backed
by a different identity store. This functionality is turned off by
default. Since system-scoped tokens are not associated to a domain
(unlike project-scoped tokens or domain-scoped tokens), the logic to
determine a domain from a system-scoped token was breaking and
returning an erroneous HTTP 401 Unauthorized when system users
attempted to list users or groups.
This commit adds support for domain detection with system-scoped
tokens.
Conflicts:
keystone/server/flask/common.py
This backport has conflicts with keystone/server/flask/common.py due to
a massive refactor to get keystone off python-paste that started in
Rocky and spilled over into Stein. The change is functionally equivalent
to the patch merged to Train but done in keystone/common/controller.py
instead of keystone/server/flask/common.py. There was also some changes
to the test since it didn't have a utility method to obtain a
system-scoped token.
Change-Id: I8f0f7a623a1741f461493d872849fae7ef3e8077
Closes-Bug: 1843609
(cherry picked from commit 8f43b9cab00c86a455b2a9700b434e98b2e9c2d8)
-rw-r--r-- | keystone/common/controller.py | 2 | ||||
-rw-r--r-- | keystone/tests/unit/test_v3_auth.py | 16 | ||||
-rw-r--r-- | releasenotes/notes/bug-1843609-8498b132222596b7.yaml | 9 |
3 files changed, 27 insertions, 0 deletions
diff --git a/keystone/common/controller.py b/keystone/common/controller.py index 2fe1f0672..a29407ef3 100644 --- a/keystone/common/controller.py +++ b/keystone/common/controller.py @@ -544,6 +544,8 @@ class V3Controller(provider_api.ProviderAPIMixin, wsgi.Application): return token.domain_id elif token.project_scoped: return token.project_domain['id'] + elif token.system_scoped: + return else: msg = _('No domain information specified as part of list request') LOG.warning(msg) diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py index d7156953c..9253c8fbf 100644 --- a/keystone/tests/unit/test_v3_auth.py +++ b/keystone/tests/unit/test_v3_auth.py @@ -2395,6 +2395,22 @@ class TokenAPITests(object): allow_expired=True, expected_status=http_client.NOT_FOUND) + def test_system_scoped_token_works_with_domain_specific_drivers(self): + self.config_fixture.config( + group='identity', domain_specific_drivers_enabled=True + ) + + PROVIDERS.assignment_api.create_system_grant_for_user( + self.user['id'], self.role['id'] + ) + + token_id = self.get_system_scoped_token() + headers = {'X-Auth-Token': token_id} + + app = self.loadapp() + with app.test_client() as c: + c.get('/v3/users', headers=headers) + class TokenDataTests(object): """Test the data in specific token types.""" diff --git a/releasenotes/notes/bug-1843609-8498b132222596b7.yaml b/releasenotes/notes/bug-1843609-8498b132222596b7.yaml new file mode 100644 index 000000000..19a140f9d --- /dev/null +++ b/releasenotes/notes/bug-1843609-8498b132222596b7.yaml @@ -0,0 +1,9 @@ +--- +fixes: + - | + [`bug 1843609 <https://bugs.launchpad.net/keystone/+bug/1843609>`] + Fixed an issue where system-scoped tokens couldn't be used to list users + and groups (e.g., GET /v3/users or GET /v3/groups) if ``keystone.conf + [identity] domain_specific_drivers_enabled=True`` and the API would + return an ``HTTP 401 Unauthorized``. These APIs now recognize + system-scoped tokens when using domain-specific drivers. |