author | Zuul <zuul@review.opendev.org> | 2019-10-22 20:17:37 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2019-10-22 20:17:37 +0000 |
commit | 32dbadd49b1286bba20d0fdc5bccac81b25f10a1 (patch) | |
tree | 166b7c15cedfee36a2be6dfa1b5fbbb00bdf4922 | |
parent | 1efa20fc36b24ae2f56ec4187115bf5e75bee32d (diff) | |
parent | e9612a672b88867e8df82d443a5ca08b1343a411 (diff) | |
download | keystone-32dbadd49b1286bba20d0fdc5bccac81b25f10a1.tar.gz |
Merge "Make system tokens work with domain-specific drivers" into stable/stein
-rw-r--r-- | keystone/server/flask/common.py | 2 | ||||
-rw-r--r-- | keystone/tests/unit/test_v3_auth.py | 16 | ||||
-rw-r--r-- | releasenotes/notes/bug-1843609-8498b132222596b7.yaml | 9 |
3 files changed, 27 insertions, 0 deletions
diff --git a/keystone/server/flask/common.py b/keystone/server/flask/common.py
index 7a7b1d43f..fbb16ba87 100644
--- a/keystone/server/flask/common.py
+++ b/keystone/server/flask/common.py
@@ -929,6 +929,8 @@ class ResourceBase(flask_restful.Resource):
 return token_ref.domain_id
 elif token_ref.project_scoped:
 return token_ref.project_domain['id']
+ elif token_ref.system_scoped:
+ return
 else:
 msg = 'No domain information specified as part of list request'
 tr_msg = _('No domain information specified as part of list '
diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py
index f057a3535..1f4b764a5 100644
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@@ -2612,6 +2612,22 @@ class TokenAPITests(object):
 allow_expired=True,
 expected_status=http_client.NOT_FOUND)
+ def test_system_scoped_token_works_with_domain_specific_drivers(self):
+ self.config_fixture.config(
+ group='identity', domain_specific_drivers_enabled=True
+ )
+
+ PROVIDERS.assignment_api.create_system_grant_for_user(
+ self.user['id'], self.role['id']
+ )
+
+ token_id = self.get_system_scoped_token()
+ headers = {'X-Auth-Token': token_id}
+
+ app = self.loadapp()
+ with app.test_client() as c:
+ c.get('/v3/users', headers=headers)
+
 class TokenDataTests(object):
 """Test the data in specific token types."""
diff --git a/releasenotes/notes/bug-1843609-8498b132222596b7.yaml b/releasenotes/notes/bug-1843609-8498b132222596b7.yaml
new file mode 100644
index 000000000..19a140f9d
--- /dev/null
+++ b/releasenotes/notes/bug-1843609-8498b132222596b7.yaml
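Review bot: The new `elif token_ref.system_scoped:` branch in keystone/server/flask/common.py ends in a bare `return`, so this helper now hands callers an implicit `None` where every other visible branch returns a domain ID or falls through to the "No domain information specified" error path. Writing it as `return None` with a comment such as `# System-scoped tokens are not bound to a domain; None means no domain filter is applied to the list request.` would make the widened scope explicit. The callers are outside the hunk, so it is worth confirming that each one treats `None` as "all domains" on purpose and that the list policy, rather than the domain filter, is what limits access for system-scoped tokens. The enclosing method starts and ends outside this hunk.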
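Review bot: The new test in keystone/tests/unit/test_v3_auth.py calls `c.get('/v3/users', headers=headers)` and discards the response, so the 401 regression it targets is caught only if the test client itself enforces a default success status, which is not visible in this hunk. Capturing the response and asserting on it, e.g. `r = c.get('/v3/users', headers=headers)` followed by `self.assertEqual(http_client.OK, r.status_code)`, would pin the behaviour regardless of client defaults. The release note in this commit also names `GET /v3/groups`, so a matching `c.get('/v3/groups', headers=headers)` would cover the second endpoint the fix claims.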
@@ -0,0 +1,9 @@
+---
+fixes:
+ - |
+ [`bug 1843609 <https://bugs.launchpad.net/keystone/+bug/1843609>`]
+ Fixed an issue where system-scoped tokens couldn't be used to list users
+ and groups (e.g., GET /v3/users or GET /v3/groups) if ``keystone.conf
+ [identity] domain_specific_drivers_enabled=True`` and the API would
+ return an ``HTTP 401 Unauthorized``. These APIs now recognize
+ system-scoped tokens when using domain-specific drivers. |