Public bug reported:
When performing WebSSO authentication (i.e. openid connect), if multiple
identity providers exist, regardless of protocol and mapping association,
Keystone will yield the following error.
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR
keystone.se
Public bug reported:
Currently, there are a number of places in Ironic that do endpoint lookup from
the Keystone service catalog. By default, keystoneauth sets it to 'public' if
not specified.
Description
===
We are supposed to be able to select the endpoint type by specifying either the
'i
Public bug reported:
Service-service policies for credential APIs are broken in stable/rocky.
More specifically, Get/Update/Delete no longer works with the following
policies.
"identity:get_credential": "rule:admin_required or
user_id:%(target.credential.user_id)s"
"identity:update_credential":
Public bug reported:
Using an ephemeral user mapping for X.509 tokenless auth, the Keystone
service will return an HTTP 500 internal error and we'll see a
traceback similar to this in the logs.
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR
keystone.common.wsgi Traceb
Public bug reported:
One of the most useful features of X.509 tokenless is to enable services
to validate user tokens without having to obtain a service auth token.
However, with the migration to system scope, this feature is effectively
broken as the default policies had been updated to require a
Public bug reported:
NOTE: This bug impacts stable/rocky and possibly stable/queens release.
Master branch is not impacted.
The "RULE_ADMIN_OR_TARGET_DOMAIN" which protects the "get_domain" API
no longer works in stable/rocky.
https://github.com/openstack/keystone/blob/stable/rocky/keystone/co
Public bug reported:
Looks like the description for domain re-enable is incorrect.
https://developer.openstack.org/api-ref/identity/v3/?expanded=update-
domain-detail#domains
"Users can only authorize against an enabled domain (and any of its
projects). In addition, users can only authenticate i
Public bug reported:
When assigning both prior role and implied role in the implied role
chain (that is more than two levels deep) to a given user for a given
project, you'll see a rather confusing and misleading error in the
Keystone log that looks like this.
Nov 16 11:50:03 keystone devstack@ke
Public bug reported:
Description
===
When configuring Ironic to boot from volume, 'openstack baremetal node validate
$NODE_UUID' still fails with something like "Cannot validate image information
for node 6977c516-976d-456b-9d71-daa56f589302 because one or more parameters
are missing from
Public bug reported:
Description
===
Not sure if this is a bug or by design. But in any case, we need to clarify how
the volume connectors are created when booting from volume. According to the doc
(https://docs.openstack.org/ironic/pike/admin/boot-from-volume.html), we need
to create an i
Public bug reported:
With the UUID token provider and WebSSO enabled, a token obtained via
WebSSO cannot be validated in Keystone. In the Keystone log,
you'll see something similar to these.
46386 (keystone.token.providers.common): 2018-03-23 20:24:09,581 DEBUG common
_populate_roles User
Public bug reported:
Steps to reproduce:
1. clone devstack, latest branch
2. Create a local.conf with these lines at the end
disable_all_services
enable_plugin keystone git://git.openstack.org/openstack/keystone.git
enable_service rabbitmq, mysql, keystone, keystone-saml2-federation
This shoul
Public bug reported:
Keystone log is also unhelpful. All we got is
"ERROR idp _sign_assertion Error when signing assertion, reason: [Errno
2] No such file or directory"
When the xmlsec1 package is absent.
We may need to add a check here
https://github.com/openstack/keystone/blob/master/keyston
Public bug reported:
Attempting to delete a domain which contains users and projects may
yield an UnexpectedError similar to this
Sep 21 19:37:17 vagrant-openSUSE-Leap devstack@keystone.service[23894]: DEBUG
keystone.common.sql.core [None req-707ec264-b10c-4079-94bb-2af01db58aab None
None] Con
Public bug reported:
Occasionally an API (i.e. DELETE /v3/domains/) receives an
HTTP 500 response. However, all we got from keystone log is this
2017-09-12 23:20:37.995 7321 WARNING keystone.common.wsgi
[req-e1060272-c8b8-4d51-94f5-98b2b4d84a43
960c1d5dba8847cfbde96764ee7747bb - default default -
I also ran into this exact same issue. We have mysql as the backend. And
the datetime type is not timezone aware. Neither "--verbose" nor "--
debug" is effective for the online_data_migrations command as they are
not being taken into consideration. I ended up manually printing out the
traceback by
Public bug reported:
It should've been either 400 or 404. Steps to reproduce.
1. install a vanilla devstack
2. use "openstack group list" to find a group ID. Any group will do. i.e.
openstack group list
+--+---+
| ID | Name
Public bug reported:
Creating a new role using V2 APIs no longer allows spaces in the role
description. Looks like it was broken since the introduction of JSON
schema. See
https://github.com/openstack/keystone/blob/master/keystone/assignment/schema.py#L20
Instead of parameter_types.id_string. It
Public bug reported:
Description
===
With the move to Castellan, Nova's key manager configuration is no longer
backward compatible. Furthermore, it looks like it hasn't been tested with the
grenade gate either. Otherwise, it would've easily broken theory #1: New code
should work with old config
Public bug reported:
Description
===
Ephemeral storage encryption is broken because of an interface mismatch. The
default key manager (Castellan with Barbican)'s create_key() interface requires
at least 4 arguments. See
https://github.com/openstack/castellan/blob/0.4.0/castellan/key_manage
Public bug reported:
094_add_federated_user_table.py fails the functional test if the default db
engine is MyISAM for MySQL. We need to follow the established pattern of
adding the following
mysql_engine='InnoDB',
mysql_charset='utf8'
to the script during table creation.
Here's an example of one o
Public bug reported:
With policy.v3cloudsample.json, the domain admin of a domain is unable to
set up a prior domain-specific role to imply another domain-specific role
in the same domain. Per design, this is allowed.
To reproduce.
1. Create "DomainA"
2. Create domain user "foo" in "DomainA"
3. Make
Public bug reported:
Domain-specific roles are visible in their owning domains only.
Therefore, assigning a domain-specific role in a domain to users for a
project in another domain should be prohibited.
To reproduce:
1. create a domain-specific "foo_domain_role" in the "foo" domain.
2. create a
Public bug reported:
By design, domain-specific roles are visible within their owning domains
only. In other words, a domain-specific role in domain "foo" should not be
able to imply a domain-specific role from domain "bar".
To reproduce:
1. create a domain-specific role "foo_domain_role" in domai
Public bug reported:
Global roles should only be able to imply other global roles; they should
not be able to imply domain-specific roles. Domain-specific role
visibility should be limited to the owning domain only.
To reproduce:
1. create a domain-specific role "foo_domain_role" in domain "foo".
Public bug reported:
Per spec, if a user's default_project_id is invalid (i.e. either it is
bogus, disabled, or the user has no roles assigned on it), it should be
ignored at token request. In other words, it should result in an unscoped
token.
With the domain-is-project changes recently, if you acciden
Public bug reported:
For Federation, the identity is validated outside of Keystone and its
attributes are conveyed in the request environment. One of them is
REMOTE_USER. If this attribute is present, Keystone will
indiscriminately invoke the "external" plugin to "authenticate"
https://github.com
Public bug reported:
When creating a project with name which exceeds the maximum length (of
64 chars), we get a very generic error message.
openstack --os-identity-api-version 3 --os-auth-url https://localhost:5000/v3
--os-username admin --os-user-domain-id default --os-project-name admin
--os-
Public bug reported:
A mapping which yields no valid identity (i.e. no local user or group)
will result in HTTP 500 instead of 401. There are two issues.
1. We automatically return a default ephemeral user mapped_properties when
the mapping yields no valid local identity or groups.
2. In the mapped a
Public bug reported:
For federation, we are no longer able to map a remote user to a local user
because the JSON schema does not allow the "type" attribute in the user
object. This is a legit attribute and must be set to "local" in order to
be able to map to a local user.
To reproduce the problem:
** Also affects: keystone/liberty
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1541621
Title:
Invalid fernet X-Subject
Public bug reported:
When a scoped fernet token is no longer valid (i.e. all the roles had
been removed from the scope), token validation should result in 404
instead of 401. According to Keystone V3 API spec, 401 is returned only
if X-Auth-Token is invalid. Invalid X-Subject-Token should yield 40
This bug can be addressed outside of Keystone by passing the appropriate
X-Forwarded-* headers from the proxy or LB.
** Changed in: keystone
Status: In Progress => Won't Fix
When running Keystone in INFO mode, the LDAP error is not visible from
API.
This is expected behavior as 500 is returned for server
misconfiguration.
** Changed in: keystone
Status: Confirmed => Invalid
** Changed in: keystone
Importance: Medium => Undecided
Public bug reported:
Step to reproduce:
1. enable domain_specific drivers in keystone.conf
domain_specific_drivers_enabled = true
domain_configurations_from_database = false
domain_config_dir = /etc/keystone/domains
2. set the global list_limit to 2 in keystone.conf
[default]
list_li
Public bug reported:
The public base URL is returned in the links even though the request is
coming from the admin URL. Set both admin_endpoint and public_endpoint in
keystone.conf and notice that public_endpoint is always used as the base
URL in the links. i.e.
$curl -k -s -H 'X-Auth-Token: d5363c1fe95
Public bug reported:
Our LDAP lookup users in group logic assumes that the member attribute
contains the user DN.
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap.py#L168
However, this is not the case for posixGroup (RFC 2307) where the
memberUid is really the ui
The existing redundant "total" tokens removed log messages are working
fine, it seems.
** Changed in: keystone
Status: In Progress => Invalid
** Changed in: keystone
Assignee: Michael Tupitsyn (mikhail-tupitsyn) => (unassigned)
Public bug reported:
Install the latest devstack and you'll see a bunch of these in
key.log.
2015-06-03 12:50:42.200204 36393 INFO keystone.common.wsgi [-] GET
http://192.168.1.1:5000/v3/users/7efe8fbb83364bb1b5b3171467c8da9c/projects/users/7efe8fbb83364bb1b5b3171467c8da9c/projects/users/7efe8f
Public bug reported:
Steps to reproduce the error:
1. Install devstack
2. enable domain-specific driver feature
domain_specific_drivers_enabled=true
domain_config_dir=/etc/keystone/domains
3. create a domain-specific conf file in /etc/keystone/domains/. (i.e.
/etc/keystone/domai
Public bug reported:
With the v3 cloud admin policy file, a domain admin can assign roles to
users for projects in his domain. However, he's unable to list those
assignments.
The expectation is that domain admin should be able to list role
assignments for projects in his own domain.
** Affects: keys
Public bug reported:
See
https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L256-L261
In a multi-worker environment, the second role creation call could
result in conflict.
** Affects: keyst
Importance: Low
Assignee: Guang Yee (guang-yee)
Status: In Progress
** Changed in: keystone
Assignee: (unassigned) => Guang Yee (guang-yee)
** Changed in: keystone
Importance: Undecided => Low
KeyError' instead of 'exception.KeyError'
https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L598
https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L568
** Affects: keystone
Importance: High
Assignee: Guang Yee (guan
** Also affects: swift
Importance: Undecided
Status: New
** Changed in: swift
Assignee: (unassigned) => Guang Yee (guang-yee)
** Also affects: trove
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1342274
Title:
auth_token middleware in keystoneclient
Public bug reported:
Currently all the v3 auth tests are calling self.post(), which
eventually goes through v3_request()
https://github.com/openstack/keystone/blob/master/keystone/tests/test_v3.py#L353
that's always an admin request as an auth token is required. But since V3
auth is an unprotected
Public bug reported:
User from an enabled domain can still get a token scoped to a project in
a disabled domain.
Steps to reproduce.
1. create domains "domainA" and "domainB"
2. create user "userA" and project "projectA" in "domainA"
3. create user "userB" and project "projectB" in "domainB"
4.
Public bug reported:
Looks like we can create two different users with the same name in the
same domain. That should not be allowed.
gyee@gyee-VirtualBox:~/projects/openstack/keystone$ curl -s -H 'X-Auth-Token:
ADMIN' -H 'Content-Type: application/json' -d '{"domain": {"name":
"test-domain"}}'
Public bug reported:
2014-01-31 15:42:14.656 2631 WARNING keystone.common.wsgi [-] Invalid token in
_get_trust_id_for_request
2014-01-31 15:42:14.657 2631 WARNING keystone.common.wsgi [-] Authorization
failed. The request you have made requires authentication. from 127.0.0.1
Reason is we are d