Public bug reported:
PCI DSS requires operators to analyze failed login attempts, for example,
to catch bruteforce or password stuffing attacks. To achieve that, allow
keystone to report details about the bad credentials used in the failed
authentication attempts.
** Affects: keystone
Public bug reported:
Steps to reproduce:
1. Create role R
2. Create an application credential with role R in it
3. Delete role R
4. Try to list the application credentials
Observed: list fails with 404: Role Not Found
Expected: not sure
I see the following potential behaviors:
1. The role can
Public bug reported:
In python 3.12 utcnow and utcfromtimestamp have been deprecated:
https://github.com/python/cpython/issues/103857 . Keystone uses them
extensively:
$ grep -ro "utcnow" . | wc -l | xargs echo "Total matches :"
Total matches : 195
$ grep -ro "utcfromtimestamp" . | wc
Public bug reported:
Some time ago https://review.opendev.org/c/openstack/keystone/+/834181
got merged. It exposed an issue: keystone does not catch many
exceptions. It leads to keystone logging every small event using
logging.exception() method, which prints a traceback and logs it with an
ERROR
Public bug reported:
Steps to reproduce:
1. You need a system with 2 scripts and a keystone user in sql, running in
parallel:
Script 1 performs many authentications with username+password
Script 2 deletes the user
2. With enough luck, you get the following backtrace:
2023-11-25
Public bug reported:
https://github.com/openstack/keystone/blob/fc9efc45b26d23a3b28ac0bc74da3f537dfda89b/keystone/conf/default.py#L124
- keystone is expected not to send out notifications that authentication
failed. However, there is a typo in the event name. Instead of
Public bug reported:
Listing domains via projects api (/v3/projects) using is_domain
parameter with domain-scoped token always returns an empty list.
Steps to reproduce:
1. Get a domain-scoped token
2. Make a call to /v3/projects?is_domain=true with the token
Expected:
Domains are listed
Public bug reported:
With complex structure of inherited roles and groups listing projects
and domains a user has access to becomes very slow. Some users are
complaining that it takes a minute to get their list of roles.
Some time ago a similar bug has been fixed in
Public bug reported:
As domain admin, I would like to list role assignments on projects of my
domain. The default v3 policies are:
"admin_on_domain_filter": "rule:admin_required and
domain_id:%(scope.domain.id)s",
"admin_on_project_filter": "rule:admin_required and
Public bug reported:
Exception LDAPServerConnectionError
(https://git.openstack.org/cgit/openstack/keystone/tree/keystone/exception.py?h=12.0.0.0b1#n597)
is now implemented as a subclass of Error. It gives out too much info
about setup (that LDAP is used) and it should not set its error code.
We are now giving error code 500, and this is the correct code. 504 is
Gateway Timeout, means that one server did not receive a timely response
from another server. There is a timely response, and the response says
that the server is misconfigured.
> but the error in the logs leaks information
You should fix your keystone.conf. If you set incorrect password for
database, or incorrect name for an identity backend, or incorrect value
to any other option, nothing is going to work too. I think it is fine
that it fails this way.
** Changed in: keystone
Status: New => Invalid
--
You
Public bug reported:
Devstack master, Horizon b327515.
User with role "Member" trying to create a port for network "public",
getting error: http://paste.openstack.org/show/600791/ . The first line
in pastebin is output of print(network.subnets), which I added to find
out what's going on.
**
** This bug is no longer a duplicate of bug 1642687
Missing domain for federated users
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1600366
Title:
Federated
** Also affects: python-keystoneclient
Importance: Undecided
Status: New
** No longer affects: keystone
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
** Also affects: python-openstackclient
Importance: Undecided
Status: New
** No longer affects: keystone
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
I think that this is expected. When --domain Default is passed,
openstackclient doesn't know what "Default" is -- id or name. So it
tries to fetch domain with id Default, and when fails, then tries to
fetch domain by name. This is definitely not a keystone bug, and I think
that it is not a bug in
I think the problem is in python-openstackclient
** Also affects: python-openstackclient
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
** Also affects: keystonemiddleware
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1652929
Title:
keystone token warning flood
Status in
This is not a duplicate, the retrying code should be added to the
identity driver
** Changed in: keystone
Status: Invalid => Confirmed
** Changed in: keystone
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Yahoo!
Engineering Team,
Oh right, this one is indeed invalid.
** Changed in: keystone
Status: Confirmed => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1645607
Title:
Actually I can confirm it.
** Changed in: keystone
Status: Invalid => Confirmed
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1645607
Title:
Keystone cannot run it by itself, you need to use apache to run it.
Probably, when you launch apache, it launches keystone and that's why
the port is already in use.
Don't try running service "keystone" and you will be good.
** Changed in: keystone
Status: New => Invalid
--
You received
Sorry, but the bug is invalid. The migrations should not run for unit
tests. The tables get created from scratch for every test:
keystone/common/sql/contract_repo/versions/002_password_created_at_not_nullable.py
.
** Changed in: keystone
Status: Confirmed => Invalid
--
You received this
Public bug reported:
On current master (6a93e9b) most of unit tests do not run on new schema.
For example, for test
keystone.tests.unit.assignment.role_backends.test_sql.SqlRole.test_role_crud
migration contract_repo/versions/002_password_created_at_not_nullable.py
never gets applied.
Keystone
Public bug reported:
Steps to reproduce:
1. dpkg-reconfigure tzdata and select there Europe/Moscow (UTC+3).
2. Restart mysql
3. Configure opportunistic tests with the following command in mysql:
GRANT ALL PRIVILEGES ON *.* TO 'openstack_citest' @'%' identified by
'openstack_citest' WITH GRANT
We now have mysql and postgresql jobs that check migrations
** Changed in: keystone
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
** Project changed: keystone => nova
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1608015
Title:
When I use curl command to send requets, why the OS_TENANT_NAME must
** Also affects: python-keystoneclient
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1607751
Title:
Schema for
Public bug reported:
Patch https://review.openstack.org/#/c/344057/ introduced schema
validation for enabling a user. In the schema, it forbids passing any
parameters other than "enabled". It causes failures to at least rally:
http://logs.openstack.org/88/348788/1/check/gate-rally-dsvm-keystone-
Public bug reported:
In parameters.yaml there are many entries with suffixes "_{number}" in
the end. For example:
$ grep name_ api-ref/source/v3/parameters.yaml
name_10:
name_13:
name_14:
name_16:
name_1:
name_11:
name_12:
name_15:
name_17:
name_18:
name_19:
name_2:
name_3:
name_4:
name_5:
I am adding keystone because it has some logic for cache invalidation
across projects. Also, we ran into this issue originally on keystone.
The code on
https://github.com/openstack/keystone/blob/stable/mitaka/keystone/common/cache/core.py#L71
is supposed to proxy calls to cache invalidation.
Public bug reported:
If username changes in identity provider, shadow user's display_name is
not updated.
** Affects: keystone
Importance: Undecided
Assignee: Ron De Rose (ronald-de-rose)
Status: New
--
You received this bug notification because you are a member of Yahoo!
-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi f =
getattr(self.driver, name)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi AttributeError:
'Identity' object has no attribute 'update_federated_user_display_name'
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi
** Af
please disregard this, I forgot to `pip install -e .`
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1551751
Public bug reported:
I am getting this exception on any request:
http://paste.openstack.org/show/488752/
My config hasn't [shadow_users]driver parameter yet. Maybe there should
be a sane default?
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug
*** This bug is a duplicate of bug 1526976 ***
https://bugs.launchpad.net/bugs/1526976
** This bug is no longer a duplicate of bug 1474942
Missing either X-Auth-Token or X-Subject-Token in fernet token gives HTTP
500 code.
** This bug has been marked a duplicate of bug 1526976
Any
If the bug is in the auth plugin, keystoneauth is affected too
** Also affects: keystoneauth
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
I agree with the above. You are supposed to put all the servers you have
to [cache]memcache_servers, comma-separated
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
Given Dolph's comment I'm marking this bug as invalid. Feel free to
reopen if you still think there is a bug.
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
I'm marking this as invalid for keystone since it affects all components
that use oslo_config.
** Changed in: keystone
Status: Triaged => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
`keystone` CLI doesn't work with v3. You need to either use v2 or use
python-openstackclient (`openstack` CLI).
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
** Changed in: keystone
Assignee: (unassigned) => Boris Bobrov (bbobrov)
** No longer affects: mos
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1483212
Title:
can't authenticate
This is by design and there is a unit-test that checks that
(test_v3_identity.py, test_list_users_with_multiple_backends). The
controller requires a domain to be specified either as a filter or by
using a domain scoped token. In your case you need to provide a domain
via --domain parameter of
This is because of oslo_config's option value interpolation:
http://docs.openstack.org/developer/oslo.config/cfg.html#option-value-interpolation
This can be overridden by using $$ instead of $, but it would be great to
mark some options as not using the interpolation.
** Also affects: oslo.config
``keystone'' cli is deprecated, you should use ``openstack'' cli --
http://docs.openstack.org/developer/python-openstackclient/.
** Project changed: keystone => python-keystoneclient
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to
``keystone'' cli is deprecated, you should use ``openstack'' cli --
http://docs.openstack.org/developer/python-openstackclient/.
** Project changed: keystone => python-keystoneclient
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to
1. ``keystone'' cli is deprecated, you should use ``openstack'' cli --
http://docs.openstack.org/developer/python-openstackclient/.
2. This is a long-standing issue of project vs tenant. In v3 there is
``project'' everywhere, in v2 there is ``tenant''. ``keystone'' cli uses only
v2 api, thus
``keystone'' cli is deprecated, you should use ``openstack'' cli --
http://docs.openstack.org/developer/python-openstackclient/.
** Project changed: keystone => python-keystoneclient
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to
Public bug reported:
Traceback (most recent call last):
File keystone/tests/test_v3_identity.py, line 1223, in
test_token_revoked_once_group_role_grant_revoked
expected_status=404)
File keystone/tests/test_v3.py, line 476, in head
r = self.v3_request(method='HEAD', path=path,
Public bug reported:
Keystone becomes extremely slow if one of memcached servers, used as
token persistence driver, stops working. This happens because Keystone
re-initializes memcache client on every call and memcache client loses
information about dead servers and time until they are dead.
To
Public bug reported:
Snippet http://paste.openstack.org/show/193500/ results in
keystoneclient.openstack.common.apiclient.exceptions.Unauthorized: The
request you have made requires authentication. (Disable debug mode to
suppress these details.) (HTTP 401)
There should be another error message:
Public bug reported:
AuthContextMiddleware validates token and converts it to auth_context.
The info fetched can be reused in several places, for example in
https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L677
. A good list to start searching places for refactoring
Public bug reported:
[DEFAULT]admin_token = ADMIN
curl -k -H X-Auth-Token:ADMIN http://localhost:35357/v3/auth/tokens |
python -mjson.tool
http://paste.openstack.org/show/192079/
rev 55d940c70be405e6dcf48eaa4aed0c2d766aadeb
** Affects: keystone
Importance: Undecided
Status: New
Public bug reported:
create_user.json:
{
    "user": {
        "enabled": true,
        "name": "breton",
        "password": "123123"
    }
}
[DEFAULT]admin_token = ADMIN
$ curl -k -H "X-Auth-Token:ADMIN" -H "Content-type: application/json" -d
@create_user.json http://localhost:35357/v3/users | python
Setting to invalid because the patch is abandoned and because of
comments in it.
** Changed in: keystone
Status: In Progress => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
Public bug reported:
TypeError: must be type, not classobj is raised if memcache_pool is used
as cache backend with Apache.
** Affects: keystone
Importance: Undecided
Assignee: Boris Bobrov (bbobrov)
Status: In Progress
** Changed in: keystone
Assignee: (unassigned
Keystone doesn't support py26 any more, so it is acceptable
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1413538
Title:
Public bug reported:
One of the tests fails on non-sqlite databases:
http://paste.openstack.org/show/156457/
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to
Public bug reported:
bug #1405673 was one of them. bug #1406314 contains a list of migrations
tests, which should be fixed.
** Affects: keystone
Importance: Undecided
Assignee: Boris Bobrov (bbobrov)
Status: New
** Changed in: keystone
Assignee: (unassigned) => Boris
Public bug reported:
Section Preparing your deployment of configuration.rst suggests
configuration in [sql] section, which is not used any more.
** Affects: keystone
Importance: Undecided
Status: New
** Tags: documentation
--
You received this bug notification because you are a