[Yahoo-eng-team] [Bug 1652012] [NEW] token model assumes a token is is_admin_project

2016-12-22 Thread Henry Nash
Public bug reported: Our token model code will return a default of True for is_admin_project if that attribute is not defined. The comment next to this says this is for backward compatibility - but this seems inherently dangerous. We should investigate what changes are needed (if any) to make the

[Yahoo-eng-team] [Bug 1651989] [NEW] domain admin token will be treated as cloud admin

2016-12-22 Thread Henry Nash
Public bug reported: The new capability of is_admin_project is currently only supported for projects. However, the existing code for token models will return is_admin_project as True if the attribute has not been set. Hence admin domain tokens might get interpreted as cloud admin tokens. This is

[Yahoo-eng-team] [Bug 1640483] Re: list of inherited role assignments to a project hierarchy does not contain the assignee/root project for users

2016-11-09 Thread Henry Nash
This appears to be working as designed. Inherited assignments are only applied to the children of the anchor point. Hence there are no effective assignments on P. ** Changed in: keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo!

[Yahoo-eng-team] [Bug 1615698] [NEW] developing.rst needs to be updated for new rolling upgrade approach

2016-08-22 Thread Henry Nash
Public bug reported: The existing developing.rst references the standard rolling upgrade approach where contract can't remove anything until X+2 etc. This needs to be updated for the new approach we have now merged. ** Affects: keystone Importance: Undecided Assignee: Henry Nash (henry

[Yahoo-eng-team] [Bug 1604479] Re: tenantId/default_project_id missing on Keystone service user in Mitaka

2016-08-16 Thread Henry Nash
Hi I think the puppet change is the right thing, I don't think there will be much support for changing the keystone design here. ** Changed in: keystone Status: In Progress => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is

[Yahoo-eng-team] [Bug 1607114] [NEW] List role assignments doesn't include domain of role

2016-07-27 Thread Henry Nash
Public bug reported: The list role assignment will return the names (and domain names) of each party in an assignment if the "include_names" query parameter is included. However, this is not true for roles, which would be useful for domain specific roles. ** Affects: keystone

[Yahoo-eng-team] [Bug 1596500] [NEW] Passwords created_at attribute could remain unset during rolling upgrade

2016-06-27 Thread Henry Nash
Public bug reported: Migrate 105 (in Newton) adds the password created_at attribute, and defaults it to now(). However, this is not a server default, rather it is a "write to all existing rows" at the time the DB is migrated. The following rolling upgrade sequence will cause this to remain unset:

[Yahoo-eng-team] [Bug 1583142] Re: Roles inheritance for groups is not visible in user's role assignments

2016-05-31 Thread Henry Nash
This bug is invalid, since: 1) Inheritance is only applied to children of the node that carries the actual inherited assignment 2) Effective assignments only show the result of all group & inherited assignments, as well as valid non-inherited direct user assignments - but do not include the

[Yahoo-eng-team] [Bug 1586289] Re: openstack project list can not list the project which is domain.

2016-05-27 Thread Henry Nash
IP address of your keystone server. Alternatively, you can use the python-keystoneclient library to write a little python example. ** Also affects: python-openstackclient Importance: Undecided Status: New ** Changed in: python-openstackclient Assignee: (unassigned) => Henry Nas

[Yahoo-eng-team] [Bug 1583948] Re: getting whole user-roles in domain or project in V3

2016-05-20 Thread Henry Nash
This is not a bug, it is working as designed. The list grants API only lists explicit grants. If you want to see "effective" grants, you should use the List Assignments API. ** Changed in: keystone Status: In Progress => Invalid -- You received this bug notification because you are a

[Yahoo-eng-team] [Bug 1569814] [NEW] Incorrect deprecation warning for IdentityDriverV8

2016-04-13 Thread Henry Nash
Public bug reported: Commit ad7a7bd6ee36a7af61f88d98038d83aba25a9743 (https://review.openstack.org/#/c/296140/) moved driver interfaces for core Identity into their own module (base.py in the backend directory). For compatibility it included a class definition of IdentityDriverV8 in the original

[Yahoo-eng-team] [Bug 1558350] Re: No rest api for /v3/projects/{projectId}/users

2016-03-19 Thread Henry Nash
So the v2 API is really a hang over from when creating a user with a default project automatically granted you a role on that project, leading to the concept of "user for a project". In v3 such an automatic assignment does not occur, and in v3 we focus much more on the direct assignments (i.e.

[Yahoo-eng-team] [Bug 1546039] [NEW] If one trustor role is removed, the trust cannot be used

2016-02-16 Thread Henry Nash
Public bug reported: If a trust is created with a list of roles, when the trust is used by the trustee to obtain a token, we first make sure that the trustor still has all the delegated roles. However, the way the code is written, if any have been removed, we immediately fail the token creation,

[Yahoo-eng-team] [Bug 1539140] [NEW] Current logging in Keystone does not enable operators to determine what is happening

2016-01-28 Thread Henry Nash
Public bug reported: Our current logging is meant to provide different levels so that operators can enable a suitable level (e.g. INFO) without going full DEBUG (which operators consider potentially risky). INFO doesn't, however, give you anything consistent. ** Affects: keystone

[Yahoo-eng-team] [Bug 1535878] [NEW] A role with a role on a project should be able to issue a GET /project call

2016-01-19 Thread Henry Nash
Public bug reported: Currently, we require project admin or "higher" in order to issue a GET /project call. This seems overly restrictive, since if you have a role on a project, I would think you should be able to issue GET /project. Further, there are cases (such as other projects wanting work

[Yahoo-eng-team] [Bug 1533346] [NEW] federation create_mapping signature and V9 wrapper incorrect

2016-01-12 Thread Henry Nash
. The legacy testing did not cover all the CRUD tests, which is why this was not discovered when the V9 driver was created. ** Affects: keystone Importance: High Assignee: Henry Nash (henry-nash) Status: In Progress ** Changed in: keystone Importance: Undecided => High ** Chan

[Yahoo-eng-team] [Bug 1443912] Re: Non-translation-friendly formatting of msg string

2015-12-03 Thread Henry Nash
Due to the fact that we use the msg both for a log and an exception, I think this code is OK ** Changed in: keystone Status: In Progress => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity

[Yahoo-eng-team] [Bug 1522433] [NEW] API Version info incorrect for Liberty

2015-12-03 Thread Henry Nash
Public bug reported: Our API allows you to query keystone for the version that it supports (e.g. V2 and v3), as well as the minor version we support (e.g. 3.4) as well as other status of the API. Looks like this was not updated for the Liberty release: versions['v3'] = {

[Yahoo-eng-team] [Bug 1517038] [NEW] API-based Domain config method could temporarily show partial update

2015-11-17 Thread Henry Nash
ial update. ** Affects: keystone Importance: High Assignee: Henry Nash (henry-nash) Status: New ** Changed in: keystone Assignee: (unassigned) => Henry Nash (henry-nash) ** Changed in: keystone Importance: Undecided => High -- You received this bug notifica

[Yahoo-eng-team] [Bug 1517037] [NEW] API-based Domain specific config does not check for type of option

2015-11-17 Thread Henry Nash
in the field. ** Affects: keystone Importance: Medium Assignee: Henry Nash (henry-nash) Status: New ** Changed in: keystone Assignee: (unassigned) => Henry Nash (henry-nash) ** Changed in: keystone Importance: Undecided => Medium -- You received this bug notification b

[Yahoo-eng-team] [Bug 1516226] [NEW] Keystone V2 User API can access users outside of the default domain

2015-11-14 Thread Henry Nash
Public bug reported: The Keystone V2 API is not meant to be able to "see" any user, groups or projects outside of the default domain. APIs that list these entities are careful to filter out any that are in non-default-domains. However, if you know your entity ID we don't prevent you from doing

[Yahoo-eng-team] [Bug 1484577] Re: OS-INHERIT does not seem to work for users but works for groups

2015-10-22 Thread Henry Nash
*** This bug is a duplicate of bug 1403539 *** https://bugs.launchpad.net/bugs/1403539 I'm closing this defect, since it is essentially a duplicate of https://bugs.launchpad.net/keystone/+bug/1403539. Please re-open if you think there is a distinct defect here. ** This bug has been marked a

[Yahoo-eng-team] [Bug 1502157] [NEW] Updating a project's domain_id can create an illegal project hierarchy

2015-10-02 Thread Henry Nash
Public bug reported: We introduced hierarchical projects in Kilo. The design (both then and now) was that a project hierarchy existed in a single domain (i.e. all the projects in the hierarchy were owned by the same domain). We also still support (although disabled by default) the ability to

[Yahoo-eng-team] [Bug 1493126] Re: openstack group create fails while using admin token

2015-09-19 Thread Henry Nash
I do not consider this a bug. We state that you must either explicitly supply the domain_id of a group in the entity passed to the create call OR use a domain scoped token. Since the ADMIN token is not a domain scoped token, you must provide it in the entity itself (which, to be honest, should

[Yahoo-eng-team] [Bug 1482330] [NEW] Creating a user/group/project without a domain should raise an exception

2015-08-06 Thread Henry Nash
deprecation warning if we detect this situation for a cycle? ** Affects: keystone Importance: Undecided Assignee: Henry Nash (henry-nash) Status: In Progress ** Summary changed: - Creating a user/group without a domain should raise an exception + Creating a user/group/project

[Yahoo-eng-team] [Bug 1481145] Re: Keystone could create domain when Identity driver is LDAP and Resource driver is SQL

2015-08-04 Thread Henry Nash
So this is by design. If you are using LDAP for Identity and want to use multiple domains, then you need to enable domain specific drivers in Identity. This is done using the identity config domain_specific_drivers_enabled option. However, I'd recommend you read the keystone configuration.rst

[Yahoo-eng-team] [Bug 1476964] Re: keystone/backends.py two lines should be deleted

2015-07-22 Thread Henry Nash
I don't think you want to do that for two reasons: 1) It is confusing 2) The keys in DRIVER dict are used by code to actually call the managers, so you have just broken all the identity and assignment calls. ** Changed in: keystone Status: New => Invalid -- You received this bug

[Yahoo-eng-team] [Bug 1466772] [NEW] File based domain config checks contain unused code

2015-06-19 Thread Henry Nash
Importance: Low Assignee: Henry Nash (henry-nash) Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1466772 Title: File based domain config checks contain unused code

[Yahoo-eng-team] [Bug 1443912] [NEW] Non-translation-friendly formatting of msg string

2015-04-14 Thread Henry Nash
': user_id, 't_id': tenant_id} LOG.warning(msg) raise exception.Unauthorized(msg) ** Affects: keystone Importance: Low Assignee: Henry Nash (henry-nash) Status: New -- You received this bug notification because you are a member of Yahoo

[Yahoo-eng-team] [Bug 1440107] [NEW] Clearing up project assignments makes assumptions that domain_id != project_id

2015-04-03 Thread Henry Nash
the type of the assignment in the delete (e.g. USER_PROJECT or GROUP_PROJECT). ** Affects: keystone Importance: Low Assignee: Henry Nash (henry-nash) Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed

[Yahoo-eng-team] [Bug 1440135] [NEW] Cleaning up user/group assignments makes incorrect assumption that user_id != group_id

2015-04-03 Thread Henry Nash
technically one should also specify the type of the assignment in the delete (e.g. USER_PROJECT/USER_DOMAIN and USER_PROJECT/GROUP_PROJECT). ** Affects: keystone Importance: Low Assignee: Henry Nash (henry-nash) Status: New -- You received this bug notification because you are a member

[Yahoo-eng-team] [Bug 1438529] [NEW] Assignment manager uses .driver. unnecessarily in many places

2015-03-31 Thread Henry Nash
Public bug reported: There are many cases in the assignment manager where it uses .driver. to call unique methods in the driver - which is not required, since we already have these methods patched into the class. ** Affects: keystone Importance: Wishlist Assignee: Henry Nash (henry

[Yahoo-eng-team] [Bug 1438617] [NEW] Domain config management is not thread-safe

2015-03-31 Thread Henry Nash
time. Domain configuration management are relatively infrequent operations, but someone, somewhere will fall into this hole. ** Affects: keystone Importance: Medium Assignee: Henry Nash (henry-nash) Status: New -- You received this bug notification because you are a member

[Yahoo-eng-team] [Bug 1438827] [NEW] Lazy loading of domain configs can lead to issues

2015-03-31 Thread Henry Nash
Public bug reported: This lazy loading was created to avoid a circular dependency between identity and assignment. However it has a number of issues: (Extracted from Bug #1410850) First - if someone will call .setup_domain_drivers(...) multiple times (perhaps we should add self.create() in this

[Yahoo-eng-team] [Bug 1438517] [NEW] Identity driver clean-up methods have confusing names

2015-03-30 Thread Henry Nash
are misnamed: delete_group() delete_user() These should, for clarity, be called: delete_group_assignments() delete_user_assignments() This is already flagged by a TODO comment in the driver class in the identity manager. ** Affects: keystone Importance: Wishlist Assignee: Henry Nash

[Yahoo-eng-team] [Bug 1435693] [NEW] A number of places where we LOG messages fail to use the _L{X} formatting

2015-03-24 Thread Henry Nash
Public bug reported: These should be corrected. ** Affects: keystone Importance: Low Assignee: Henry Nash (henry-nash) Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https

[Yahoo-eng-team] [Bug 1435315] Re: get_v3_catalog is in the driver section of catalog/core - it should be in the manger

2015-03-23 Thread Henry Nash
Ah, no, it is using this to get an override in the case of sql. ** Changed in: keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1435315 Title:

[Yahoo-eng-team] [Bug 1435310] Re: sql backend get_v3_catalog is never used

2015-03-23 Thread Henry Nash
Ah, now I get what is going on - it is overriding the default one in the Driver class... ** Changed in: keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.

[Yahoo-eng-team] [Bug 1435310] [NEW] sql backend get_v3_catalog is never used

2015-03-23 Thread Henry Nash
Public bug reported: The v3 catalog is created from the v2 catalog in the catalog manager/driver, and the sql backend get_v3_catalog method is therefore never called - and should be removed. ** Affects: keystone Importance: Medium Assignee: Henry Nash (henry-nash) Status: New

[Yahoo-eng-team] [Bug 1435312] [NEW] v2 and v3 get catalog pass unused metadata parameter

2015-03-23 Thread Henry Nash
Public bug reported: Both the v2 and v3 get catalog calls take an optional parameter called 'metadata' - but this is never used. It should be removed. ** Affects: keystone Importance: Medium Assignee: Henry Nash (henry-nash) Status: New -- You received this bug notification

[Yahoo-eng-team] [Bug 1435315] [NEW] get_v3_catalog is in the driver section of catalog/core - it should be in the manger

2015-03-23 Thread Henry Nash
: Henry Nash (henry-nash) Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1435315 Title: get_v3_catalog is in the driver section of catalog/core - it should

[Yahoo-eng-team] [Bug 1431015] Re: v3/users or groups calls not working without domain_id

2015-03-11 Thread Henry Nash
You need to be using a domain scoped token for the keystone to pick up the domain from the token...it looks like the token you are using is an unscoped token ** Changed in: keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering

[Yahoo-eng-team] [Bug 1429723] Re: Column role_id of table assignment should be properly referenced with table role

2015-03-09 Thread Henry Nash
No, we explicitly drop this constraint in the 062 migration. The reason is that roles are stored in a different backend to the assignment table - and it isn't safe to have FK relationships across backends. ** Changed in: keystone Status: In Progress => Invalid -- You received this bug

[Yahoo-eng-team] [Bug 1429556] [NEW] Identity API for domain-config should define separate resources for group/option

2015-03-08 Thread Henry Nash
to by JSON Home. ** Affects: keystone Importance: High Assignee: Henry Nash (henry-nash) Status: In Progress ** Description changed: The API spec for domain-config contains the resource relationship for the full domain-config, however since it is possible to manipulate

[Yahoo-eng-team] [Bug 1428600] [NEW] Domain Config updates for specific group/option don't honor NotFound

2015-03-05 Thread Henry Nash
: keystone Importance: High Assignee: Henry Nash (henry-nash) Status: New ** Description changed: The manager API for domain-config database updates should raise a DomainConfigNotFound exception if an explicit group or option as been - specified in the url (i.e. passed

[Yahoo-eng-team] [Bug 1427437] [NEW] LDAP debug logging during unit tests brings us close to causing jenkins to fail our tests

2015-03-02 Thread Henry Nash
logging. We should switch off ldap debug logging for our unit tests. ** Affects: keystone Importance: Critical Assignee: Henry Nash (henry-nash) Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed

[Yahoo-eng-team] [Bug 1426448] [NEW] Identity API spec for creating domain-config should be PUT not POST

2015-02-27 Thread Henry Nash
Importance: High Assignee: Henry Nash (henry-nash) Status: In Progress -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1426448 Title: Identity API spec for creating

[Yahoo-eng-team] [Bug 1426310] [NEW] The identity API spec includes examples of the email attribute

2015-02-27 Thread Henry Nash
: Henry Nash (henry-nash) Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1426310 Title: The identity API spec includes examples of the email attribute Status

[Yahoo-eng-team] [Bug 1424698] [NEW] Backend fIlter testing could be more comprehensive

2015-02-23 Thread Henry Nash
Public bug reported: The current filter testing for backends covers some of the filtering combinations (such as startswith), but not all of them. These should be expanded to provide better coverage (especially as filtering is now supported by SQL and Ldap backends). ** Affects: keystone

[Yahoo-eng-team] [Bug 1422994] [NEW] Backend role tests have duplicate test for get_role

2015-02-17 Thread Henry Nash
to the new backend unit framework - and this duplication should be removed. ** Affects: keystone Importance: Low Assignee: Henry Nash (henry-nash) Status: In Progress ** Tags: test-improvement -- You received this bug notification because you are a member of Yahoo! Engineering Team

[Yahoo-eng-team] [Bug 1418956] [NEW] Test utilities assume use of assignment api

2015-02-06 Thread Henry Nash
be to allow the disabling of all existing assignments tests, a simple thing we can do to let out-of-tree experimentation to at least use our test fixtures/utils is not to error out if the assignment APIs return NotImplemented. ** Affects: keystone Importance: Wishlist Assignee: Henry Nash (henry

[Yahoo-eng-team] [Bug 1417451] [NEW] SQL User Group entities still have FK to domain

2015-02-03 Thread Henry Nash
in resource. This stops proper decoupling between our components (and, for instance, makes it harder to handle domain deletion via notification). We should drop the domain_id FK constraint on User Group entities. ** Affects: keystone Importance: Medium Assignee: Henry Nash (henry-nash

[Yahoo-eng-team] [Bug 1415959] [NEW] Role cache details are actually using the assignment values

2015-01-29 Thread Henry Nash
: Henry Nash (henry-nash) Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1415959 Title: Role cache details are actually using the assignment values Status in OpenStack

[Yahoo-eng-team] [Bug 1415268] [NEW] Testing of backend list_role_assignments needs to be improved

2015-01-27 Thread Henry Nash
AND will be rewriting many of the other assignment listing methods to simply call list_role_assignments. ** Affects: keystone Importance: Medium Assignee: Henry Nash (henry-nash) Status: In Progress ** Tags: test-improvement -- You received this bug notification because you are a member

[Yahoo-eng-team] [Bug 1415169] [NEW] We don't make the dependency clear between identity and resource/assignment LDAP

2015-01-27 Thread Henry Nash
Public bug reported: If we are using LDAP for Resource/Assignment, our code requires that you are using it for Identity. We only hint at this in our code comments, for instance in https://review.openstack.org/#/c/144824/16/keystone/resource/backends/ldap.py where we say: # This is the only deep

[Yahoo-eng-team] [Bug 1414909] [NEW] In some tests, calls to role_api still go via assignment_api

2015-01-26 Thread Henry Nash
, self.role_member['id']) where we should really be passing self.role_api as opposed to self.assignment_api in as a parameter. ** Affects: keystone Importance: Low Assignee: Henry Nash (henry-nash) Status: New ** Changed in: keystone Importance

[Yahoo-eng-team] [Bug 1413276] [NEW] Filtering (and limiting) list domains is not tested

2015-01-21 Thread Henry Nash
Public bug reported: We test the filtering and limiting of lists in test_backend.py - and do this for projects, users and groups: class LimitTests(filtering.FilterTests): ENTITIES = ['user', 'group', 'project'] We don't do this for domain, since this would have problems with LDAP. We should

[Yahoo-eng-team] [Bug 1412447] [NEW] SQL identity driver does't support backend filtering on membership queries

2015-01-19 Thread Henry Nash
Public bug reported: The SQL identity driver leaves filtering on list_users_in_group and list_groups_for_user to the controller. This is probably a reasonable assumption - although the LDAP driver now does support at least filtering on list_groups_for_user (this is included in

[Yahoo-eng-team] [Bug 1411478] [NEW] Any attribute that is equal to 'TRUE' or 'FALSE' is treated as boolean by LDAP drivers

2015-01-15 Thread Henry Nash
Public bug reported: Our core LDAP driver makes a dangerous assumption that any attribute that is equal to the string 'TRUE' or 'FALSE' must be a boolean and will convert the value accordingly. For instance the following test: def test_hn1(self): ref = { 'name': 'TRUE',

[Yahoo-eng-team] [Bug 1410748] [NEW] Incorrectly named test in backend FilterTests

2015-01-14 Thread Henry Nash
Public bug reported: test_list_users_filtered() in FilterTests in test_backend is incorrectly named, since it actually tests users, groups and projects. ** Affects: keystone Importance: Low Assignee: Henry Nash (henry-nash) Status: New ** Tags: test-improvement -- You

[Yahoo-eng-team] [Bug 1410750] [NEW] test_backend has an sql specific test in it

2015-01-14 Thread Henry Nash
: Henry Nash (henry-nash) Status: New ** Tags: test-improvement -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1410750 Title: test_backend has an sql specific test

[Yahoo-eng-team] [Bug 1410029] [NEW] Unnecessary conflict wrapper on assignment driver delete_project() method

2015-01-12 Thread Henry Nash
. ** Affects: keystone Importance: Low Assignee: Henry Nash (henry-nash) Status: New ** Changed in: keystone Importance: Undecided => Low ** Changed in: keystone Assignee: (unassigned) => Henry Nash (henry-nash) -- You received this bug notification because you are a member

[Yahoo-eng-team] [Bug 1407540] [NEW] Identity driver has unused pointer to assignment

2015-01-04 Thread Henry Nash
Public bug reported: During the setup of the identity driver in identity/core, it stores a reference to the assignment_api in the driver although this is never used. This should be removed. ** Affects: keystone Importance: Wishlist Assignee: Henry Nash (henry-nash) Status

[Yahoo-eng-team] [Bug 1407342] [NEW] Incorrect comment about circular dependency in assignment manager

2015-01-03 Thread Henry Nash
of the config options for which driver is used, I don't believe there is a circular dependency. The comment should be corrected and be in the init() method itself. ** Affects: keystone Importance: Low Assignee: Henry Nash (henry-nash) Status: New ** Description changed: The assignment

[Yahoo-eng-team] [Bug 1406721] [NEW] RoleNotFound exception not tested for grant APIs

2014-12-31 Thread Henry Nash
: Wishlist Assignee: Henry Nash (henry-nash) Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1406721 Title: RoleNotFound exception not tested for grant APIs Status

[Yahoo-eng-team] [Bug 1406826] [NEW] master keystone.conf sample is out of sync

2014-12-31 Thread Henry Nash
Public bug reported: Looks like an update to keystone.common.policy has not been reflected in our keystone.conf sample, leading to this change being included in other commits. ** Affects: keystone Importance: High Assignee: Henry Nash (henry-nash) Status: In Progress -- You

[Yahoo-eng-team] [Bug 1404273] [NEW] ldap assignment driver does not support inherited assignments

2014-12-19 Thread Henry Nash
Public bug reported: The ldap assignment driver really has no support for inherited role assignments. This was not so bad when we just had domain-project inheritance (since the ldap backend doesn't support domains anyway!), but now that we have project-project inheritance, the ldap backend is

[Yahoo-eng-team] [Bug 1404276] [NEW] /auth/projects can include duplicates when using ldap

2014-12-19 Thread Henry Nash
Public bug reported: The /auth/projects API lists the projects a user has access to (i.e. has any role on). This is sourced from the ldap assignment backend, which (unlike the case for SQL) does not remove duplicate projects from the list. ** Affects: keystone Importance: Undecided

[Yahoo-eng-team] [Bug 1404276] Re: /auth/projects can include duplicates when using ldap

2014-12-19 Thread Henry Nash
This was due to a different side effect, not related to what was described. ** Changed in: keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1404276

[Yahoo-eng-team] [Bug 1398470] [NEW] sql migration helpers incorrectly inspect for FKs

2014-12-02 Thread Henry Nash
a columns attribute). The check should first ensure the item we are looking at IS a ForeignKey, and then check the column. ** Affects: keystone Importance: High Assignee: Henry Nash (henry-nash) Status: New ** Changed in: keystone Assignee: (unassigned) => Henry Nash (henry-nash

[Yahoo-eng-team] [Bug 1393365] [NEW] cross-manager use of config values for backward compatibility should have deprecation warnings

2014-11-17 Thread Henry Nash
Public bug reported: There are a few cases where, for backward compatibility, we honor older config values to ensure that installations don't break on upgrade between releases. A good example of this is the 'driver' config setting from when we split up the original identity manager/backend - as

[Yahoo-eng-team] [Bug 1391682] [NEW] Parameter validation for projects crud should not happen in drivers

2014-11-11 Thread Henry Nash
Public bug reported: Currently the assignment sql and ldap drivers do name cleansing on the project name - this should really be done in the manager to avoid this duplication. ** Affects: keystone Importance: Low Status: New ** Changed in: keystone Importance: Undecided => Low --

[Yahoo-eng-team] [Bug 1390640] [NEW] /auth/domains incorrectly includes domains with only user inherited roles

2014-11-07 Thread Henry Nash
domains for which the user has no effective role (a domain inherited role ONLY applies to the projects within that domain, not to the domain itself). ** Affects: keystone Importance: High Assignee: Henry Nash (henry-nash) Status: New ** Changed in: keystone Importance

[Yahoo-eng-team] [Bug 1390125] [NEW] Federation tokens can't be handled if assignment backend is LDAP

2014-11-06 Thread Henry Nash
Public bug reported: The LDAP assignment backend is missing some of the methods used by auth to handle federation tokens, for instance, at least get_roles_for_groups(). ** Affects: keystone Importance: Undecided Status: New ** Description changed: - The LDAP assignment backend is

[Yahoo-eng-team] [Bug 1389623] [NEW] Duplicate code in test_v3_federation

2014-11-05 Thread Henry Nash
._scope_request( self.tokens['CUSTOMER_ASSERTION'], 'domain', self.domainB['id'] The second statement is a duplicate of the first (formatting aside). ** Affects: keystone Importance: Low Assignee: Henry Nash (henry-nash) Status: New ** Changed in: keystone

[Yahoo-eng-team] [Bug 1389752] [NEW] Project tokens issued from a saml2 auth are missing inherited group roles

2014-11-05 Thread Henry Nash
roles can end up in the resulting Keystone token. The implication is that project scoped tokens would not get any group roles that should be inherited from the domain. ** Affects: keystone Importance: High Assignee: Henry Nash (henry-nash) Status: New ** Changed in: keystone

[Yahoo-eng-team] [Bug 1386264] [NEW] /auth/domains does not necessarily return a distinct list

2014-10-27 Thread Henry Nash
on their effective assignments, we try and make sure we return a distinct list. ** Affects: keystone Importance: Medium Assignee: Henry Nash (henry-nash) Status: New ** Changed in: keystone Importance: Undecided => Medium -- You received this bug notification because you are a member

[Yahoo-eng-team] [Bug 1385643] [NEW] /auth/domains incorrectly includes domains with only inherited roles

2014-10-25 Thread Henry Nash
domains for which the user has no effective role (a domain inherited role ONLY applies to the projects within that domain, not to the domain itself). ** Affects: keystone Importance: Medium Assignee: Henry Nash (henry-nash) Status: New ** Summary changed: - /auth/domains

[Yahoo-eng-team] [Bug 1385694] [NEW] /auth/projects fails to include any projects that have inherited group roles

2014-10-25 Thread Henry Nash
to projects - hence failing to include these projects in the list. ** Affects: keystone Importance: Medium Assignee: Henry Nash (henry-nash) Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https

[Yahoo-eng-team] [Bug 1385533] [NEW] Tokens issued from a saml2 auth ignore inheritance of group roles

2014-10-24 Thread Henry Nash
Public bug reported: When building the roles in a Keystone token from a saml2 token, we call assignment_api.get_roles_for_groups() to add in any group roles. This appears to ignore the inheritance flag on the assignment - and puts in all group roles whether inherited or not. This means the

[Yahoo-eng-team] [Bug 1197211] Re: v3 Identity tests do not pass if content type is XML

2014-10-09 Thread Henry Nash
Yep, agreed - I had already told Tahmina to stop work on it. Marking as Won't Fix. ** Changed in: keystone Status: Confirmed => Won't Fix -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.

[Yahoo-eng-team] [Bug 1377840] Re: Keystone LDAP delete user - you are not authorized to perform the requested action

2014-10-06 Thread Henry Nash
Well, with the identity driver set to LDAP there are no user records in Keystone - the LDAP driver basically retrieves the user list from the LDAP server directly. So there are no users to remove without touching LDAP. As the error message says - you need to go to your LDAP server to manage user

[Yahoo-eng-team] [Bug 1375937] [NEW] Downgrade of federation extension can fail due to FKs

2014-09-30 Thread Henry Nash
Public bug reported: In the 001 migration script of federation, we delete the tables in the wrong order - we should delete the federation_protocol table first, otherwise its FKs to the identity provider cause a problem ** Affects: keystone Importance: Medium Assignee: Henry Nash (henry

[Yahoo-eng-team] [Bug 1373865] [NEW] Refactor domain usage in test_backend

2014-09-25 Thread Henry Nash
Public bug reported: The way test_backend uses domains leads to either many of the tests being overridden in test_backend_ldap, or just skipped (leading to a risk that we are not sufficiently testing certain functionality - see bug 1373113 as an example). There is already a construct for

[Yahoo-eng-team] [Bug 1372287] [NEW] Spelling error in keystone/common/utils.py

2014-09-22 Thread Henry Nash
Public bug reported: The make_dirs() method in the utils.py file has a spelling error in the doc string comments, namely: Assure the directory exists and optionally set it's ownership and permissions. It's should be its ** Affects: keystone Importance: Low Assignee: TAHMINA

[Yahoo-eng-team] [Bug 1371499] [NEW] Spelling erros in comments in test_backend_ldap.py

2014-09-19 Thread Henry Nash
Public bug reported: Some minor spelling mistakes could use correcting, namely: # Domain3 has a user created before we switched on # multiple backends, plus one created afterwards - and it's # backend has not changed - so we should fined two. Two mistakes in the same

[Yahoo-eng-team] [Bug 1369180] [NEW] keystone logs for unit tests are too verbose

2014-09-13 Thread Henry Nash
notification. This seems overzealous and wasteful of electrons. We should set the default notification log level to INFO in the tests/core.py to suppress this. ** Affects: keystone Importance: Medium Assignee: Henry Nash (henry-nash) Status: New ** Description changed

[Yahoo-eng-team] [Bug 1362678] Re: multi-domain has problems with LDAP identity on default domain

2014-09-01 Thread Henry Nash
no problem...that's good to hear. ** Changed in: keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1362678 Title: multi-domain has problems with

[Yahoo-eng-team] [Bug 1363750] [NEW] Fix the minor comments made during revue of endpoint policy

2014-08-31 Thread Henry Nash
Public bug reported: There were some minor comments made in the version of the endpoint policy extension that was merged: https://review.openstack.org/#/c/115362/15 This should be tidied up. ** Affects: keystone Importance: Undecided Status: New -- You received this bug

[Yahoo-eng-team] [Bug 1363019] [NEW] test_versions.py is currently breaking pep8 in master

2014-08-29 Thread Henry Nash
Public bug reported: Somehow a set of badly aligned '}' has got into master in test_versions.py, which is causing every patch to fail. This fixes it. ** Affects: keystone Importance: Critical Assignee: Henry Nash (henry-nash) Status: In Progress ** Changed in: keystone

[Yahoo-eng-team] [Bug 1363047] [NEW] test_sql_upgrade and live_test not working for non-sqllite DBs

2014-08-29 Thread Henry Nash
Public bug reported: It appears that our sql upgrade unit tests are broken for DBs that properly support FKs (teardown fails due to FK constraints). I suspect this is because we no longer have the downgrade steps below 034 (since they were squashed). ** Affects: keystone Importance: High

[Yahoo-eng-team] [Bug 1362557] [NEW] Performance of list_projects_for_user impacting keystone

2014-08-28 Thread Henry Nash
Public bug reported: The assignment call list_projects_for_user() is commonly used - not least every time you issue a scoped token. In a test configuration, this method was consuming 36% of all keystone clock time. This call searches the assignments table (which has one row for every assignment)

[Yahoo-eng-team] [Bug 1359608] [NEW] Abstract driver signatures for update catalog entities are wrong

2014-08-21 Thread Henry Nash
Public bug reported: In catalog/core.py, the abstract signatures for a number of the update methods are incorrect and don't match what is actually implemented in the driver ** Affects: keystone Importance: Low Assignee: Henry Nash (henry-nash) Status: New ** Changed

[Yahoo-eng-team] [Bug 1354408] [NEW] Role list in tokens does not match identity-api spec

2014-08-08 Thread Henry Nash
Public bug reported: According to the identity-api specification the list of roles in a scoped token is of the form: roles: [ { id: 76e72a, links: { self: http://identity:35357/v3/roles/76e72a;

[Yahoo-eng-team] [Bug 1354417] [NEW] new_role_ref() in unit tests adds unused attributes

2014-08-08 Thread Henry Nash
Public bug reported: new_role_ref() simply calls new_ref(), which creates an entity with 'id', 'name', 'description' and 'enabled'. Roles should only have 'id' and 'name'. ** Affects: keystone Importance: Wishlist Status: New ** Changed in: keystone Importance: Undecided =

[Yahoo-eng-team] [Bug 1350593] [NEW] Some assertValidListResponse methods incorrectly handle 'description'

2014-07-30 Thread Henry Nash
Public bug reported: 'description' is usually an optional attribute in Entities (e.g. Users, Groups etc.). When testing the List methods of such entities, an assert helper method is often used, e.g. assertValidUserListResponse(). Such an assert will call assertValidEntityResponse, which in turn will

[Yahoo-eng-team] [Bug 1340802] [NEW] test_cache_layer_domain_crud is currently skipped in test_backend_ldap

2014-07-11 Thread Henry Nash
Public bug reported: We should eventually be able to unskip this by either rewriting the test or providing proper support in LDAP ** Affects: keystone Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which

[Yahoo-eng-team] [Bug 1340815] [NEW] Multi-backend domain code/tests could use a bit of tidy up

2014-07-11 Thread Henry Nash
Public bug reported: The multi-domain backend code has a number of tidy-up items that were deferred from the review: - Re-factoring _set_domain_id_and_mapping() in identity/core.py - Potential relaxation of the constraint that user/group membership cannot cross a backend boundary - Corner case

[Yahoo-eng-team] [Bug 1339232] [NEW] Debug logs for unit tests appear to contain some corrupted characters

2014-07-08 Thread Henry Nash
Public bug reported: When running our unit tests as part of jenkins the output files are merged into one output file using subunit. The resulting files appear to contain corrupted characters, e.g.: From a jenkins test: ³+@žS¹_.Ô-

[Yahoo-eng-team] [Bug 1291393] [NEW] domain_id in User/Group/Project should be immutable

2014-03-12 Thread Henry Nash
allow a cloud provider to disable this current update ability…and make the domain_id attribute immutable in the same way we do for the id of the entity. ** Affects: keystone Importance: High Assignee: Henry Nash (henry-nash) Status: New -- You received this bug notification
