[Yahoo-eng-team] [Bug 1614493] Re: openstack endpoint delete failing with error not found

2017-03-26 Thread Rodrigo Duarte
Per the reasons commented by Anishka, marking this as won't fix. ** Changed in: keystone Status: Triaged => Won't Fix -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).

[Yahoo-eng-team] [Bug 1672713] [NEW] Dependency between subsystems at the DB layer

2017-03-14 Thread Rodrigo Duarte
Public bug reported: We should not have dependencies like foreign keys between subsystems in keystone - they might be handled by separate backends! As an example, we currently have foreign keys between the federated_user table and protocol and idp tables [1]. We should drop these foreign keys

[Yahoo-eng-team] [Bug 1662623] [NEW] Testing keystone docs are outdated

2017-02-07 Thread Rodrigo Duarte
://docs.openstack.org/developer/keystone/devref/development_best_practices.html#testing-keystone ** Affects: keystone Importance: Wishlist Assignee: Rodrigo Duarte (rodrigodsousa) Status: Confirmed ** Tags: documentation -- You received this bug notification because you are a member

[Yahoo-eng-team] [Bug 1660603] [NEW] Difference in Implied Roles check API return code

2017-01-31 Thread Rodrigo Duarte
Public bug reported: The Implied Roles check API (HEAD /v3/roles//implies/) returns 200 in Ubuntu Trusty and 204 in Ubuntu Xenial, check the jobs results at [1] (both running latest master): - example of output in ubuntu-trusty job:

[Yahoo-eng-team] [Bug 1657865] Re: It is possible to create cross domain implied roles

2017-01-20 Thread Rodrigo Duarte
Although we can do something like [1], the effective role assignments will be empty because [2]. Looks like this is not a bug after all :) [1] http://paste.openstack.org/show/595788/ [2] https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L675-L691 ** Changed in:

[Yahoo-eng-team] [Bug 1657865] [NEW] It is possible to create cross domain implied roles

2017-01-19 Thread Rodrigo Duarte
Public bug reported: Since we can't assign a project a role from a different domain, it is expected to not create implied roles from different domains as well. For example: * user1 * project1 - domainA * role1 - domainA * role2 - domainB * create an assignment: user1/project1/role1 If we create

[Yahoo-eng-team] [Bug 1654659] [NEW] test_sql_upgrade docstring needs update

2017-01-06 Thread Rodrigo Duarte
Public bug reported: Currently, the docstring at [1] states the usage of the backend_sql.conf file, which isn't used anymore in the tests of the module. Instead, the tests are using oslo.db unit tests base [2]. This doesn't mean the backend_sql.conf file isn't used anywhere else, but that it is

[Yahoo-eng-team] [Bug 1648886] [NEW] OpenStack Identity API doc pointing to specs

2016-12-09 Thread Rodrigo Duarte
Public bug reported: At keystone docs page [1], the OpenStack's Identity API link is pointing to the specs docs [2], not the API. [1] http://docs.openstack.org/developer/keystone/ [2] http://specs.openstack.org/openstack/keystone-specs/ ** Affects: keystone Importance: Undecided

[Yahoo-eng-team] [Bug 1645391] [NEW] mapped auth method not included by default

2016-11-28 Thread Rodrigo Duarte
: Undecided Assignee: Rodrigo Duarte (rodrigodsousa) Status: In Progress -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1645391 Title: mapped auth method

[Yahoo-eng-team] [Bug 1642692] [NEW] Protocol can't be deleted after federated_user is created

2016-11-17 Thread Rodrigo Duarte
Public bug reported: When authenticating a user via federation, a federated_user entry is created in keystone's database, an example of such entry is below: mysql> select * from federated_user;

[Yahoo-eng-team] [Bug 1628692] [NEW] Password history constraints not enforced via /v3/users//password path

2016-09-28 Thread Rodrigo Duarte
Public bug reported: Differently from the /v3/user/ route [1], the /v3/user//password is not enforcing the password history [2]. At [3] we are able to change a password that breaks the password history constraints [1]

[Yahoo-eng-team] [Bug 1613466] [NEW] Update credential to "ec2" type accepts a credential without the project set

2016-08-15 Thread Rodrigo Duarte
Public bug reported: In the credentials API schema validation [1] is mandatory to include a project when creating a credential of the "ec2" type, but we can create a credential from a different type and update it to "ec2" without providing a project [2]. [1]

[Yahoo-eng-team] [Bug 1585652] [NEW] EmptyCatalog not treated during cinderclient creation

2016-05-25 Thread Rodrigo Duarte
Public bug reported: Steps to reproduce == 1 - Get a keystone v3 token using the ?nocatalog param. Example: export TOKEN=`curl -i -k -v -H "Content-type: application/json" -d '{"auth": {"identity": {"methods": ["password"], "password": {"user": {"domain": {"name": "Default"},

[Yahoo-eng-team] [Bug 1571878] [NEW] Add protocol to identity provider using nonexistent mapping

2016-04-18 Thread Rodrigo Duarte
Public bug reported: Currently, it is possible to add a protocol to an identity provider [0] using a nonexistent mapping id. We could add a mapping later using the ID in the previous step, but several errors can occur in between these steps. We might want to enforce steps here: 1 - create idp 2 -

[Yahoo-eng-team] [Bug 1558670] [NEW] Internal server error when updating an identity provider

2016-03-19 Thread Rodrigo Duarte
Public bug reported: Remote IDs for identity providers can not be reused, so during the creation of an identity provider, keystone returns a 409 Conflict when we try to do so. However, the same problem occurs when updating an identity provider and using a remote ID from another registered

[Yahoo-eng-team] [Bug 1425108] Re: private _get_children() in sql backend doesn't support passing None values

2015-11-04 Thread Rodrigo Duarte
This is not a valid situation anymore. ** Changed in: keystone Status: In Progress => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1425108 Title:

[Yahoo-eng-team] [Bug 1459686] [NEW] Give more details about the K2K flow

2015-05-28 Thread Rodrigo Duarte
Public bug reported: Currently, the K2K flow in the config file [1] isn't detailed enough, we should provide at least the next step where we exchange a SAML assertion for an unscoped token from the SP. [1] https://github.com/openstack/keystone/blob/master/doc/source/configure_federation.rst

[Yahoo-eng-team] [Bug 1459683] [NEW] Config federation docs still references SP as regions

2015-05-28 Thread Rodrigo Duarte
Public bug reported: In the session [1], SPs are still referenced as regions. [1] https://github.com/openstack/keystone/blob/master/doc/source/configure_federation.rst#testing-it-all-out ** Affects: keystone Importance: Undecided Assignee: Rodrigo Duarte (rodrigodsousa

[Yahoo-eng-team] [Bug 1459255] [NEW] Fix the docs since Federation is no longer an extension

2015-05-27 Thread Rodrigo Duarte
Public bug reported: Currently we have documentation to enable the Federation extension [1]. Although there are some steps that are no longer needed, some of them need to be executed in order for the functionality to work properly: add the saml2 auth method, install xmlsec1 and pysaml2. These steps

[Yahoo-eng-team] [Bug 1459279] [NEW] Wrong assertion examples in doc

2015-05-27 Thread Rodrigo Duarte
-api-v3-os-federation-ext.rst#generating-assertions ** Affects: keystone Importance: Undecided Assignee: Rodrigo Duarte (rodrigodsousa) Status: In Progress ** Tags: documentation -- You received this bug notification because you are a member of Yahoo! Engineering Team, which

[Yahoo-eng-team] [Bug 1457279] Re: keystoneclient cannot log non-ascii data

2015-05-22 Thread Rodrigo Duarte
This should be targeted to python-keystoneclient ** Project changed: keystone => python-keystoneclient -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1457279 Title: keystoneclient

[Yahoo-eng-team] [Bug 1442787] [NEW] Mapping openstack_user attribute in k2k assertions with different domains

2015-04-10 Thread Rodrigo Duarte
Public bug reported: We can have two users with the same username in different domains. So if we have a User A in Domain X and a User A in Domain Y, there is no way to differ what User A is being used in a SAML assertion generated by this IdP (we have only the openstack_user attribute in the SAML

[Yahoo-eng-team] [Bug 1438915] [NEW] Delete domain operation may have atomicity problems

2015-03-31 Thread Rodrigo Duarte
Public bug reported: This bug was first discussed in the Recursive Deletion spec: https://review.openstack.org/#/c/148730/ Currently, when deleting a domain, all projects inside that domain are also deleted. When we have a hierarchy of projects this may cause inconsistencies since the operations

[Yahoo-eng-team] [Bug 1435487] [NEW] ServiceProviderModel has wrong attributes for auth_url and sp_url

2015-03-23 Thread Rodrigo Duarte
/openstack/keystone/blob/master/keystone/contrib/federation/backends/sql.py#L97-L98 ** Affects: keystone Importance: Undecided Assignee: Rodrigo Duarte (rodrigodsousa) Status: In Progress -- You received this bug notification because you are a member of Yahoo! Engineering Team

[Yahoo-eng-team] [Bug 1434643] [NEW] missing parent_id filter in the API spec for list projects

2015-03-20 Thread Rodrigo Duarte
Public bug reported: Filter by the parent_id is already supported in the code [1], this should be documented in the API spec. [1] https://github.com/openstack/keystone/blob/master/keystone/resource/controllers.py#L210 ** Affects: keystone Importance: Undecided Assignee: Rodrigo Duarte

[Yahoo-eng-team] [Bug 1431377] [NEW] service provider object accepts null values for mandatory fields

2015-03-12 Thread Rodrigo Duarte
Public bug reported: the auth_url and sp_url fields are mandatory in order to provide federated authentication in keystone-to-keystone [1], both fields can be nullable in the service provider database [2]. it is also needed to add this validation in the json schema. [1]

[Yahoo-eng-team] [Bug 1428124] [NEW] Missing tests to list projects by the parent_id

2015-03-04 Thread Rodrigo Duarte
Public bug reported: Although it is possible to perform GET /projects?parent_id=project_id [1], it is not tested. [1] https://github.com/openstack/keystone/blob/master/keystone/resource/controllers.py#L167 ** Affects: keystone Importance: Undecided Assignee: Rodrigo Duarte

[Yahoo-eng-team] [Bug 1426496] [NEW] Create project with invalid domain_id

2015-02-27 Thread Rodrigo Duarte
Assignee: Rodrigo Duarte (rodrigodsousa) Status: In Progress -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1426496 Title: Create project with invalid domain_id Status

[Yahoo-eng-team] [Bug 1425108] [NEW] private _get_children() in sql backend doesn't support passing None values

2015-02-24 Thread Rodrigo Duarte
Public bug reported: The _get_children() method [1] uses the in_ clause, which doesn't support passing None as part of the list (it is not considered). Passing None is a valid situation if we want to query for all root projects in the hierarchy. [1]

[Yahoo-eng-team] [Bug 1425113] [NEW] list_projects_in_subtree() and list_project_parents() accepts invalid values

2015-02-24 Thread Rodrigo Duarte
Public bug reported: The list_projects_in_subtree() and list_project_parents() method accepts invalid values of project_id (such as None and non-existent project_ids). ** Affects: keystone Importance: Undecided Status: New ** Summary changed: - list_projects_in_subtree() accepts

[Yahoo-eng-team] [Bug 1420791] Re: python keystoneclient misreports connection error reason

2015-02-11 Thread Rodrigo Duarte
Redirecting to python-keystoneclient. ** Project changed: keystone => python-keystoneclient -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1420791 Title: python keystoneclient

[Yahoo-eng-team] [Bug 1411625] Re: Keystone not throwing any exception when there is no proper OS credentails.

2015-01-17 Thread Rodrigo Duarte
** Project changed: keystone => python-keystoneclient ** Description changed: When we miss any of the environment variable, Keystone commands do not throw any error, it just simply output nothing. But when we run - nova command it outputs proper error message. So similarly even keystone

[Yahoo-eng-team] [Bug 1397318] [NEW] Wront return code for inherited role checking

2014-11-28 Thread Rodrigo Duarte
* Server Apache/2.4.7 (Ubuntu) is not blacklisted Server: Apache/2.4.7 (Ubuntu) Vary: X-Auth-Token Content-Length: 334 Content-Type: application/json ** Affects: keystone Importance: Undecided Assignee: Rodrigo Duarte (rodrigodsousa) Status: In Progress ** Tags: documentation

[Yahoo-eng-team] [Bug 1395117] [NEW] Create SAML assertion using domain scoped tokens returns 500 (Internal Server Error)

2014-11-21 Thread Rodrigo Duarte
Public bug reported: When using a domain scoped token to request a SAML assertion, Keystone responds with an Internal Server Error. Here is where this condition is handled: https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L279 ** Affects: keystone

[Yahoo-eng-team] [Bug 1384382] [NEW] GET /OS-FEDERATION/saml2/metadata does not work

2014-10-22 Thread Rodrigo Duarte
:SingleSignOnService Binding=urn:oasis:names:tc:SAML:2.0:bindings:URI Location=http://localhost:5000/v3/OS-FEDERATION/saml2/sso; //ns0:IDPSSODescriptor/ns0:EntityDescriptor ** Affects: keystone Importance: Undecided Assignee: Rodrigo Duarte (rodrigodsousa) Status: New

[Yahoo-eng-team] [Bug 1382906] Re: pipe not closed with use of popen

2014-10-19 Thread Rodrigo Duarte
** Changed in: keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1382906 Title: pipe not closed with use of popen Status in OpenStack Identity

[Yahoo-eng-team] [Bug 1369137] [NEW] LIsting groups roles performance

2014-09-13 Thread Rodrigo Duarte
a single API call: GET v3/role_assignments?group.id=group_idscope.project.id=project_id This issue is similar to bug #1278920. ** Affects: horizon Importance: Undecided Assignee: Rodrigo Duarte (rodrigodsousa) Status: In Progress ** Changed in: horizon Assignee