[Yahoo-eng-team] [Bug 1259646] [NEW] Clean up ML2 Manager

2013-12-10 Thread Lance Bragstad
Public bug reported: Some things need cleanup in the ML2Manager. 1.) In the current ML2 Manager, we are using sys.exit(1) if the network_type isn't found in self.drivers: https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/managers.py#L70 Here we should probably throw an

[Yahoo-eng-team] [Bug 1269157] [NEW] Notifications wrapper doesn't work with Trusts Keystone resource

2014-01-14 Thread Lance Bragstad
Public bug reported: When implementing Keystone notifications for Trusts, an IndexError is returned saying 'tuple index out of range'. http://paste.openstack.org/show/61217/ This causes notification to fail when creating trusts in Keystone. I believe the reason why args isn't indexable is

[Yahoo-eng-team] [Bug 1274367] [NEW] Nova boot on PowerKVM fails when video type is set to 'cirrus'

2014-01-29 Thread Lance Bragstad
Public bug reported: When deploying to a compute node hosted on a PowerKVM system, nova boots fail to spawn when video type is set to 'cirrus' in the XML definition. This is the default value set and was a part of this blueprint: https://blueprints.launchpad.net/nova/+spec/libvirt-video-driver-

[Yahoo-eng-team] [Bug 1276930] [NEW] assertGreater fails python 2.6 tests

2014-02-05 Thread Lance Bragstad
Public bug reported: According to the logs on this patch https://review.openstack.org/#/c/69084/7/keystone/tests/test_notifications.py http://logs.openstack.org/84/69084/7/check/gate-keystone-python26/19095a9/console.html assertGreater will not pass on python 2.6. Looks like it was new in

[Yahoo-eng-team] [Bug 1277583] [NEW] python-sqlalchemy version inconsistent between projects

2014-02-07 Thread Lance Bragstad
Public bug reported: When installing OpenStack on Fedora 19 or later, installation can fail due to different capped versions of python-sqlalchemy. Keystone and Neutron both require versions under 8: https://github.com/openstack/keystone/blob/master/requirements.txt#L12 (being addressed by

[Yahoo-eng-team] [Bug 1278738] [NEW] trusts in keystone fail in driver when impersonation is not provided

2014-02-11 Thread Lance Bragstad
Public bug reported: When creating trusts in Keystone, if 'impersonation' is not provided Keystone fails out in the backend code. This should probably be handled at the controller level to be consistent across all backends. lbragstad@precise64:~/curl-examples$ cat create_trust.json { trust: {

[Yahoo-eng-team] [Bug 1278739] [NEW] trusts in keystone fail in backend when impersonation is not provided

2014-02-11 Thread Lance Bragstad
Assignee: Lance Bragstad (ldbragst) Status: In Progress ** Tags: trusts v3 ** Summary changed: - trusts in keystone fail in driver when impersonation is not provided + trusts in keystone fail in backend when impersonation is not provided ** Description changed: When creating trusts

[Yahoo-eng-team] [Bug 1362291] [NEW] Project creation attributes in Identity API are inconsistent with implementation

2014-08-27 Thread Lance Bragstad
Public bug reported: The Identity API lists `domain_id` as an optional attribute when creating a project. If a `domain_id` is optional, it can be supplied in the request as a valid id string, supplied in the request with value None, or not supplied in the request at all. Currently, the Keystone

[Yahoo-eng-team] [Bug 1362291] Re: Project creation attributes in Identity API are inconsistent with implementation

2014-08-27 Thread Lance Bragstad
The implementation does make sure a `domain_id` is supplied in the project reference: https://github.com/openstack/keystone/blob/f4f0bdf092edf7ba6e74019f5524629fd2ad85ce/keystone/assignment/controllers.py#L399 This invalidates this bug since the user doesn't *have* to specify a `domain_id` in the

[Yahoo-eng-team] [Bug 1362344] [NEW] Tests for Trusts don't actually test the roles provided in the trust reference

2014-08-27 Thread Lance Bragstad
Public bug reported: The tests for Trusts leverage the test_v3.py module and are housed in test_v3_auth.py. These tests use the new_trust_ref() provided in test_v3.py to build new trust references [1]. The new_trust_ref method is supposed to go through and build a list of role ids that can be used

[Yahoo-eng-team] [Bug 1358243] Re: LDAP Critical extension is unavailable 500 error

2014-09-04 Thread Lance Bragstad
** Also affects: keystone/icehouse Importance: Undecided Status: New ** Tags added: icehouse-backport-potential -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1358243 Title:

[Yahoo-eng-team] [Bug 1308252] Re: No way to get extensions using V3 API

2014-09-04 Thread Lance Bragstad
being superseded by json-home: https://github.com/openstack/keystone-specs/blob/master/specs/juno/json-home.rst ** Changed in: keystone Status: In Progress => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to

[Yahoo-eng-team] [Bug 1329891] Re: Keystone Not Able to Add Users to AD/Ldap and OpenLdap due to BAD_ATT_SYNTAX (Invalid DN syntax)

2014-09-15 Thread Lance Bragstad
From bug 1340041 there has been a fix merged to handle the attribute mapping [1]. Sam, I'd suggest recreating with that patch to see if that part of your issue is resolved. As for the write access to AD, I think Nathan's comment above helps clarify that situation/use case. [1]

[Yahoo-eng-team] [Bug 1370022] Re: Keystone cannot cope with being behind an SSL terminator for version list

2014-09-16 Thread Lance Bragstad
Andrey, you'll need to set 'https' in your keystone configuration in order to use SSL with Keystone. Maybe we can look for an opportunity to improve the documentation. ** Changed in: keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo!

[Yahoo-eng-team] [Bug 1348820] [NEW] Token issued_at time changes on /v3/auth/token GET requests

2014-07-25 Thread Lance Bragstad
Public bug reported: Steps to recreate 1.) Generate a v2.0 token http://pasteraw.com/37q9v3y80tlydltujo7vwfk7gcabggf 2.) Pull token from the body of the response and use the /v3/auth/tokens/ GET api call to verify the token http://pasteraw.com/3oycofc541dil3d7hkzhihlcxlthqg4 Notice that the

[Yahoo-eng-team] [Bug 1328501] Re: start of keystone not possible when use_syslog=True but syslog is not accessible/running

2014-07-30 Thread Lance Bragstad
Steps to reproduce 1.) set use_syslog=true in keystone.conf 2.) make sure rsyslog(syslog) process is not running 3.) restart Keystone http://paste.openstack.org/show/89191/ ** Also affects: oslo Importance: Undecided Status: New -- You received this bug notification because you are

[Yahoo-eng-team] [Bug 1355125] Re: keystonemiddleware appears not to hash PKIZ tokens

2014-08-11 Thread Lance Bragstad
** Description changed: - It looks like Keystone hashes only PKI tokens - https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token.py#L1399 - and test test_verify_signed_token_raises_exception_for_revoked_pkiz_token in

[Yahoo-eng-team] [Bug 1284972] [NEW] Creating a region using V3 api fails in backend code when missing description

2014-02-25 Thread Lance Bragstad
Public bug reported: When creating a region using the V3 API, the request fails out in the backend code. This check should be handled in the controller/manager like it does for other resources (federation does this -

[Yahoo-eng-team] [Bug 1273988] Re: keystoneclient requires --pass to create user while keystone doesn't

2014-05-19 Thread Lance Bragstad
I don't think this is necessarily a Keystone bug since it is following the Identity API spec, which defines 'password' as an optional parameter when creating a user. python-keystoneclient V3 also follows the Identity API V3 spec according to this code: https://github.com/openstack/python-

[Yahoo-eng-team] [Bug 1321298] [NEW] Periodic task cause errors in _finish_resize

2014-05-20 Thread Lance Bragstad
Public bug reported: In the event that an end user sets resize_confirm_window to something small (say 1 in this example) there is a possibility that the periodic task can run in nova/compute/manager.py:ComputeManager._finish_resize() after the migration has been updated but before the instances

[Yahoo-eng-team] [Bug 1384409] Re: UnicodeDecodeError when trying to create a user with DEBUG logging turned on

2014-10-23 Thread Lance Bragstad
I can reproduce, but I think this will have to go into o-i before we can sync the fix to Keystone. ** Changed in: keystone Status: New => Confirmed ** Changed in: keystone Importance: Undecided => Low ** Changed in: keystone Status: Confirmed => Triaged ** Also affects:

[Yahoo-eng-team] [Bug 1386562] Re: keystone did not start (ImportError: Class TemplatedCatalog cannot be found)

2014-10-28 Thread Lance Bragstad
This fix should pertain to Devstack only as it is a way to deploy Keystone. The change to Devstack looks good and marking as invalid for Keystone. ** Changed in: keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team,

[Yahoo-eng-team] [Bug 1398165] [NEW] Unable to update a region description to None

2014-12-01 Thread Lance Bragstad
Public bug reported: The region table doesn't allow for nullable descriptions [1] . The catalog Manager checks if region['description'] is set in the request and if the user hasn't provided a description for the region, the Manager will set it to an empty string [2]. If the user creates a region

[Yahoo-eng-team] [Bug 1400565] [NEW] ValueError when running Keystone tests

2014-12-08 Thread Lance Bragstad
Public bug reported: When running the Keystone tests against the latest master branch I get the following error: ${PYTHON:-python} -m subunit.run discover -t ./ ./keystone/tests --load-list /tmp/user/1000/tmpAaHUxr No handlers could be found for logger keystone.catalog.core Traceback (most

[Yahoo-eng-team] [Bug 1403509] [NEW] Test cases in test_content_types.py assert 200 on POST operations

2014-12-17 Thread Lance Bragstad
Public bug reported: When adding a positive test case to keystone/tests/test_content_types.py it was discovered that several test cases in that module assert 200 OK response codes for POST operations [1]. According to the v2.0 API documentation, POST operations should result in a 201 Created

[Yahoo-eng-team] [Bug 1405041] Re: test report a bug

2014-12-23 Thread Lance Bragstad
** Changed in: keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1405041 Title: test report a bug Status in OpenStack Identity (Keystone): Invalid

[Yahoo-eng-team] [Bug 933565] Re: GET /users/{user_id}/roles not implemented

2015-02-09 Thread Lance Bragstad
** Changed in: keystone Status: In Progress => Won't Fix -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/933565 Title: GET /users/{user_id}/roles not implemented Status in

[Yahoo-eng-team] [Bug 1421300] Re: Keystone CRITICAL : Empty Module Name (driver)

2015-02-12 Thread Lance Bragstad
This looks like a keystone bug versus a python-keystoneclient bug. ** Also affects: keystone Importance: Undecided Status: New ** No longer affects: python-keystoneclient -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to

[Yahoo-eng-team] [Bug 1433311] [NEW] Fernet tokens current don't support token bind

2015-03-17 Thread Lance Bragstad
Public bug reported: If you run test_v3_auth.py:TestAuth test cases against a Fernet token setup, the following tests will fail: keystone.tests.unit.test_v3_auth.TestFernetTokenProviderStuff.test_v2_v3_bind_token_intermix

[Yahoo-eng-team] [Bug 1433331] [NEW] Collapse Fernet specific tests into test_v3_auth.py TestAuth

2015-03-17 Thread Lance Bragstad
Public bug reported: When the Fernet token implementation landed, it was introduced with its own testing layer [1]. These tests were designed to model the behavior specific to Fernet tokens. Fernet tokens should have the same V3 behavior as the rest of the token providers available in Keystone,

[Yahoo-eng-team] [Bug 1428829] [NEW] Fernet tokens don't return audit_ids

2015-03-05 Thread Lance Bragstad
Public bug reported: The Fernet token formatters accidentally pop the audit_ids from the token_data [1]. The audit_ids shouldn't be removed from the token_data because we need them in the response. [1]

[Yahoo-eng-team] [Bug 1423973] [NEW] Use choices from oslo_config

2015-02-20 Thread Lance Bragstad
Public bug reported: Support went into oslo_config recently that will allow us to use the choices keyword argument from argparse [1]. We should look at leveraging this in Keystone. [1]

[Yahoo-eng-team] [Bug 1402628] Re: Keystone does a select * from assignment table even if a filter is provided in the URL.

2015-03-18 Thread Lance Bragstad
*** This bug is a duplicate of bug 1359231 *** https://bugs.launchpad.net/bugs/1359231 ** This bug has been marked a duplicate of bug 1359231 List role assignments filters performance -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is

[Yahoo-eng-team] [Bug 1461183] [NEW] keystone/tests/unit/test_v3.py:RestfulTestCase.load_sample_data still uses the assignment_api

2015-06-02 Thread Lance Bragstad
Public bug reported: All test classes that inherit keystone/tests/unit/test_v3.py:RestfulTestCase run a load_sample_data method [0]. This method creates some sample data to test with and it still uses the assignment API, which has been deprecated. This method should be refactored to use the

[Yahoo-eng-team] [Bug 1465922] Re: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled

2015-06-17 Thread Lance Bragstad
I believe the same is true in Keystone based on what Jeremy has linked above. ** Changed in: keystone Status: New => Won't Fix -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.

[Yahoo-eng-team] [Bug 1459382] [NEW] Fernet tokens can fail with LDAP identity backends

2015-05-27 Thread Lance Bragstad
/e5f2d88e471ac3595c4ea0e28f27493687a87588/keystone/token/providers/fernet/token_formatters.py#L509 [2] http://lists.openstack.org/pipermail/openstack/2015-May/012885.html ** Affects: keystone Importance: High Assignee: Lance Bragstad (lbragstad) Status: In Progress ** Tags: fernet

[Yahoo-eng-team] [Bug 1471967] [NEW] Fernet unit tests do not test persistence logic

2015-07-06 Thread Lance Bragstad
Importance: Undecided Assignee: Lance Bragstad (lbragstad) Status: In Progress ** Tags: fernet test-improvement -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1471967

[Yahoo-eng-team] [Bug 1482773] Re: H405 violations: multi line docstring summary not separated with an empty line

2015-10-21 Thread Lance Bragstad
** Also affects: keystonemiddleware Importance: Undecided Status: New ** Changed in: keystonemiddleware Importance: Undecided => Low -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.

[Yahoo-eng-team] [Bug 1513538] [NEW] Remove SQL's datetime format inplace of integer timestamps

2015-11-05 Thread Lance Bragstad
Public bug reported: Keystone's current schema uses SQL's DATETIME format. Depending on the version of SQL, it may or may not support sub-second accuracy/precision. We should replace keystone's use of DATETIME with an integer timestamp. With integer timestamps we can support sub-second accuracy

[Yahoo-eng-team] [Bug 1513541] [NEW] Support sub-second accuracy in Fernet's creation timestamp

2015-11-05 Thread Lance Bragstad
Public bug reported: The fernet token provider has sub-second format, but it is currently truncated to .00Z. This is because the library (pyca/cryptography [0]) that keystone relies on for generating fernet tokens uses integer timestamps instead of floats, which loses sub-second accuracy. We

[Yahoo-eng-team] [Bug 1512305] Re: keystone api-site is out of date

2015-11-05 Thread Lance Bragstad
Marking this as invalid based on Steve's comment. If there are things that need to be addressed in http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3.html we can either reopen this bug, or better yet, open a separate bug that is specific to the issue. ** Changed in:

[Yahoo-eng-team] [Bug 1473567] Re: Fernet tokens fail tempest runs

2015-10-05 Thread Lance Bragstad
** Also affects: tempest Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1473567 Title: Fernet tokens fail tempest runs Status in Keystone:

[Yahoo-eng-team] [Bug 1278739] Re: trusts in keystone fail in backend when impersonation is not provided

2015-08-26 Thread Lance Bragstad
fixed by - https://review.openstack.org/#/c/104066/ ** Changed in: keystone Milestone: None => 2015.1.0 ** Changed in: keystone Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to

[Yahoo-eng-team] [Bug 1491926] [NEW] Remove padding from Fernet tokens

2015-09-03 Thread Lance Bragstad
Public bug reported: In bug 1433372, we determined that we should percent encode Fernet tokens, because the padding characters (=) aren't considered URL safe by some RFCs. We also fail some tempest tests because clients sometimes decode or encode responses [0]. We should just remove the padding,

[Yahoo-eng-team] [Bug 1433372] Re: Fernet tokens with base64 padding are not URL-safe

2015-09-03 Thread Lance Bragstad
Closing in favor of a keystone fix - https://bugs.launchpad.net/keystone/+bug/1491926 ** Changed in: keystonemiddleware Status: In Progress => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.

[Yahoo-eng-team] [Bug 1491916] [NEW] Improve IdP Specific WebSSO docs

2015-09-03 Thread Lance Bragstad
Public bug reported: With the liberty-3 deadline fast approaching, the following documentation patch was merged with some outstanding comments. https://review.openstack.org/#/c/218353/ The WebSSO docs should be overhauled to provide a better user experience. ** Affects: keystone

[Yahoo-eng-team] [Bug 1501032] [NEW] incorrect method list is returned when scoping tokens with federation

2015-09-29 Thread Lance Bragstad
Public bug reported: In keystone, when a user gets an unscoped token using a password and their username, the unscoped token response contains a method list. This method list will consist of ['password'], since it was the method used to obtain the token. When the user goes to scope their unscoped

[Yahoo-eng-team] [Bug 1521805] Re: Exceeding max password length of 4096 doesn't prompt error

2015-12-02 Thread Lance Bragstad
Hi Karan, You should be able to enforce strict password checking in keystone [0]. The strict_password_check should pull in the max_password_length value in its check [1]. Strict password checking isn't enabled by default. Try enabling that in your test and see if that helps. I was able to create

[Yahoo-eng-team] [Bug 1521772] Re: List users in a group by name throws HTTP 500 error

2015-12-03 Thread Lance Bragstad
** Also affects: keystone/liberty Importance: Undecided Status: New ** Tags added: liberty-backport-potential -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).

[Yahoo-eng-team] [Bug 1521809] Re: No checkpoint if email address entered for user is in email format or not

2015-12-03 Thread Lance Bragstad
Karan, Valid point, when we first implemented the jsonschema validation layer on keystone, we attempted to validate email addresses on user create/update requests. The functionality for doing this already exists in jsonschema. The reason we didn't was because the default keystone identity backend

[Yahoo-eng-team] [Bug 1520735] Re: Password should be mandatory else user can't execute any command

2015-12-03 Thread Lance Bragstad
Hi Karan, Keystone doesn't require passwords on user creation because the authentication methods used by keystone are configurable [0]. It is possible for a keystone deployment to use another authentication method in-place of traditional password authentication. Because we can't guarantee the way

[Yahoo-eng-team] [Bug 1522616] [NEW] It's possible to disable the default domain through domain update API

2015-12-03 Thread Lance Bragstad
Public bug reported: We currently forbid the ability of deleting the default domain [0] (or at least make it really hard to do so). There is nothing in the update domain flow that protects against disabling the default domain. We should add the same check to prevent someone from accidentally

[Yahoo-eng-team] [Bug 1523664] [NEW] Token operations fail when fernet key repository isn't writeable

2015-12-07 Thread Lance Bragstad
Public bug reported: When using fernet tokens, I'm unable to get a token if the key_repository isn't writeable [0]. The main keystone process is only required to read keys from the key repository. The keystone-manage process must have write access to the key repository in order to bootstrap keys.

[Yahoo-eng-team] [Bug 1532280] [NEW] Fernet trust token is still valid when user's domain is disabled.

2016-01-08 Thread Lance Bragstad
Public bug reported: When you have a Fernet trust-scoped token, and the user's domain is disabled, the token is still valid. This is inconsistent with the behavior of the UUID token provider. Part of the fix has already been incorporated into a patch up for review [0], it was discovered by

[Yahoo-eng-team] [Bug 1533330] [NEW] Some protection test cases have incorrect domain id setup

2016-01-12 Thread Lance Bragstad
Public bug reported: The IdentityTestv3CloudPolicySample test class has its own setup method, similar to other test classes. The setup method for IdentityTestv3CloudPolicySample loads in sample data that can be used throughout the tests in the module. However, the

[Yahoo-eng-team] [Bug 1533794] [NEW] Fernet v2 token response doesn't match v2 uuid token responses

2016-01-13 Thread Lance Bragstad
Public bug reported: There are several tests in keystone/tests/unit/test_auth.py that fail when Fernet is the default token provider [0]. The following is a scoped token with UUID as the token provider: http://cdn.pasteraw.com/risvg2ggcueuaobl7echlefanezuto0 The following is a scoped token

[Yahoo-eng-team] [Bug 1534252] [NEW] fernet tokens don't support oauth1 authentication

2016-01-14 Thread Lance Bragstad
Public bug reported: The fernet token provider doesn't issue or validate oauth1 token types. ** Affects: keystone Importance: Undecided Status: New ** Tags: fernet ** Tags added: fernet -- You received this bug notification because you are a member of Yahoo! Engineering Team,

[Yahoo-eng-team] [Bug 1543321] [NEW] Trusts on v2.0 are undocumented

2016-02-08 Thread Lance Bragstad
Public bug reported: The trust extension, at the time targeted version 3. It was never implemented to *not* work against v2.0. We don't document this anywhere and we support it. We should either officially support it or remove support for trust authentication in v2.0. ** Affects: keystone

[Yahoo-eng-team] [Bug 1555187] Re: keystone fails to start in kilo due to pysaml2 4.0.4 release

2016-03-09 Thread Lance Bragstad
** Also affects: keystone/kilo Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1555187 Title: keystone fails to start in

[Yahoo-eng-team] [Bug 1561054] [NEW] Make Fernet the default token provider

2016-03-23 Thread Lance Bragstad
Public bug reported: The fernet token provider should be the default token provider in Keystone. This will allow the keystone development team to deprecate all other token providers in keystone and massively simplify the token provider API. ** Affects: keystone Importance: Wishlist

[Yahoo-eng-team] [Bug 1577558] [NEW] v2.0 fernet tokens audit ids are inconsistent

2016-05-02 Thread Lance Bragstad
Public bug reported: If you set the token provider to token.provider = fernet, get an unscoped token from v2.0, then rescope that token to a project, you'll notice the audit ids don't match. I've recreated this issue in a test [0]. What should happen is that the unscoped token response will have

[Yahoo-eng-team] [Bug 1523664] Re: Token operations fail when fernet key repository isn't writeable

2016-05-10 Thread Lance Bragstad
** Also affects: keystone/liberty Importance: Undecided Status: New ** Changed in: keystone/liberty Status: New => In Progress ** Changed in: keystone/liberty Assignee: (unassigned) => Lance Bragstad (lbragstad) -- You received this bug notification becau

[Yahoo-eng-team] [Bug 1570158] Re: memcache pool reap issue (stable/liberty)

2016-04-14 Thread Lance Bragstad
Matt, are you able to recreate this with master or mitaka? ** Also affects: keystone/liberty Importance: Undecided Status: New ** Summary changed: - memcache pool reap issue (stable/liberty) + memcache pool reap issue -- You received this bug notification because you are a member of

[Yahoo-eng-team] [Bug 1607553] [NEW] Revocation event caching is broken

2016-07-28 Thread Lance Bragstad
Public bug reported: It seems the caching of revocation events is broken. I have a devstack stood up with fernet tokens enabled. If I run tempest.api.identity.admin.v3.test_tokens.TokensV3TestJSON.test_tokens with revocation event caching and fernet enabled, the test fails consistently [0]. This

[Yahoo-eng-team] [Bug 1433331] Re: Collapse Fernet specific tests into test_v3_auth.py TestAuth

2016-08-01 Thread Lance Bragstad
I think this can be closed now since a bunch of fixes landed to make fernet the default [0]. The TestFernetTokenProvider class has been refactored in master and no longer exists. It has been replaced with Fernet test classes that inherit tests from general test classes. [0]

[Yahoo-eng-team] [Bug 1579604] Re: project delete returns 501 NotImplemented with templated catalog

2016-07-08 Thread Lance Bragstad
** Also affects: keystone/mitaka Importance: Undecided Status: New ** Changed in: keystone/mitaka Importance: Undecided => High ** Changed in: keystone/mitaka Status: New => Confirmed ** Changed in: keystone/mitaka Assignee: (unassigned) => Sam Morrison (sorrison) --

[Yahoo-eng-team] [Bug 1599546] [NEW] Make validation patterns configurable

2016-07-06 Thread Lance Bragstad
Public bug reported: Keystone now treats configuration like a module, making it easier to enforce import order without race conditions[0]. There are a few TODOs to make certain validation patterns configurable. With the way configuration was being handled before, we were unable to import values

[Yahoo-eng-team] [Bug 1614154] [NEW] Hints with values of None seem to be broken

2016-08-17 Thread Lance Bragstad
Public bug reported: The Hints object allows developers to construct filters to query the backend for specific entries. For example, I can ask the backend to give me a list of entities that match a specific criteria: hints = driver_hints.Hints() hints.add_filter('key_hash', primary_key_hash)

[Yahoo-eng-team] [Bug 1662762] Re: Authentication for LDAP user fails at MFA rule check

2017-02-08 Thread Lance Bragstad
** Description changed: I have a openstack master with LDAP server configured (fernet token provider). With the new changes around MFA rules (https://blueprints.launchpad.net/keystone/+spec/per-user-auth-plugin-reqs), I see that the authentication (POST /token) call fails at -

[Yahoo-eng-team] [Bug 1291157] Re: idp deletion should trigger token revocation

2017-01-27 Thread Lance Bragstad
I'm not sure https://review.openstack.org/#/c/414720/29 completely fixes the issue. I don't think that patch (list federated attributes for users) adds a revocation event of any kind when an Identity Provider is deleted. There are a couple proposed solutions that have been abandoned that we can pick

[Yahoo-eng-team] [Bug 1667879] Re: install Error

2017-03-01 Thread Lance Bragstad
** Changed in: keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1667879 Title: install Error Status in OpenStack Identity

[Yahoo-eng-team] [Bug 1620722] [NEW] @property methods in Managers are cached

2016-09-06 Thread Lance Bragstad
Public bug reported: When working on the credential encryption spec, I found that one of the @property methods in the implementation was having its value cached. Typical @property methods should be run every time they are called. This was not the case in the credential encryption implementation

[Yahoo-eng-team] [Bug 1622010] [NEW] MySQL rounds timestamps

2016-09-09 Thread Lance Bragstad
Public bug reported: It was known that MySQL would *truncate* datetimes before inserting them. In the process of debugging issues with making fernet the default, I found that MySQL will actually *round* in some cases. To create I did the following: 1.) Stand up a fresh devstack 2.) Switch `CONF

[Yahoo-eng-team] [Bug 1630259] Re: KeyError: 'is_domain' during mitaka -> newton rolling upgrade

2016-10-05 Thread Lance Bragstad
Actually - I accidentally opened this up for Newton. I just realized that we'll be rolling another RC. ** Also affects: keystone/newton Importance: Undecided Status: New ** Changed in: keystone/newton Status: New => Invalid -- You received this bug notification because you are

[Yahoo-eng-team] [Bug 1627085] [NEW] The belongsTo query parameters for v2.0 is broken

2016-09-23 Thread Lance Bragstad
Public bug reported: Apparently the v2.0 API has a query parameter that allows you to check if a token belongs to a tenant by passing the tenant name in the query parameter. Our tests ensure that the functionality is broken [0]. The assertion in the test assumes that you can pass the tenant name

[Yahoo-eng-team] [Bug 1625619] Re: It is possible to download key pair for other user at the same project

2016-10-03 Thread Lance Bragstad
Based on the comments above, specifically comment #10, I think we can mark this as Invalid from a keystone perspective. If future information proves otherwise - we can reopen. ** Changed in: keystone Status: New => Incomplete ** Changed in: keystone Status: Incomplete => Invalid

[Yahoo-eng-team] [Bug 1391504] Re: Sample policies for Openstack

2016-10-03 Thread Lance Bragstad
The various projects have touched on this at previous summits and one of the items to come out of those discussions was a cross-project spec [0]. A cross-project spec seems like a more appropriate way to track this amount of work across several projects. [0]

[Yahoo-eng-team] [Bug 1433311] Re: Fernet tokens don't support token bind

2016-11-15 Thread Lance Bragstad
We now have fernet as keystone's default token provider and no one has specifically requested support for bind. I think we're safe to move this to Won't Fix. ** Changed in: keystone Status: Triaged => Won't Fix -- You received this bug notification because you are a member of Yahoo!

[Yahoo-eng-team] [Bug 1460492] Re: List credentials by type

2016-10-11 Thread Lance Bragstad
I think this could be marked as Fix Released for openstackclient. The implementation [0] landed several months ago but it was never tagged against this bug. [0] https://github.com/openstack/python-openstackclient/commit/15d3717e733aec9e8b6526a1abffd62f2da1e32b ** Changed in:

[Yahoo-eng-team] [Bug 1646563] Re: Allow user specify custom project ID on project create

2016-12-07 Thread Lance Bragstad
We spent a good portion of our last meeting discussing this issue as a group [0]. The outcome was that folks would try the implementation locally before we accept the API change. As a group, we wanted feedback on how it would work in a deployment. We should continue to use this as a forum for

[Yahoo-eng-team] [Bug 1647800] [NEW] keystone-manage bootstrap isn't completely idempotent

2016-12-06 Thread Lance Bragstad
Public bug reported: The keystone-manage bootstrap command was designed to be idempotent. Most everything in the bootstrap command is wrapped with a try/except to handle cases where specific entities already exist (i.e. there is already an admin project or an admin user from a previous bootstrap

[Yahoo-eng-team] [Bug 1655013] Re: double assignment of user to group does not give error

2017-01-11 Thread Lance Bragstad
Hi Martin, I agree that the feedback could be a bit better when a user is already a member of a specific group, but I'm not sure an error would be the best approach. Since we already return a 204 No Content response when a user is added to a group (or added when they are already a member). If we

[Yahoo-eng-team] [Bug 1656026] [NEW] Exception don't follow a punctuation convention

2017-01-12 Thread Lance Bragstad
Public bug reported: If you happen to take a look through the keystone exception module [0], you'll notice that some of the exceptions use proper punctuation, while others do not. David Stanek mentioned this in a review [1], and we thought it was appropriate to track it as a low-hanging-fruit bug. We

[Yahoo-eng-team] [Bug 1644862] Re: domain ldap tls_cacertfile "forgotten" in multidomain configuration

2016-11-29 Thread Lance Bragstad
Are you able to recreate this using Newton or master? ** Also affects: keystone/mitaka Importance: Undecided Status: New

[Yahoo-eng-team] [Bug 1654613] [NEW] OS-EP-FILTER documentation is incorrect

2017-01-06 Thread Lance Bragstad
Public bug reported: The examples in the OS-EP-FILTER documentation aren't exactly accurate [0]. The documentation could also benefit from some rewording and fresh examples. The following could be fixed: - filtering by `region` isn't allowed, we should tell people to use `region_id` - the

[Yahoo-eng-team] [Bug 1674415] Re: keystone exception messages are not translating when locale is passed

2017-03-27 Thread Lance Bragstad
** Also affects: keystone/ocata Importance: Undecided Status: New ** Changed in: keystone/ocata Status: New => In Progress ** Changed in: keystone/ocata Importance: Undecided => Medium ** Changed in: keystone/ocata Assignee: (unassigned) => prashkre (prashkre) -- You

[Yahoo-eng-team] [Bug 1681348] Re: keystone list project api returns empty if "?name=" is added as url parameter

2017-04-11 Thread Lance Bragstad
If you're looking for all projects a user has access to, we have a dedicated API for that per Kristi's comment: GET http://{keystone_url}/v3/auth/projects Feel free to re-open this if you believe this behavior is causing a bug of some sort. ** Changed in: keystone Status: New =>

[Yahoo-eng-team] [Bug 1675822] Re: Allow policy actions in code to be importable for RBAC testing

2017-04-04 Thread Lance Bragstad
** Changed in: keystone Status: Fix Released => Fix Committed -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1675822 Title: Allow policy actions in code to

[Yahoo-eng-team] [Bug 1680289] Re: Keystone logs fernet token when token is invalid

2017-04-06 Thread Lance Bragstad
As far as I know, that specific case is only for tokens that are invalid and the cryptography library is unable to decrypt them (the cases where InvalidToken is raised from decrypt [0].) If a token is considered invalid from the cryptography library, it's actually not decipherable. Logging the

[Yahoo-eng-team] [Bug 1645910] Re: Trust creation for SSO users fails in assert_user_enabled

2017-03-07 Thread Lance Bragstad
With https://review.openstack.org/#/c/399684/ implemented, this should no longer be an issue. Federated users should resolve to a domain, and in the default case, the domain of the identity provider. This is the behavior as of the Ocata release. ** Changed in: keystone Status: In Progress

[Yahoo-eng-team] [Bug 1511775] Re: Revoking a role revokes the unscoped token for a user

2017-03-10 Thread Lance Bragstad
I've attempted to recreate this locally after we merged a fix [0] for a similar bug [1]. I was not able to recreate this with the latest code in master (eed29f236e251007093ae1fe29185eddbef8497d). I'm going to close this, but feel free to continue using this report for discussion as necessary.

[Yahoo-eng-team] [Bug 1671887] [NEW] Revocation API is used in places where where it doesn't need to be

2017-03-10 Thread Lance Bragstad
Public bug reported: Since keystone now validates UUID and Fernet tokens the same way - by rebuilding the token context at validation time, we no longer need to persist certain types of revocation events. For example, a revocation event is persisted when a role is deleted. This is no longer

[Yahoo-eng-team] [Bug 1670380] [NEW] GET /v3/auth/catalog/ docs are out of sync

2017-03-06 Thread Lance Bragstad
Public bug reported: The api-ref for GET /v3/auth/catalog/ says that a successful call returns a `204 No Content` [0]. Testing with the latest master we return `200 OK`. We should update the documentation to say we return `200 OK` instead of `204 No Content`. I think this was a bad copy/paste

[Yahoo-eng-team] [Bug 1670382] [NEW] [ldap]/group_members_are_ids isn't a whitelisted option

2017-03-06 Thread Lance Bragstad
Public bug reported: If you're using the domain config api via `keystone-manage domain_config_upload`, it will fail because [ldap]/group_members_are_ids isn't in the whitelisted options [0]. There doesn't seem to be a valid case to not have `CONF [ldap] group_members_are_ids` in the whitelist, as it

[Yahoo-eng-team] [Bug 1707246] [NEW] Configuration guide references configuration options for policy instead of sample policy file

2017-07-28 Thread Lance Bragstad
Public bug reported: The configuration guide document should contain all information for configuration options, as well as sample policy files. Keystone's configuration section uses the wrong directive, which results in the configuration options being rendered where the sample policy file should

[Yahoo-eng-team] [Bug 1704205] Re: GET /v3/role_assignments?effective_names API fails with unexpected 500 error

2017-08-02 Thread Lance Bragstad
** Also affects: keystone/ocata Importance: Undecided Status: New ** Changed in: keystone/ocata Status: New => In Progress ** Changed in: keystone/ocata Importance: Undecided => Low ** No longer affects: keystone/ocata

[Yahoo-eng-team] [Bug 1709801] Re: Domain scope auth fails when use endpoint filter

2017-08-10 Thread Lance Bragstad
The EndpointFilter catalog was removed in Pike [0] and the issue isn't reproducible in stable/ocata. [0] https://github.com/openstack/keystone/commit/d35f36916e109f0d2557bb778424e7aee3bc6b31 ** Also affects: keystone/newton Importance: Undecided Status: New ** Also affects:

[Yahoo-eng-team] [Bug 1511775] Re: Revoking a role revokes the unscoped token for a user

2017-08-09 Thread Lance Bragstad
** Changed in: keystone Status: In Progress => Invalid ** Changed in: keystone Assignee: Lance Bragstad (lbragstad) => (unassigned)

[Yahoo-eng-team] [Bug 1643301] Re: bootstrapping keystone failed when LDAP backend is in use

2017-08-11 Thread Lance Bragstad
This was discussed with Colleen and Kristi in IRC [0]. The following was proposed - write a patch so that devstack always configures sql as the identity backend - when ldap is set as KEYSTONE_IDENTITY_BACKEND, ensure it's done in a domain-specific way - write a patch so keystone fails

[Yahoo-eng-team] [Bug 1687593] Re: Create OAUTH request token gives 401 error when request url is admin endpoint

2017-07-13 Thread Lance Bragstad
newton Importance: Undecided => High ** Changed in: keystone/ocata Importance: Undecided => High ** Changed in: keystone Importance: Undecided => Medium ** Changed in: keystone/newton Assignee: (unassigned) => Lance Bragstad (lbragstad) ** Changed in: keystone/ocata Ass
