Reviewed: https://review.openstack.org/265002 Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c75f39f3d6e4a2caa37322adcf2e296ec7c573c8 Submitter: Jenkins Branch: master
commit c75f39f3d6e4a2caa37322adcf2e296ec7c573c8 Author: Morgan Fainberg <morgan.fainb...@gmail.com> Date: Thu Jan 7 15:18:03 2016 -0800 Revert "Validate domain ownership for v2 tokens" This reverts commit c4723550aa95be403ff591dd132c9024549eff10. This revert is being proposed as it breaks behavior that real-world deployments rely on. The deployments requested the V2 token with user_id and tenantId and then used the V2 token for the non-default-domain user to access swift. While the deployment is being encouraged to fix their code to use V3, this is behavior that was supported and used. This revert was done by hand due to the volume of change that has occured to the tests since the original patch landed. Conflicts (a lot of test refactoring): keystone/tests/unit/test_v3_assignment.py keystone/tests/unit/test_v3_auth.py keystone/tests/unit/test_v3_identity.py Change-Id: I4a303a5fcc8c2dacef5960e9e26ad9402f34a790 Closes-Bug: 1527759 ** Changed in: keystone Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1527759 Title: Default domain no longer lets keystone tenant-list work Status in OpenStack Identity (keystone): Fix Released Bug description: We recently upgraded from kilo.0 to kilo.2 in our dev environment and noticed that keystone tenant-list is always failing for the admin user. Our config is as follows default domain is tied to read-only ldap (AD), a heat domain is created to use for trusts to handle the created heatstack users/passwords. Under kilo.0 everything was happy. Under kilo0.2 we get the following error: keystone tenant-list The request you have made requires authentication. (HTTP 401) (Request-ID: req-d30289f0-778d-4577-8150-7ddd5438ad9c) The main error message is: 2015-12-16 17:07:36.493 20386 WARNING keystone.common.wsgi [-] Authorization failed. Non-default domain is not supported (Disable debug mode to suppress these details.) (Disable debug mode to suppress these details.) from 10.224.48.132 Looking at the differences between kilo.0 and kilo.2 it seems like: https://github.com/openstack/keystone/commit/9dfad21201251364c6d205e8e79813bfe78e6107 is the most likely culprit for this regression. However, I have not yet been able to test if reverting that change fixes the issue. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1527759/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp