Reviewed:  https://review.openstack.org/331567
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7df92f7b624500e24b71c4b2d516604e0edb52f2
Submitter: Jenkins
Branch:    master

commit 7df92f7b624500e24b71c4b2d516604e0edb52f2
Author: Martin Schuppert <[email protected]>
Date:   Mon Jun 20 11:04:19 2016 +0200

    Verify domain_id when get_domain is being called

    When create user using API it is possible to use a domain_id
    which does match the created domain_id since mysql per default
    is not case sensitive and returns the domain_id to be valid.
    In e.g. liberty this breaks cli keystone v2 user list actions
    when a user with a DEFaULt domain has been created.

    With this change the domain_id is being validated with what
    provided with the API call in get_domain.

    Change-Id: I028b2add3067e6fb9aa3f33eb8fe10d8ebace006
    Closes-Bug: #1594284

** Changed in: keystone
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1594284

Title:
  create user through API does not validate domain_id is properly
  written

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  When create a new user using the API (not cli client or horizon) it is
  possible to pass a domain id which does not match the writing of the
  domain id created.

  e.g. default -> Default or DEfauLT

  In e.g. liberty using keystone v2, this results in keystone user list
  actions to fail.

  Reproduce with:

  1) get token

    $ export OS_TOKEN=`curl -si -H "Content-Type: application/json" -d '{ "auth": { "identity": { "methods": ["password"], "password": { "user": { "name": "admin", "domain": { "id": "default" }, "password": "6e37dc4d28444c3a" }}}, "scope": { "project": { "name": "admin", "domain": { "id": "default" }}}}}' http://localhost:5000/v3/auth/tokens | awk '/X-Subject-Token/ {print $2}'`

  2) create user

    $ curl -s -H "X-Auth-Token: $OS_TOKEN" -H "Content-Type: application/json" -d '{"user": {"name": "newuser", "password": "changeme", "domain_id": "DEfauLT"}}' http://localhost:5000/v3/users | python -mjson.tool
    {
        "user": {
            "domain_id": "DEfauLT",
            "enabled": true,
            "id": "6553a3cd71794157bef20bc82c98e2b8",
            "links": {
                "self": "http://localhost:5000/v3/users/6553a3cd71794157bef20bc82c98e2b8"
            },
            "name": "newuser"
        }
    }

  3) use keystone v2 and query users

    # openstack user list
    The request you have made requires authentication. (HTTP 401) (Request-ID: req-306fa0f5-6337-4206-ae91-27f382ca7166)

  But getting token works as expected

    # openstack token issue
    +------------+----------------------------------+
    | Field      | Value                            |
    +------------+----------------------------------+
    | expires    | 2016-06-20T09:20:05Z             |
    | id         | 4dd0f55bc2424c31a9c15d185c403dd5 |
    | project_id | 211a8c1d7eaa4918a2bd5f2b6d7199ac |
    | user_id    | 6553a3cd71794157bef20bc82c98e2b8 |
    +------------+----------------------------------+

  On liberty:

    MariaDB [keystone]> select * from user where name='newuser2'\G;
    *************************** 1. row ***************************
                    id: 448f9bfc33dc443e9ec2d18cd16af9f7
                  name: newuser2
                 extra: {}
              password: $6$rounds=10000$HNeascl/YNVeJbGU$R4TnvjIbBPKs0YaVyeT6GCyHDz7Y.UFW141xF6f0YyZVXFKjgrA3EryqXoj6PdeNUku0v0Y85K.4FrSKYnmmo0
               enabled: 1
    -->      domain_id: DEfauLT
    default_project_id: NULL
    1 row in set (0.00 sec)

  Manual change of the domain_id in the DB is needed.

  Remarks:
  - create user using cli client verifies domain exists
  - with Mitaka it is still possible to create user with mismatching
    domain_id, but so far no issues identified (little testing)

    [root@rdo-mitaka ~(keystone_admin_v3)]# openstack user show 6553a3cd71794157bef20bc82c98e2b8
    +-----------+----------------------------------+
    | Field     | Value                            |
    +-----------+----------------------------------+
    | domain_id | DEfauLT                          |
    | enabled   | True                             |
    | id        | 6553a3cd71794157bef20bc82c98e2b8 |
    | name      | newuser                          |
    +-----------+----------------------------------+

    MariaDB [keystone]> select * from local_user where name='newuser'\G;
    *************************** 1. row ***************************
           id: 11
      user_id: 6553a3cd71794157bef20bc82c98e2b8
    domain_id: DEfauLT
         name: newuser

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1594284/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
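
The case mismatch from this report and the kind of check the commit message describes, as an added example (not keystone's code and not part of the original notification). Assumptions: an in-memory SQLite table with COLLATE NOCASE stands in for MySQL's case-insensitive default, and the function names, DomainNotFound and create_user are hypothetical.

```python
import sqlite3


class DomainNotFound(Exception):
    """Raised when no domain has exactly the requested id."""


def make_db():
    # Assumption: SQLite replaces MySQL here; COLLATE NOCASE imitates the
    # case-insensitive comparison the bug report attributes to MySQL.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE domain (id TEXT COLLATE NOCASE PRIMARY KEY, name TEXT)"
    )
    db.execute("INSERT INTO domain VALUES ('default', 'Default')")
    return db


def get_domain_unchecked(db, domain_id):
    # Before the fix: any row the database matched is treated as valid,
    # so 'DEfauLT' resolves to the row whose stored id is 'default'.
    row = db.execute(
        "SELECT id, name FROM domain WHERE id = ?", (domain_id,)
    ).fetchone()
    if row is None:
        raise DomainNotFound(domain_id)
    return {"id": row[0], "name": row[1]}


def get_domain_checked(db, domain_id):
    # After the fix: the stored id must equal the id from the API call
    # exactly; a case-only match is reported as "not found".
    ref = get_domain_unchecked(db, domain_id)
    if ref["id"] != domain_id:
        raise DomainNotFound(domain_id)
    return ref


def create_user(db, name, domain_id, get_domain):
    # Hypothetical caller: validates the domain, then keeps the caller's
    # spelling of domain_id, which is how 'DEfauLT' ended up in the user row.
    get_domain(db, domain_id)
    return {"name": name, "domain_id": domain_id}
```

Swapping get_domain_checked into create_user rejects the request before the mismatched domain_id can be written, so no manual database correction is needed afterwards.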

