Reviewed:  https://review.opendev.org/c/openstack/keystone/+/951392
Committed: https://opendev.org/openstack/keystone/commit/2323c474f857b64b5e6159dab03e64580817c65c
Submitter: "Zuul (22348)"
Branch:    master

commit 2323c474f857b64b5e6159dab03e64580817c65c
Author: Artem Goncharov <[email protected]>
Date:   Fri May 30 12:47:29 2025 +0200

    Fix getting token from application credentials token

    When user tries to get token from token that was initially issued using
    application credentials it is necessary to restore the initial
    application credential to enforce its scope, roles and access rules.

    Closes-bug: #2111836
    Change-Id: Ie94f7e18106b50087284bd8c81b50aa50ab104cb
    Signed-off-by: Artem Goncharov <[email protected]>

** Changed in: keystone
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/2111836

Title:
  Creating a token using an application credential results in a HTTP 500
  when attempting to use said token

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Sample devstack reproducer:

  ```
  export OS_CLOUD=devstack-admin
  openstack server list  # works
  openstack application credential create foo
  # use the returned id and secret fields to create a new cloud entry
  export OS_CLOUD=devstack-admin-appcred
  openstack server list  # works
  openstack token issue -f value -c id
  # use the returned id field to create a new cloud entry
  export OS_CLOUD=devstack-admin-token
  openstack server list  # error!
  ```

  Sample `clouds.yaml` after the above steps:

  ```
  clouds:
    devstack-admin:
      auth:
        auth_url: http://10.0.110.96/identity
        password: password
        project_domain_id: default
        project_name: admin
        user_domain_id: default
        username: admin
      region_name: RegionOne
    devstack-admin-appcred:
      auth:
        auth_url: http://10.0.110.96/identity
        application_credential_id: af1d2e8c0838425f8459bb07ba3371a7
        application_credential_secret: G9ATNVJsZW63kX34tHddudA13c0N77ktP5OSrPe-n-BEeHuF7AqQeXu6bSIaK593dC72bzQYjzG7M-ypNseZYA
      auth_type: v3applicationcredential
      region_name: RegionOne
    devstack-admin-token:
      auth:
        auth_url: http://10.0.110.96/identity
        token: gAAAAABoNejg1AvoyDKLwM6--SR4X8zEx2U_Q5w89QiOV45FiVGV3Hhf9Y4TDJoNYjiMmSOCUrFTKyHIY0hiNyyiSVXNer0nMa_ivlOpR6n2Rag7vZDdCLUjfri5fOmlGd3G0kOSic5qBf3ubhZPF2IDLQ65D4RbCzQS7yGmlrJBOEcpcLwyYhJTx_y74WO9N93duPAhGthZ
      auth_type: v3token
      region_name: RegionOne
  ```

  The traceback:

  ```
  CRITICAL keystone [None req-cdc8e19b-cb35-4b8b-8aea-4c34409871ed admin admin] Unhandled error: KeyError: 'application_credential'
  ERROR keystone Traceback (most recent call last):
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/flask/app.py", line 1536, in __call__
  ERROR keystone     return self.wsgi_app(environ, start_response)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/werkzeug/middleware/proxy_fix.py", line 183, in __call__
  ERROR keystone     return self.app(environ, start_response)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/dec.py", line 129, in __call__
  ERROR keystone     resp = self.call_func(req, *args, **kw)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/dec.py", line 193, in call_func
  ERROR keystone     return self.func(req, *args, **kwargs)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/oslo_middleware/base.py", line 124, in __call__
  ERROR keystone     response = req.get_response(self.application)
  ERROR keystone                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/request.py", line 1313, in send
  ERROR keystone     status, headers, app_iter = self.call_application(
  ERROR keystone                                 ^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/request.py", line 1278, in call_application
  ERROR keystone     app_iter = application(self.environ, start_response)
  ERROR keystone                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/dec.py", line 143, in __call__
  ERROR keystone     return resp(environ, start_response)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/dec.py", line 129, in __call__
  ERROR keystone     resp = self.call_func(req, *args, **kw)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/dec.py", line 193, in call_func
  ERROR keystone     return self.func(req, *args, **kwargs)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/oslo_middleware/base.py", line 124, in __call__
  ERROR keystone     response = req.get_response(self.application)
  ERROR keystone                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/request.py", line 1313, in send
  ERROR keystone     status, headers, app_iter = self.call_application(
  ERROR keystone                                 ^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/request.py", line 1278, in call_application
  ERROR keystone     app_iter = application(self.environ, start_response)
  ERROR keystone                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/dec.py", line 129, in __call__
  ERROR keystone     resp = self.call_func(req, *args, **kw)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/dec.py", line 193, in call_func
  ERROR keystone     return self.func(req, *args, **kwargs)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/osprofiler/web.py", line 111, in __call__
  ERROR keystone     return request.get_response(self.application)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/request.py", line 1313, in send
  ERROR keystone     status, headers, app_iter = self.call_application(
  ERROR keystone                                 ^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/request.py", line 1278, in call_application
  ERROR keystone     app_iter = application(self.environ, start_response)
  ERROR keystone                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/dec.py", line 193, in call_func
  ERROR keystone     return self.func(req, *args, **kwargs)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/oslo_middleware/request_id.py", line 58, in __call__
  ERROR keystone     response = req.get_response(self.application)
  ERROR keystone                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/request.py", line 1313, in send
  ERROR keystone     status, headers, app_iter = self.call_application(
  ERROR keystone                                 ^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/request.py", line 1278, in call_application
  ERROR keystone     app_iter = application(self.environ, start_response)
  ERROR keystone                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/keystone/keystone/server/flask/request_processing/middleware/url_normalize.py", line 38, in __call__
  ERROR keystone     return self.app(environ, start_response)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/dec.py", line 129, in __call__
  ERROR keystone     resp = self.call_func(req, *args, **kw)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/dec.py", line 193, in call_func
  ERROR keystone     return self.func(req, *args, **kwargs)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/keystonemiddleware/auth_token/__init__.py", line 340, in __call__
  ERROR keystone     response = req.get_response(self._app)
  ERROR keystone                ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/request.py", line 1313, in send
  ERROR keystone     status, headers, app_iter = self.call_application(
  ERROR keystone                                 ^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/webob/request.py", line 1278, in call_application
  ERROR keystone     app_iter = application(self.environ, start_response)
  ERROR keystone                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/werkzeug/middleware/dispatcher.py", line 81, in __call__
  ERROR keystone     return app(environ, start_response)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/flask/app.py", line 1514, in wsgi_app
  ERROR keystone     response = self.handle_exception(e)
  ERROR keystone                ^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 298, in error_router
  ERROR keystone     return original_handler(e)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 298, in error_router
  ERROR keystone     return original_handler(e)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 298, in error_router
  ERROR keystone     return original_handler(e)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^
  ERROR keystone   [Previous line repeated 28 more times]
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 295, in error_router
  ERROR keystone     return self.handle_error(e)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 310, in handle_error
  ERROR keystone     _handle_flask_propagate_exceptions_config(current_app, e)
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/flask/app.py", line 1511, in wsgi_app
  ERROR keystone     response = self.full_dispatch_request()
  ERROR keystone                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/flask/app.py", line 919, in full_dispatch_request
  ERROR keystone     rv = self.handle_user_exception(e)
  ERROR keystone          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 298, in error_router
  ERROR keystone     return original_handler(e)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 298, in error_router
  ERROR keystone     return original_handler(e)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 298, in error_router
  ERROR keystone     return original_handler(e)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^
  ERROR keystone   [Previous line repeated 28 more times]
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 295, in error_router
  ERROR keystone     return self.handle_error(e)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 310, in handle_error
  ERROR keystone     _handle_flask_propagate_exceptions_config(current_app, e)
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/flask/app.py", line 917, in full_dispatch_request
  ERROR keystone     rv = self.dispatch_request()
  ERROR keystone          ^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/flask/app.py", line 902, in dispatch_request
  ERROR keystone     return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args) # type: ignore[no-any-return]
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 489, in wrapper
  ERROR keystone     resp = resource(*args, **kwargs)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/flask/views.py", line 110, in view
  ERROR keystone     return current_app.ensure_sync(self.dispatch_request)(**kwargs) # type: ignore[no-any-return]
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/data/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 604, in dispatch_request
  ERROR keystone     resp = meth(*args, **kwargs)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/keystone/keystone/server/flask/common.py", line 1159, in wrapper
  ERROR keystone     return f(*args, **kwargs)
  ERROR keystone            ^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/keystone/keystone/api/auth.py", line 328, in post
  ERROR keystone     token = authentication.authenticate_for_token(auth_data)
  ERROR keystone             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone   File "/opt/stack/keystone/keystone/api/_shared/authentication.py", line 229, in authenticate_for_token
  ERROR keystone     app_cred_id = token_auth['application_credential']['id']
  ERROR keystone                   ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR keystone KeyError: 'application_credential'
  ```
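
A toy model of the rule the commit message states, added here as an illustration and not taken from keystone or from the fix: a token derived from an application-credential token keeps that credential's project, roles and access rules, and a missing credential is rejected rather than surfacing as an unhandled `KeyError`. `Token`, `AppCred`, `Unauthorized`, `reissue_from_token` and the sample data are hypothetical names and constructed values.

```python
# Toy model added for illustration; not keystone code. All names are hypothetical.
from dataclasses import dataclass
from typing import Optional


class Unauthorized(Exception):
    """Raised instead of letting a lookup error surface as an HTTP 500."""


@dataclass(frozen=True)
class AppCred:
    id: str
    project_id: str
    roles: tuple
    access_rules: tuple  # (method, path) pairs the credential may call


@dataclass(frozen=True)
class Token:
    user_id: str
    project_id: str
    roles: tuple
    access_rules: tuple = ()
    app_cred_id: Optional[str] = None  # set when issued via an app credential


def reissue_from_token(prev, requested_project, app_creds, user_roles):
    """Issue a new token from `prev`, keeping any application credential limits."""
    if prev.app_cred_id is None:
        # Ordinary token: roles come from the user's assignments on the project.
        roles = user_roles.get((prev.user_id, requested_project))
        if not roles:
            raise Unauthorized("no role on requested project")
        return Token(prev.user_id, requested_project, roles)
    # The credential id is optional state on the validated token, looked up
    # explicitly rather than indexed out of a dict that may lack the key.
    cred = app_creds.get(prev.app_cred_id)
    if cred is None:
        raise Unauthorized("application credential no longer exists")
    if requested_project != cred.project_id:
        raise Unauthorized("application credential is bound to another project")
    # Restore scope, roles and access rules from the original credential.
    return Token(prev.user_id, cred.project_id, cred.roles,
                 cred.access_rules, cred.id)


# Constructed sample data: admin on two projects, credential limited to one.
USER_ROLES = {("u1", "p-admin"): ("admin",), ("u1", "p-demo"): ("admin",)}
APP_CREDS = {"ac1": AppCred("ac1", "p-admin", ("reader",),
                            (("GET", "/v2.1/servers"),))}
```
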

