Public bug reported:

Fresh-ish devstack, authorize as domain user:

❯ openstack token issue -fyaml
domain_id: default
expires: 2025-10-09T13:51:15+0000
id: ...
user_id: 0bb0013247374b6cb8b2e4c369f3086f

try to create app creds

❯ openstack application credential create breakme
BadRequestException: 400: Client Error for url: https://192.168.100.191/identity/v3/users/0bb0013247374b6cb8b2e4c369f3086f/application_credentials, Invalid input for field/attribute project_id. Value: None. None is not of type 'string'

now all operations with appcreds are broken for this user

❯ openstack application credential list
BadRequestException: 400: Client Error for url: https://192.168.100.191/identity/v3/users/0bb0013247374b6cb8b2e4c369f3086f/application_credentials, Invalid input for field/attribute project_id. Value: None. None is not of type 'string'

deleting by name/via CLI also does not work, as it does the same list somewhere to resolve name to id

❯ openstack application credential delete breakme
Failed to delete application credential with name or ID 'breakme': BadRequestException: 400: Client Error for url: https://192.168.100.191/identity/v3/users/0bb0013247374b6cb8b2e4c369f3086f/application_credentials, Invalid input for field/attribute project_id. Value: None. None is not of type 'string'
1 of 1 application credentials failed to delete.

if you peek into the DB, you see an appcred w/o a project id was successfully stored in the DB

MySQL [email protected]:(none)> select * from keystone.application_credential where project_id is NULL\G
***************************[ 1. row ]***************************
internal_id  | 3
id           | f5d6ab4298c4467e853e8510ba56ecf7
name         | breakme
secret_hash  | $2b$04$YhMkjUMmTheSxXeEsYcQA.tFYA45POfYiRrqaw0iv7V.F3ptLajM2
description  | <null>
user_id      | 0bb0013247374b6cb8b2e4c369f3086f
project_id   | <null>
expires_at   | <null>
system       | <null>
unrestricted | 0

only now, using this UUID and a direct API call, you can delete those and restore functionality for this user

❯ os-https DELETE keystone/users/0bb0013247374b6cb8b2e4c369f3086f/application_credentials/f5d6ab4298c4467e853e8510ba56ecf7
HTTP/1.1 204 NO CONTENT
Connection: close
Date: Thu, 09 Oct 2025 12:59:19 GMT
Server: Apache/2.4.58 (Ubuntu)
Vary: X-Auth-Token
x-openstack-request-id: req-bbc51e52-785a-440a-a5a7-025a24c629cf

❯ openstack application credential list --print-empty -fjson
[]

AFAIU what happens is that not enforcing scope allows a domain-scoped request to sneak through and create the broken appcred, and already when the response is formatted, its jsonschema validation fails on project id being NULL/None. The same happens on any GET etc. request: the response validation fails. We need to do a better check, have the project id field non-nullable so you can't even store a broken appcred, and have some validation during appcreds create to return 403 or 400 instead of 500.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2127188

Title:
  domain user can create broken app creds when enforce scope is disabled

Status in OpenStack Identity (keystone):
  New

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team

