OpenStack Identity (keystone)

token model assumes a token is is_admin_project

Bug #1652012 reported by Henry Nash
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Invalid
Low
Unassigned

Bug Description

Our token model code will return a default of True for is_admin_project if that attribute is not defined [0]. The comment next to this says this is for backward compatibility - but this seems inherently dangerous. We should investigate what changes are needed (if any) to make the default False.

UPDATE: We need this to default to True for the time being while we deal
with #968696. Do not change this to False at this time.

[0] https://github.com/openstack/keystone/blob/686f9d583eaa5f015d6b8b995c2f4243392ffbce/keystone/models/token_model.py#L195-L198

See original description
Lance Bragstad (lbragstad)
description: updated
Changed in keystone:
status: New → Confirmed
importance: Undecided → Low
Gage Hugo (gagehugo)
Changed in keystone:
assignee: nobody → Gage Hugo (gagehugo)
OpenStack Infra (hudson-openstack)
Changed in keystone:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/438035
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=dc449dfd63c165cfa9c4600b82e5b392973a0e60
Submitter: Jenkins
Branch: master

commit dc449dfd63c165cfa9c4600b82e5b392973a0e60
Author: Gage Hugo <email address hidden>
Date: Fri Feb 24 12:26:41 2017 -0600

    Change is_admin_project to False by default

    Our token model code will return a default of True for
    is_admin_project if that attribute is not defined. The
    comment next to this says this is for backwards
    compatibility, but this seems inherently dangerous.

    Closes-Bug: #1652012

    Change-Id: I035fe570972764b9c9342d1851654634d681ac5e

Changed in keystone:
status: In Progress → Fix Released
Lance Bragstad (lbragstad)
Changed in keystone:
milestone: none → pike-1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 12.0.0.0b1

This issue was fixed in the openstack/keystone 12.0.0.0b1 development milestone.

Revision history for this message
Adam Young (ayoung) wrote :

This was a mistake.

Revision history for this message
Lance Bragstad (lbragstad) wrote :

This was reverted - https://github.com/openstack/keystone/commit/4a82ab9065a659bbcb838240da113a0509f651aa

Changed in keystone:
status: Fix Released → In Progress
milestone: pike-1 → none
Gage Hugo (gagehugo)
description: updated
Lance Bragstad (lbragstad)
Changed in keystone:
status: In Progress → Triaged
Revision history for this message
Lance Bragstad (lbragstad) wrote :

Unassigning due to inactivity.

Changed in keystone:
assignee: Gage Hugo (gagehugo) → nobody
Revision history for this message
Lance Bragstad (lbragstad) wrote :

This isn't an issue anymore since we overhauled the token model during Rocky and simplified the entire token provider API. The new token model [0] doesn't have a property for is_admin_project, so it can't default to True or False. The code to translate an instance of a token model to a v3 API response has logic to derive is_admin_project, but it's configuration driven [1].

I think it's safe to close this.

[0] https://git.openstack.org/cgit/openstack/keystone/tree/keystone/models/token_model.py#n33
[1] https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/render_token.py#n94

Changed in keystone:
status: Triaged → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.