Support for multiple tenants in token scope in JSON

Bug #906442 reported by Ziad Sawalha
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | High | Ziad Sawalha |

Bug Description

In XML, we can return multiple <tenant/> tags when a token is scoped to multiple tenants. In JSON, however, we don't have support for that since we spec {"tenant": {}}.

Instead, we need to return
{"tenants": [{}, {}, {}]}
so we can return multiple tenants.

We will add this to the spec and keep the old "tenant" tag for compatibility until the next version of the API (tracked here https://bugs.launchpad.net/keystone/+bug/909543).

Changed in keystone:
milestone: none → essex-3
status: New → Confirmed
Changed in keystone:
importance: Undecided → High
Anthony Young (sleepsonthefloor) wrote :

Hey Ziad - a couple questions about this. How would a user create a multi-scoped token? The apis I'm aware of allow for either unscoped or singular scoping of tokens. Also, can you explain your use case that motivates this?

Jesse Andrews (anotherjesse) wrote :

Changing the response from tenant to tenants would break all existing clients.

Devin Carlen (devcamcar) wrote :

I'd really rather see functionality like this go into the "F" release instead of breaking existing clients again during Essex.

Ziad Sawalha (ziad-sawalha) wrote :

OK. I'll create a separate bug or bp to track that for F.

description: updated
Ziad Sawalha (ziad-sawalha) wrote :

Anthony (sleepsonthefloor) - this is not a use case that the Keystone implementation currently supports. Keep in mind that Keystone is only one possible implementation of the spec.

The spec does not constrain the number of tenants that a token is scoped to on initial auth.

One implementation is Rackspace auth where a token is by default scoped to two tenants.

Jesse Andrews (anotherjesse) wrote :

In the spec:

{
    "auth": {
        "passwordCredentials": {
            "username": "test_user",
            "password": "mypass"
        },
        "tenantName": "customer-x"
    }
}

and:

{
    "auth": {
        "passwordCredentials": {
            "username": "test_user",
            "password": "mypass"
        },
        "tenantId": "1234"
    }
}

That looks like it is scoping to a single tenant. It sounds like Rackspace has an extension that allows scoping to multiple?

Joe Savak (jsavak)
Changed in keystone:
assignee: nobody → Ziad Sawalha (ziad-sawalha)
Ziad Sawalha (ziad-sawalha) wrote :

@anotherjesse: not really. There is no extension. The token you get back when you make an auth call without scoping to a tenant has access to two tenants by default (similar to how default tenant works in Keystone).
We did not add support for scope to more than one tenant when authenticating in the spec, which is fine for this version. That is not changing.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/2875

Changed in keystone:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/2875
Committed: http://github.com/openstack/keystone/commit/3f70358bc3c893c6e85e9a0ee87d835fb54619ef
Submitter: Jenkins
Branch: master

commit 3f70358bc3c893c6e85e9a0ee87d835fb54619ef
Author: Ziad Sawalha <email address hidden>
Date: Fri Jan 6 11:18:06 2012 -0600

    Add 'tenants' to Auth & Validate Response

    - Addresses bug 906442
    - Preserves compatibility (keeps 'tenant')
    - No changes in XML (this is a json-only gap)

    Change-Id: Ia6f373d0c7e40b05892c6cdffeed8d1e4b6f65ca

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: essex-3 → 2012.1
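
Added example, not part of the original bug report and not Keystone's code: a client-side reader that accepts both the legacy "tenant" object and the "tenants" array discussed in this report, and refuses to guess when the two disagree. The "id" field on tenant objects, the enclosing token object and the names `tenant_scope`, `token_allows` and `ScopeError` are assumptions; the sample bodies are constructed.

```python
import json

class ScopeError(ValueError):
    """Raised when the tenant scope in a token body is malformed or inconsistent."""

def tenant_scope(token):
    """Return the list of tenant ids a token is scoped to.

    `token` is the JSON object carrying the legacy "tenant" key and/or the
    newer "tenants" array; its place in the full response is an assumption.
    """
    legacy = token.get("tenant")
    listed = token.get("tenants")
    if listed is not None and not isinstance(listed, list):
        raise ScopeError('"tenants" must be an array')
    if legacy is not None and not isinstance(legacy, dict):
        raise ScopeError('"tenant" must be an object')

    ids = []
    for entry in (listed or []):
        if not isinstance(entry, dict) or not entry.get("id"):
            raise ScopeError("tenant entry without an id")
        if entry["id"] not in ids:
            ids.append(entry["id"])

    if legacy:
        legacy_id = legacy.get("id")
        if not legacy_id:
            raise ScopeError("legacy tenant without an id")
        if listed is None:
            ids = [legacy_id]  # older server: single-tenant form only
        elif legacy_id not in ids:
            # Both forms present but they disagree: refuse to guess.
            raise ScopeError('"tenant" is not listed in "tenants"')
    return ids

def token_allows(token, tenant_id):
    """Authorization check against the full scope, not only the legacy tenant."""
    return tenant_id in tenant_scope(token)

# Constructed sample bodies (not captured from a real service).
OLD = json.loads('{"id": "tok-1", "tenant": {"id": "1234", "name": "customer-x"}}')
NEW = json.loads('{"id": "tok-2", "tenant": {"id": "1234"},'
                 ' "tenants": [{"id": "1234"}, {"id": "5678"}]}')
UNSCOPED = json.loads('{"id": "tok-3"}')
BAD = json.loads('{"id": "tok-4", "tenant": {"id": "9999"}, "tenants": [{"id": "1234"}]}')
```

A consumer that reads only "tenant" from the `NEW` body would see a scope of one tenant where the token actually covers two, which is why the check goes through the full list.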