[api] The param "X-Subject-Token" is not needed in API "GET /v3/auth/projects"

Bug #1667194 reported by ZhangHongtao
This bug affects 2 people
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Low
Assigned to: Kristi Nikolla
Milestone:

Bug Description

In the API guide about "GET /v3/auth/projects", request param "X-Subject-Token" is needed and the description is "The authentication token. An authentication response returns the token ID in this header rather than in the response body.".
But this API call returns the list of projects that are available to be scoped to based on the X-Auth-Token provided in the request; "X-Subject-Token" is needless. Otherwise, the description about request param "X-Auth-Token" says "A valid authentication token for an administrative user."; this is wrong, as this API does not need admin permission.

For example:

[root@newton ~]# openstack user list
+----------------------------------+----------+
| ID | Name |
+----------------------------------+----------+
| 0f1d08247293493487eef8e75d7a2026 | glance |
| 1f5d5b4c4b474550bb6c1038a127a9dc | alt_demo |
| 2580828c8b2346fc90125ccbdfa35e4f | nova |
| 4bf88609b3594388aee89219d402c676 | cinder |
| 8c1e33157bd242ff9a80e4ddf026897d | neutron |
| d3751d1b99a24adbbb447a6a7a3ec67b | demo |
| e18f6644b2534d51946712c69099a71e | admin |
+----------------------------------+----------+
[root@newton ~]#
[root@newton ~]#
[root@newton ~]# openstack user create test
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | bc4a40549c074df8a320c19cba9f59d4 |
| name | test |
| password_expires_at | None |
+---------------------+----------------------------------+
[root@newton ~]# openstack project create test-project
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | default |
| enabled | True |
| id | 42e84e39c3c34b6cbef39045fad7d46b |
| is_domain | False |
| name | test-project |
| parent_id | default |
+-------------+----------------------------------+
[root@newton ~]# openstack role create test-role
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 1ba4a059c608410a986254efa333c352 |
| name | test-role |
+-----------+----------------------------------+
[root@newton ~]# openstack role add --user bc4a40549c074df8a320c19cba9f59d4 --project 42e84e39c3c34b6cbef39045fad7d46b 1ba4a059c608410a986254efa333c352
[root@newton ~]# openstack role assignment list | grep bc4a40549c074df8a320c19cba9f59d4
| 1ba4a059c608410a986254efa333c352 | bc4a40549c074df8a320c19cba9f59d4 | | 42e84e39c3c34b6cbef39045fad7d46b | | False |
[root@newton ~]# export ADMIN_TOKEN=`openstack token issue -c id -f value`
[root@newton ~]# openstack user set --password 123 bc4a40549c074df8a320c19cba9f59d4
[root@newton ~]# export TEST_TOKEN=`curl -si -d '{"auth":{"identity":{"methods":["password"],"password":{"user":{"domain":{"name":"Default"},"name":"test","password":"123"}}},"scope":{"project":{"domain":{"name":"Default"},"name":"test-project"}}}}' -H "Content-type: application/json" http://192.168.51.188:35357/v3/auth/tokens | awk '/X-Subject-Token/ {print $2}'`
[root@newton ~]#
[root@newton ~]# echo $ADMIN_TOKEN
f5b0e5bb89d44ec38c9e5102e7a20fdb
[root@newton ~]# echo $TEST_TOKEN
c30e3c7a5b56455da04c493624b64805
[root@newton ~]# curl -s -H "Content-type: application/json" -H "X-Auth-Token: f5b0e5bb89d44ec38c9e5102e7a20fdb" -H "X-Subject-Token: 00862092ecc54ed890694377ed3e0010" http://192.168.51.188:35357/v3/auth/projects | python -m json.tool
{
    "links": {
        "next": null,
        "previous": null,
        "self": "http://192.168.51.188/identity/v3/auth/projects"
    },
    "projects": [
        {
            "description": "Bootstrap project for initializing the cloud.",
            "domain_id": "default",
            "enabled": true,
            "id": "197ec32558754c84993d5d999e40f3d5",
            "is_domain": false,
            "links": {
                "self": "http://192.168.51.188/identity/v3/projects/197ec32558754c84993d5d999e40f3d5"
            },
            "name": "admin",
            "parent_id": "default"
        },
        {
            "description": "",
            "domain_id": "default",
            "enabled": true,
            "id": "7adcaac45b3449d68a3d9d9c32701b40",
            "is_domain": false,
            "links": {
                "self": "http://192.168.51.188/identity/v3/projects/7adcaac45b3449d68a3d9d9c32701b40"
            },
            "name": "alt_demo",
            "parent_id": "default"
        },
        {
            "description": "",
            "domain_id": "default",
            "enabled": true,
            "id": "8f70581e91df49bfb12ad5fe033844e8",
            "is_domain": false,
            "links": {
                "self": "http://192.168.51.188/identity/v3/projects/8f70581e91df49bfb12ad5fe033844e8"
            },
            "name": "demo",
            "parent_id": "default"
        }
    ]
}
[root@newton ~]#
[root@newton ~]# curl -s -H "Content-type: application/json" -H "X-Auth-Token: f5b0e5bb89d44ec38c9e5102e7a20fdb" http://192.168.51.188:35357/v3/auth/projects | python -m json.tool
{
    "links": {
        "next": null,
        "previous": null,
        "self": "http://192.168.51.188/identity/v3/auth/projects"
    },
    "projects": [
        {
            "description": "Bootstrap project for initializing the cloud.",
            "domain_id": "default",
            "enabled": true,
            "id": "197ec32558754c84993d5d999e40f3d5",
            "is_domain": false,
            "links": {
                "self": "http://192.168.51.188/identity/v3/projects/197ec32558754c84993d5d999e40f3d5"
            },
            "name": "admin",
            "parent_id": "default"
        },
        {
            "description": "",
            "domain_id": "default",
            "enabled": true,
            "id": "7adcaac45b3449d68a3d9d9c32701b40",
            "is_domain": false,
            "links": {
                "self": "http://192.168.51.188/identity/v3/projects/7adcaac45b3449d68a3d9d9c32701b40"
            },
            "name": "alt_demo",
            "parent_id": "default"
        },
        {
            "description": "",
            "domain_id": "default",
            "enabled": true,
            "id": "8f70581e91df49bfb12ad5fe033844e8",
            "is_domain": false,
            "links": {
                "self": "http://192.168.51.188/identity/v3/projects/8f70581e91df49bfb12ad5fe033844e8"
            },
            "name": "demo",
            "parent_id": "default"
        }
    ]
}
[root@newton ~]#
[root@newton ~]# curl -s -H "Content-type: application/json" -H "X-Auth-Token: 00862092ecc54ed890694377ed3e0010" http://192.168.51.188:35357/v3/auth/projects | python -m json.tool
{
    "links": {
        "next": null,
        "previous": null,
        "self": "http://192.168.51.188/identity/v3/auth/projects"
    },
    "projects": [
        {
            "description": "",
            "domain_id": "default",
            "enabled": true,
            "id": "42e84e39c3c34b6cbef39045fad7d46b",
            "is_domain": false,
            "links": {
                "self": "http://192.168.51.188/identity/v3/projects/42e84e39c3c34b6cbef39045fad7d46b"
            },
            "name": "test-project",
            "parent_id": "default"
        }
    ]
}
[root@newton ~]#
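
Added example, not part of the original report or of keystone's code: the manual comparison above (same request with and without a header, then with a non-admin token) written as a reusable check. `fake_auth_projects` and its token values are constructed stand-ins for the live endpoint; any function with the same signature can be passed in instead.

```python
import json

# Constructed stand-in for the token -> project lookup, using the project
# names from the report. The token values are made up for this example.
ASSIGNMENTS = {
    "admin-token": ["admin", "alt_demo", "demo"],
    "test-token": ["test-project"],
}


def fake_auth_projects(headers):
    """Stand-in for GET /v3/auth/projects; returns (status, body)."""
    projects = ASSIGNMENTS.get(headers.get("X-Auth-Token"))
    if projects is None:
        return 401, json.dumps({"error": {"code": 401}})
    return 200, json.dumps({"projects": [{"name": n} for n in projects]})


def header_effects(fetch, headers):
    """Drop each header in turn and report whether the response changes."""
    baseline = fetch(dict(headers))
    effects = {}
    for name in headers:
        trimmed = {k: v for k, v in headers.items() if k != name}
        changed = fetch(trimmed) != baseline
        effects[name] = "affects response" if changed else "no effect"
    return effects


def visible_projects(fetch, token):
    """Project names the holder of `token` can scope to."""
    _status, body = fetch({"X-Auth-Token": token})
    return sorted(p["name"] for p in json.loads(body).get("projects", []))


if __name__ == "__main__":
    sent = {"X-Auth-Token": "admin-token", "X-Subject-Token": "test-token"}
    # A header documented as required but reported as "no effect" is a
    # documentation defect of the kind this bug describes.
    print(header_effects(fake_auth_projects, sent))
    # A non-admin token still gets an answer, limited to its own projects.
    print(visible_projects(fake_auth_projects, "test-token"))
```

Against a live service, compare only the stable parts of the response (status and the `projects` list), since other fields may vary between calls.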

description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/437973

Changed in keystone:
assignee: nobody → Kristi Nikolla (knikolla)
status: New → In Progress
Changed in keystone:
milestone: none → pike-1
importance: Undecided → Low
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/437973
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=df139efda5345d5c388bc55f400c04f266e51fc3
Submitter: Jenkins
Branch: master

commit df139efda5345d5c388bc55f400c04f266e51fc3
Author: Kristi Nikolla <email address hidden>
Date: Fri Feb 24 11:23:17 2017 -0500

    Remove x-subject-token in api-ref for v3/auth/{projects,domains}

    Only x-auth-token is required for these api calls, but the
    api-ref mentions x-subject-token as required also.
    This fixes that by removing x-subject-token from the call docs.

    Change-Id: Ib30a71b81939b11363aced4aecd545049c210380
    Closes-Bug: 1667194

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 12.0.0.0b1

This issue was fixed in the openstack/keystone 12.0.0.0b1 development milestone.
