Auth protocol doesn't work properly for admin users

Bug #857671 reported by Anthony Young
Affects: OpenStack Identity (keystone) | Status: Fix Released | Importance: Medium | Assigned to: Yogeshwar

Bug Description

At present, keystone returns all tenants for admin users, which prevents us from implementing the auth protocol as described here: http://stsh.me/lL. This is how the protocol is supposed to work:

* Create unscoped token UTOKEN using auth(username, password)
* Use UTOKEN to get a TENANT_LIST
* From TENANT_LIST choose TENANT
* Use auth(UTOKEN, TENANT) to get SCOPEDTOKEN

For admin users, TENANT_LIST may include tenants of which they are not members. Thus, auth(UTOKEN, NOTMYTENANT) will fail for those tenants.

Some strategies to fix this include:
* return a user-scoped list of tenants to admin users when they use publicURL or internalURL (I like this one!)
* Let admins switch between tenants freely even if they are not members (this still leaves initial auth complex)
* allow admins to filter the list a la nova's get /servers api
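The four-step flow from the description and the fix agreed on later in this thread (admin endpoint returns every tenant, public/internal endpoints return only tenants where the user holds a role), as an added example that is not keystone's own code. The users, passwords, tenants, roles, endpoint names and function names are all constructed for illustration.

```python
import secrets

# Constructed sample data (not real keystone data): tenant -> {user: role}
ROLES = {
    "acme": {"alice": "Member"},
    "globex": {"bob": "Member", "alice": "admin"},
    "initech": {"carol": "Member"},
}
PASSWORDS = {"alice": "pw-alice", "bob": "pw-bob", "carol": "pw-carol"}
ADMINS = {"alice"}          # users holding the global admin role

_tokens = {}                # token id -> (user, tenant or None for unscoped)

def authenticate(username, password):
    """Step 1: unscoped token UTOKEN from auth(username, password)."""
    if PASSWORDS.get(username) != password:
        raise PermissionError("bad credentials")
    tok = secrets.token_hex(8)
    _tokens[tok] = (username, None)
    return tok

def tenants_for(username):
    """Tenants in which the user holds a role (the user-scoped list)."""
    return sorted(t for t, members in ROLES.items() if username in members)

def get_tenants(utoken, endpoint="public"):
    """Step 2: TENANT_LIST. Before the fix an admin got every tenant on every
    endpoint; with the fix only the admin endpoint returns the unfiltered
    list, and public/internal return the role-scoped list for everyone."""
    user, _ = _tokens[utoken]
    if endpoint == "admin" and user in ADMINS:
        return sorted(ROLES)
    return tenants_for(user)

def scope_token(utoken, tenant):
    """Step 4: SCOPEDTOKEN = auth(UTOKEN, TENANT). Needs a role in the tenant,
    so a list containing non-member tenants breaks the client's loop."""
    user, _ = _tokens[utoken]
    if user not in ROLES.get(tenant, {}):
        raise PermissionError(f"{user} has no role in tenant {tenant}")
    tok = secrets.token_hex(8)
    _tokens[tok] = (user, tenant)
    return tok

def login_all_tenants(username, password, endpoint="public"):
    """Dashboard-style flow: scope a token for every tenant that is listed."""
    utoken = authenticate(username, password)
    return {t: scope_token(utoken, t) for t in get_tenants(utoken, endpoint)}
```

Calling login_all_tenants for the admin against the admin endpoint reproduces the reported failure (a PermissionError on the first non-member tenant), while the public endpoint completes.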

Revision history for this message
Joe Savak (jsavak) wrote :

From an internal URL, can it return all tenants but for a public URL return only the user-scoped tenants?

I'm not 100% sure why it's returning all tenants right now and am checking on that.

Also, Anthony - is this a showstopper for Dashboard diablo?

Revision history for this message
Anthony Young (sleepsonthefloor) wrote :

At the moment, dashboard uses the adminURL when connecting to openstack for admin functions, and internalURL otherwise. My understanding is that internalURL is usually just a privately addressed version of publicURL, which provides for network efficiency. If that's true, then I'd think that either internalURL or publicURL would provide user-scoped tenants.

Ideally we should get this fixed for dashboard diablo, as there are a variety of hacks and bugs that exist because of this issue. In particular, there is a hack in place for admin login that iteratively requests a user list for every tenant that is returned to verify that the admin user is indeed a member of that tenant. In a production environment with lots of users and tenants, that is going to behave very poorly.

Revision history for this message
Yogeshwar (yogesh-srikrishnan) wrote :

Hi Anthony

This is how I am planning to fix.

User performs Get Tenants call using Admin Token.

=> On internal URL he gets list of all tenants that keystone has. However he cannot authenticate against each of those tenants and get a token for them. His authenticate call would be applicable only for tenants on which he has a role membership.

=> On public URL just like every other user he would get the list of tenants which have a role association. He could authenticate against each of his tenants that is returned.

Revision history for this message
Anthony Young (sleepsonthefloor) wrote :

Is there a reason to use internalURL for this instead of adminURL? internalURL seems pretty useful as a privately addressed version of publicURL.

Revision history for this message
Yogeshwar (yogesh-srikrishnan) wrote :

Sorry. Should have mentioned admin url (internal url calls would behave exactly like the public url).

Revision history for this message
Anthony Young (sleepsonthefloor) wrote :

ah ok sounds good

Revision history for this message
Yogeshwar (yogesh-srikrishnan) wrote :

Hi Anthony
Have committed the fix exhibiting the behavior as outlined.
https://review.openstack.org/#change,725

Could check the behavior and close the bug if it fulfills what you asked for.

Regards

Changed in keystone:
status: New → Fix Committed
Revision history for this message
Anthony Young (sleepsonthefloor) wrote :

Hey Yogi,

I spent some time integrating with dashboard, and the changes look good. Thanks for your help.

Changed in keystone:
status: Fix Committed → Confirmed
status: Confirmed → Fix Committed
Revision history for this message
Yogeshwar (yogesh-srikrishnan) wrote :

Thanks Anthony for the feedback.

Changed in keystone:
status: Fix Committed → Fix Released
milestone: none → diablo-4
assignee: nobody → Yogeshwar (yogesh-srikrishnan)
Changed in keystone:
importance: Undecided → Medium