GET /v2.0/tokens/{token_id}/endpoints not implemented

Bug #1006777 reported by Jason Xu
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Critical
Assigned to: Dolph Mathews
Milestone:

Bug Description

GET /tokens/{token_id}/endpoints:

{
"error": { "message": "The action you have requested has not been implemented.", "code": 501, "title": null }
}

Expected Response: http://keystone.openstack.org/api_curl_examples.html#get-tokens-token-id-endpoints

Version: 2012.1

Revision history for this message
Joseph Heck (heckj) wrote :

Jason -

What token backing store responded with the NotImplemented response? (In particular, what's the value of "driver" under [token] in your keystone configuration?)

This is a potentially valid response if the backing store for the token never implemented that part of the API.

Changed in keystone:
status: New → Incomplete
Revision history for this message
Jason Xu (yinyangxu) wrote :

[token]
driver = keystone.token.backends.kvs.Token

I debugged the code and found the following method called.

keystone/keystone/service.py

    def endpoints(self, context, token_id):
        """Return a list of endpoints available to the token."""
        raise exception.NotImplemented()

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for Keystone because there has been no activity for 60 days.]

Changed in keystone:
status: Incomplete → Expired
Revision history for this message
Dolph Mathews (dolph) wrote :

The relevant implementation was intentionally removed in bug 933555; the call should be implemented correctly moving forward.

Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
status: Expired → Confirmed
summary: - GET /tokens/{token_id}/endpoints not implemented
+ GET /v2.0/tokens/{token_id}/endpoints not implemented
Revision history for this message
Dolph Mathews (dolph) wrote :

Example request/responses are below.

GET http://localhost:35357/v2.0/tokens/e94d61a11ee749ac8d2c2ef76e6ea4df/endpoints
=================================================================================

Accept: application/json
X-Auth-Token: ADMIN

200 OK
======

Status: 200
Content-Length: 273
Content-Location: http://localhost:35357/v2.0/tokens/e94d61a11ee749ac8d2c2ef76e6ea4df/endpoints
Vary: X-Auth-Token
Date: Thu, 06 Sep 2012 14:30:03 GMT
Content-Type: application/json

{
  "endpoints": [
    {
      "name": "Nova",
      "adminURL": "http://admin.openstack/nova",
      "region": "north",
      "internalURL": "http://internal.openstack/nova",
      "type": "compute",
      "id": "8c3426bd730c48f5b59527df3a51b901",
      "publicURL": "http://public.openstack/nova"
    }
  ],
  "endpoints_links": []
}

GET http://localhost:35357/v2.0/tokens/e94d61a11ee749ac8d2c2ef76e6ea4df/endpoints
=================================================================================

Accept: application/xml
X-Auth-Token: ADMIN

200 OK
======

Status: 200
Content-Length: 335
Content-Location: http://localhost:35357/v2.0/tokens/e94d61a11ee749ac8d2c2ef76e6ea4df/endpoints
Vary: X-Auth-Token
Date: Thu, 06 Sep 2012 14:30:05 GMT
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<endpoints xmlns="http://docs.openstack.org/identity/api/v2.0">
  <endpoint name="Nova" adminURL="http://admin.openstack/nova" region="north" internalURL="http://internal.openstack/nova" type="compute" id="8c3426bd730c48f5b59527df3a51b901" publicURL="http://public.openstack/nova"/>
</endpoints>
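
Added example, not part of the comment above or of the Keystone code base: a client-side check that the JSON and XML bodies shown in this report decode to the same endpoint records, and that the 501 body from the bug description is reported as an error rather than read as an empty list. The names `parse_endpoints`, `EndpointsError` and `FIELDS` are hypothetical.

```python
import json
import xml.etree.ElementTree as ET

NS = "{http://docs.openstack.org/identity/api/v2.0}"
# Hypothetical helper constant: the attributes each endpoint carries above.
FIELDS = ("id", "name", "type", "region", "publicURL", "internalURL", "adminURL")

# Bodies copied from this report: the 501 from the description and the two
# 200 responses from the comment above (whitespace compacted).
ERROR_501 = ('{"error": {"message": "The action you have requested has not '
             'been implemented.", "code": 501, "title": null}}')
JSON_200 = ('{"endpoints": [{"name": "Nova", "adminURL": "http://admin.openstack/nova",'
            ' "region": "north", "internalURL": "http://internal.openstack/nova",'
            ' "type": "compute", "id": "8c3426bd730c48f5b59527df3a51b901",'
            ' "publicURL": "http://public.openstack/nova"}], "endpoints_links": []}')
XML_200 = (b'<?xml version="1.0" encoding="UTF-8"?>'
           b'<endpoints xmlns="http://docs.openstack.org/identity/api/v2.0">'
           b'<endpoint name="Nova" adminURL="http://admin.openstack/nova"'
           b' region="north" internalURL="http://internal.openstack/nova"'
           b' type="compute" id="8c3426bd730c48f5b59527df3a51b901"'
           b' publicURL="http://public.openstack/nova"/></endpoints>')


class EndpointsError(Exception):
    """The body was an error document or not a well-formed endpoint list."""


def parse_endpoints(content_type, body):
    """Decode a token-endpoints response body into a list of dicts."""
    if content_type == "application/json":
        doc = json.loads(body)
        if "error" in doc:  # e.g. the 501 "not implemented" document
            err = doc["error"]
            raise EndpointsError("%s: %s" % (err["code"], err["message"]))
        records = doc["endpoints"]
    elif content_type == "application/xml":
        root = ET.fromstring(body)
        if root.tag != NS + "endpoints":
            raise EndpointsError("unexpected root element %r" % root.tag)
        records = [dict(e.attrib) for e in root.findall(NS + "endpoint")]
    else:
        raise ValueError("unsupported content type %r" % content_type)
    try:  # keep only the expected fields and require every one of them
        return [{k: rec[k] for k in FIELDS} for rec in records]
    except KeyError as exc:
        raise EndpointsError("endpoint record missing field %s" % exc)
```
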

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/12499

Changed in keystone:
status: Confirmed → In Progress
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
Joseph Heck (heckj)
Changed in keystone:
importance: Medium → Critical
milestone: none → folsom-rc1
Revision history for this message
Joseph Heck (heckj) wrote :

[08:39am] ttx: user A has a token for tenant B. Admin of tenant C grants A access to C, effectively disabling the token A had for B ?
[08:39am] dolphm: ttx: sure, the user can just re-auth though
[08:39am] ttx: dolphm: letting /anyone/ disabling any token sounds a bit... abusive to me
[08:39am] ttx: and potentially something a bad guy would want to do
[08:40am] ayoung: dolphm, why not filter the list by tenant_id?
[08:40am] ttx: not very critical in its effect, for sure
[08:40am] dolphm: ttx: "anyone" being any admin, and "any token" being for a specific user

Revision history for this message
Joseph Heck (heckj) wrote :

[08:43am] ttx: dolphm: oh. So a random user can't become the "admin" of a tenant and grant random users access to his tenant ?
[08:43am] dolphm: ttx: not in identity api v2 / current keystone impl
[08:43am] ttx: dolphm: you have to be the god of all keystone to grant roles ? In which case I agree there is no vector
[08:43am] ttx: and no impact
[08:43am] heckj: ttx: with the V2 API, that's correct

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/12499
Committed: http://github.com/openstack/keystone/commit/b6e568ede0d5e7abae69b28920f33f95be6190b5
Submitter: Jenkins
Branch: master

commit b6e568ede0d5e7abae69b28920f33f95be6190b5
Author: Dolph Mathews <email address hidden>
Date: Thu Sep 6 08:15:06 2012 -0500

    Implement token endpoint list (bug 1006777)

    Change-Id: Ia7dad06ec763994ce0beb171c481ab01c20af6cb

Changed in keystone:
status: In Progress → Fix Committed
Revision history for this message
Dolph Mathews (dolph) wrote :

For future reference, comment #8 and comment #9 were attached to the wrong bug number.

Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: folsom-rc1 → 2012.2