Bug 1102303

Summary: Multiple domain scopes interfere with each other
Product: OpenShift Container Platform Reporter: Brenton Leanhardt <bleanhar>
Component: NodeAssignee: Luke Meyer <lmeyer>
Status: CLOSED ERRATA QA Contact: libra bugs <libra-bugs>
Severity: medium Docs Contact:
Priority: medium    
Version: 2.1.0CC: adellape, cryan, jialiu, jliggitt, jokerman, libra-onpremise-devel, mmccomas, yanpzhan
Target Milestone: ---Keywords: Upstream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: rubygem-openshift-origin-controller-1.23.10.2-1.el6op Doc Type: Bug Fix
Doc Text:
If an authorization token was created containing scopes for multiple domains, it was possible for the domain scopes to interfere with each other and cause queries using the token to not return the full list of authorized applications. This bug fix adds logic to ensure that queries are accurately returned when using authorization tokens with multiple domain scopes.
 Story Points: ---
Clone Of: 1102273 Environment:
Last Closed: 2014-06-23 07:38:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1102273    
Bug Blocks:    

Description Brenton Leanhardt 2014-05-28 17:36:44 UTC 
+++ This bug was initially created as a clone of Bug #1102273 +++

Description of problem:

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Create three domains, each containing an application (with id's '1', '2', and '3' for example)
2. Create an authorization token containing view scopes for two of the domains: 
"domain/1/view domain/2/view"
3. Using the auth token, GET "/broker/rest/domains".
4. Using the auth token, GET "/broker/rest/applications".

Actual results:
Two domains are returned
One application is returned

Expected results:
Two domains are returned
Two applications are returned


Additional info:

--- Additional comment from Jordan Liggitt on 2014-05-28 13:32:44 EDT ---

Will merge in https://github.com/openshift/origin-server/pull/5455
Comment 1 Luke Meyer 2014-05-29 16:40:42 UTC 
https://github.com/openshift/enterprise-server/pull/283
Comment 5 Yanping Zhang 2014-06-11 07:03:30 UTC 
    Verified on 2.1.z/2014-06-10.3
     
    Steps to verify:
    1.Create 3 domains each with one app(such as app1, app2, app3 seperately in dom1,dom2,dom3)
    2.Add view token to two domains (such as dom2,dom3)
    #  rhc authorization-add --scope "domain/5397fa07db26c85e6f0000a0/view domain/5397fa7cdb26c85e6f0000a1/view" --note viewtest --expire-in 3600
    3.Retrieve all domains using the generated token
    # curl -k -s -H 'Authorization:Bearer d3f912e6be79422bda953c149719cef3eb1c3228650dfc9e1286eded1a5ebab7' https://10.3.15.45/broker/rest/domains |json_reformat
    4.Retrieve all apps using the generated token
    # curl -k -s -H 'Authorization:Bearer d3f912e6be79422bda953c149719cef3eb1c3228650dfc9e1286eded1a5ebab7' https://10.3.15.45/broker/rest/applications |json_reformat
     
    Actual results:
    3.Found 2 domains
    4.Found 2 apps
Comment 6 Luke Meyer 2014-06-12 17:19:21 UTC 
commit fbaeb790ca288e5585da1a16350acdf7fd4b6952
Commit:     Luke Meyer <lmeyer>
CommitDate: Thu May 29 12:03:03 2014 -0400

    broker: Make domain scopes additive #cherrypick

    origin-server:
    https://bugzilla.redhat.com/show_bug.cgi?id=1102273
    commit 748f6211b5e178fa1fe7717bc739a6edfc287886
    Author: Jordan Liggitt <jliggitt>
    Date:   Wed May 28 11:38:50 2014 -0400

        Bug 1102273: Make domain scopes additive


and...

commit 055e592b6d219c3f8779d61e234eac3d216909ab
Commit:     Luke Meyer <lmeyer>
CommitDate: Thu May 29 12:06:13 2014 -0400

    broker: Ensure at least one scope's conditions are met #cherrypick

    origin-server:
    https://bugzilla.redhat.com/show_bug.cgi?id=1102273
    commit 57035eab8aa3aedb57a85a12de0d561a55651713
    Author: Jordan Liggitt <jliggitt>
    Date:   Wed May 28 12:41:11 2014 -0400

        Ensure at least one scope's conditions are met, even when combined with complex queries
Comment 8 errata-xmlrpc 2014-06-23 07:38:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0781.html