Bug 878227

Summary: keystone endpoint-create doesn't validate input
Product: Red Hat OpenStack Reporter: Dan Yocum <dyocum>
Component: python-keystoneclientAssignee: Alan Pevec <apevec>
Status: CLOSED NOTABUG QA Contact: Ami Jeain <ajeain>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 2.0 (Folsom)CC: ayoung, dpal, jlennox, mmagr, yeylon
Target Milestone: ---Keywords: Reopened, Triaged
Target Release: 5.0 (RHEL 7)   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-28 17:06:27 EST Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:

Description Dan Yocum 2012-11-19 16:42:44 EST
Description of problem:
In ESSEX it is possible to break access to horizon (and probably other things) when attempting to manually create an invalid endpoint using 'keystone endpoint-create ...' with the wrong CLI options and possibly the wrong values passed to those options.

Version-Release number of selected component (if applicable):

Essex

How reproducible:

Every

Steps to Reproduce:
1.created an incompletely endpoint thusly (note: no publicurl, adminurl, and internalurl):

keystone endpoint-create --region RegionOne --service_id 6a0447de95554667
8dac94324c394956

2. Attempt to login via the horizon web UI
3.
  
Actual results:

Permission denied

Expected results:

Access granted

Additional info:

I've also opened this bug upstream: https://bugs.launchpad.net/keystone/+bug/1080862
Comment 3 RHEL Product and Program Management 2012-11-20 04:37:43 EST
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.
Comment 4 Dan Yocum 2012-11-20 11:01:03 EST
If this is fixed in Folsom, that's ok with me.
Comment 5 Martin Magr 2012-12-18 08:45:14 EST
Reopening since I did the same on Folsom:

[para@virtual-rhel-beta ~(keystone_admin)]$ keystone service-create --name=glance --type=image --description="Glance Image Service"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |       Glance Image Service       |
|      id     | ac82850b67284a6f954dca3498a04bb4 |
|     name    |              glance              |
|     type    |              image               |
+-------------+----------------------------------+
[para@virtual-rhel-beta ~(keystone_admin)]$ keystone endpoint-create --service_id ac82850b67284a6f954dca3498a04bb4
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminurl  |                                  |
|      id     | 7d6cec22e05b4777b485464d36fa12e5 |
| internalurl |                                  |
|  publicurl  |                                  |
|    region   |            regionOne             |
|  service_id | ac82850b67284a6f954dca3498a04bb4 |
+-------------+----------------------------------+

[para@virtual-rhel-beta ~(keystone_admin)]$ rpm -qa *keystone
openstack-keystone-2012.2.1-1.el6ost.noarch
python-keystone-2012.2.1-1.el6ost.noarch
Comment 6 Alan Pevec 2012-12-18 09:21:49 EST
(In reply to comment #5)
> Reopening since I did the same on Folsom:

But it doesn't "break access to horizon (and probably other things)" right?
Validation part is not critical, and would be inherited when fixed upstream.
Comment 7 Martin Magr 2013-04-29 04:11:24 EDT
No, it didn't break access to horizon. I agree that it's not critical.
Comment 8 Adam Young 2014-01-28 17:06:27 EST
Upstream NACK means this will not be fixed.  

It is not possible to validate the Endpoint, as the endpoint might not be available at time of creation.