Bug 1102303 - Multiple domain scopes interfere with each other
Summary: Multiple domain scopes interfere with each other
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node
Version: 2.1.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Luke Meyer
QA Contact: libra bugs
URL:
Whiteboard:
Depends On: 1102273
Blocks:
Reported: 2014-05-28 17:36 UTC by Brenton Leanhardt
Modified: 2014-06-23 07:38 UTC (History)

Fixed In Version: rubygem-openshift-origin-controller-1.23.10.2-1.el6op
Doc Type: Bug Fix
Doc Text:
If an authorization token was created containing scopes for multiple domains, it was possible for the domain scopes to interfere with each other and cause queries using the token to not return the full list of authorized applications. This bug fix adds logic to ensure that queries are accurately returned when using authorization tokens with multiple domain scopes.
Clone Of: 1102273
Environment:
Last Closed: 2014-06-23 07:38:00 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2014:0781 | 0 | normal | SHIPPED_LIVE | Red Hat OpenShift Enterprise 2.1.2 bug fix update | 2014-06-23 11:36:38 UTC

Description Brenton Leanhardt 2014-05-28 17:36:44 UTC
+++ This bug was initially created as a clone of Bug #1102273 +++

Description of problem:

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Create three domains, each containing an application (with IDs '1', '2', and '3' for example)
2. Create an authorization token containing view scopes for two of the domains: 
"domain/1/view domain/2/view"
3. Using the auth token, GET "/broker/rest/domains".
4. Using the auth token, GET "/broker/rest/applications".

Actual results:
Two domains are returned
One application is returned

Expected results:
Two domains are returned
Two applications are returned


Additional info:

--- Additional comment from Jordan Liggitt on 2014-05-28 13:32:44 EDT ---

Will merge in https://github.com/openshift/origin-server/pull/5455

Comment 5 Yanping Zhang 2014-06-11 07:03:30 UTC
    Verified on 2.1.z/2014-06-10.3
     
    Steps to verify:
    1. Create 3 domains, each with one app (such as app1, app2, app3 separately in dom1, dom2, dom3)
    2. Add view token to two domains (such as dom2, dom3)
    #  rhc authorization-add --scope "domain/5397fa07db26c85e6f0000a0/view domain/5397fa7cdb26c85e6f0000a1/view" --note viewtest --expire-in 3600
    3. Retrieve all domains using the generated token
    # curl -k -s -H 'Authorization:Bearer d3f912e6be79422bda953c149719cef3eb1c3228650dfc9e1286eded1a5ebab7' https://10.3.15.45/broker/rest/domains |json_reformat
    4. Retrieve all apps using the generated token
    # curl -k -s -H 'Authorization:Bearer d3f912e6be79422bda953c149719cef3eb1c3228650dfc9e1286eded1a5ebab7' https://10.3.15.45/broker/rest/applications |json_reformat
     
    Actual results:
    3. Found 2 domains
    4. Found 2 apps

Comment 6 Luke Meyer 2014-06-12 17:19:21 UTC
commit fbaeb790ca288e5585da1a16350acdf7fd4b6952
Commit:     Luke Meyer <lmeyer>
CommitDate: Thu May 29 12:03:03 2014 -0400

    broker: Make domain scopes additive #cherrypick

    origin-server:
    https://bugzilla.redhat.com/show_bug.cgi?id=1102273
    commit 748f6211b5e178fa1fe7717bc739a6edfc287886
    Author: Jordan Liggitt <jliggitt>
    Date:   Wed May 28 11:38:50 2014 -0400

        Bug 1102273: Make domain scopes additive


and...

commit 055e592b6d219c3f8779d61e234eac3d216909ab
Commit:     Luke Meyer <lmeyer>
CommitDate: Thu May 29 12:06:13 2014 -0400

    broker: Ensure at least one scope's conditions are met #cherrypick

    origin-server:
    https://bugzilla.redhat.com/show_bug.cgi?id=1102273
    commit 57035eab8aa3aedb57a85a12de0d561a55651713
    Author: Jordan Liggitt <jliggitt>
    Date:   Wed May 28 12:41:11 2014 -0400

        Ensure at least one scope's conditions are met, even when combined with complex queries
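
How two domain scopes on one token can interfere, and what additive evaluation looks like, as an added Ruby illustration (not the origin-server code from the commits above). The merge-overwrite failure mode, the in-memory sample data and every function name here are assumptions made for the example.

```ruby
# Added illustration; not origin-server code. All names are hypothetical.
# Constructed sample data: three domains, one application in each.
APPS = [
  { name: "app1", domain_id: "1" },
  { name: "app2", domain_id: "2" },
  { name: "app3", domain_id: "3" },
].freeze

# Parse a scope string such as "domain/1/view domain/2/view" into one
# filter hash per domain scope; a malformed scope grants nothing.
def scope_filters(scope_string)
  scope_string.split.map do |scope|
    kind, id, permission = scope.split("/", 3)
    next unless kind == "domain" && permission == "view" && !id.to_s.empty?
    { domain_id: id }
  end.compact
end

def matches?(record, filter)
  filter.all? { |field, value| record[field] == value }
end

# Assumed failure mode: per-scope filters merged into a single hash, so a
# later scope on the same field silently replaces the earlier one.
def visible_interfering(records, scope_string)
  merged = scope_filters(scope_string).reduce({}) { |acc, f| acc.merge(f) }
  return [] if merged.empty? # an empty filter must not match everything
  records.select { |r| matches?(r, merged) }
end

# Additive evaluation: a record is visible when at least one scope's
# conditions hold. A caller-supplied query is ANDed on top of that union,
# so it can narrow the result but never widen it past the token's scopes.
def visible_additive(records, scope_string, query = {})
  filters = scope_filters(scope_string)
  records.select do |r|
    filters.any? { |f| matches?(r, f) } && matches?(r, query)
  end
end

def names(records)
  records.map { |r| r[:name] }
end
```

A regression test for this class of bug should cover both directions: a two-scope token returns the union of its domains, and a query for a resource outside every scope still returns nothing.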

Comment 8 errata-xmlrpc 2014-06-23 07:38:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0781.html

