Description of problem:
Keystone is not properly looking up the domain_id, please check the highlighted log lines

# openstack project create --domain my_domain my_domain_project1

2016-06-15 04:52:06.795 9535 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:223
2016-06-15 04:52:06.798 9535 INFO keystone.common.wsgi [-] POST http://192.168.101.196:5000/v3/auth/tokens
2016-06-15 04:52:06.897 9535 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:223
2016-06-15 04:52:06.899 9535 INFO keystone.common.wsgi [-] POST http://192.168.101.196:5000/v3/auth/tokens
2016-06-15 04:52:06.978 14354 INFO keystone.common.wsgi [-] GET http://192.168.101.196:35357/
2016-06-15 04:52:06.986 14354 DEBUG keystone.middleware.core [-] RBAC: auth_context: {'is_delegated_auth': False, 'user_id': u'7f603b47d9a14ed2aa4f10d0182c2e3e', 'roles': [u'admin'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=pz2LieBES-Wtv7Q9ftxI_g, audit_chain_id=pz2LieBES-Wtv7Q9ftxI_g) at 0x7f06181dc250>, 'access_token_id': None, 'domain_id': u'2e25369784564c508fdb51903ce98368', 'trust_id': None} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:233
2016-06-15 04:52:06.988 14354 INFO keystone.common.wsgi [-] GET http://192.168.101.196:35357/v3/domains/my_domain
2016-06-15 04:52:06.988 14354 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:get_domain(domain_id=my_domain) _build_policy_check_credentials /usr/lib/python2.7/site-packages/keystone/common/controller.py:61 <=======================
2016-06-15 04:52:06.989 14354 DEBUG keystone.common.controller [-] RBAC: using auth context from the request environment _build_policy_check_credentials /usr/lib/python2.7/site-packages/keystone/common/controller.py:66
2016-06-15 04:52:06.992 14354 WARNING keystone.common.wsgi [-] Could not find domain: my_domain
2016-06-15 04:52:07.000 14354 DEBUG keystone.middleware.core [-] RBAC: auth_context: {'is_delegated_auth': False, 'user_id': u'7f603b47d9a14ed2aa4f10d0182c2e3e', 'roles': [u'admin'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=pz2LieBES-Wtv7Q9ftxI_g, audit_chain_id=pz2LieBES-Wtv7Q9ftxI_g) at 0x7f062f3e1020>, 'access_token_id': None, 'domain_id': u'2e25369784564c508fdb51903ce98368', 'trust_id': None} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:233
2016-06-15 04:52:07.002 14354 INFO keystone.common.wsgi [-] GET http://192.168.101.196:35357/v3/domains?name=my_domain
2016-06-15 04:52:07.002 14354 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:list_domains() _build_policy_check_credentials /usr/lib/python2.7/site-packages/keystone/common/controller.py:61
2016-06-15 04:52:07.002 14354 DEBUG keystone.common.controller [-] RBAC: using auth context from the request environment _build_policy_check_credentials /usr/lib/python2.7/site-packages/keystone/common/controller.py:66
2016-06-15 04:52:07.003 14354 DEBUG keystone.common.controller [-] RBAC: Adding query filter params (name=my_domain) wrapper /usr/lib/python2.7/site-packages/keystone/common/controller.py:193
2016-06-15 04:52:07.003 14354 DEBUG keystone.policy.backends.rules [-] enforce identity:list_domains: {'is_delegated_auth': False, 'user_id': u'7f603b47d9a14ed2aa4f10d0182c2e3e', 'roles': [u'admin'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=pz2LieBES-Wtv7Q9ftxI_g, audit_chain_id=pz2LieBES-Wtv7Q9ftxI_g) at 0x7f062f3e1020>, 'access_token_id': None, 'domain_id': u'2e25369784564c508fdb51903ce98368', 'trust_id': None} enforce /usr/lib/python2.7/site-packages/keystone/policy/backends/rules.py:76
2016-06-15 04:52:07.005 14354 WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action: identity:list_domains (Disable debug mode to suppress these details.) <===========================
2016-06-15 04:52:07.017 14354 DEBUG keystone.middleware.core [-] RBAC: auth_context: {'is_delegated_auth': False, 'user_id': u'7f603b47d9a14ed2aa4f10d0182c2e3e', 'roles': [u'admin'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=pz2LieBES-Wtv7Q9ftxI_g, audit_chain_id=pz2LieBES-Wtv7Q9ftxI_g) at 0x7f0618186bf0>, 'access_token_id': None, 'domain_id': u'2e25369784564c508fdb51903ce98368', 'trust_id': None} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:233
2016-06-15 04:52:07.021 14354 INFO keystone.common.wsgi [-] POST http://192.168.101.196:35357/v3/projects
2016-06-15 04:52:07.021 14354 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:create_project(project={u'enabled': True, u'domain_id': u'my_domain', u'name': u'my_domain_project1'}) _build_policy_check_credentials /usr/lib/python2.7/site-packages/keystone/common/controller.py:61

Version-Release number of selected component (if applicable): <============================

Using the domain_id worked around the problem
# openstack project create --domain 2e25369784564c508fdb51903ce98368 my_domain_project1

How reproducible:

Steps to Reproduce:
1. create a project inside a domain
2.
3.

Actual results:
it fails

Expected results:
project created successfully

Additional info:
# rpm -qa | egrep keystone
python-keystonemiddleware-1.5.1-1.el7ost.noarch
openstack-keystone-2015.1.2-2.el7ost.noarch
python-keystoneclient-1.3.0-2.el7ost.noarch
python-keystone-2015.1.2-2.el7ost.noarch
This is actually caused by the keystoneclient library as called by openstack client.
As explained in the upstream bug https://bugs.launchpad.net/bugs/1592988, listing domains is a privileged operation in the default RBAC policy, causing: "You are not authorized to perform the requested action: identity:list_domains"
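Added example, not part of the bug report and not Keystone or openstackclient code: a Python triage script that scans a Keystone debug log for the sequence shown above, where a domain name is rejected as an ID, the by-name lookup is denied by the identity:list_domains policy, and the name is then sent as domain_id in create_project. The function name diagnose and the sample are assumptions; the sample lines are abridged from the log in this report.

```python
import re

# Sample abridged from this report's log (auth_context dicts and file paths trimmed).
SAMPLE_LOG = """\
2016-06-15 04:52:06.988 14354 INFO keystone.common.wsgi [-] GET http://192.168.101.196:35357/v3/domains/my_domain
2016-06-15 04:52:06.992 14354 WARNING keystone.common.wsgi [-] Could not find domain: my_domain
2016-06-15 04:52:07.002 14354 INFO keystone.common.wsgi [-] GET http://192.168.101.196:35357/v3/domains?name=my_domain
2016-06-15 04:52:07.005 14354 WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action: identity:list_domains
2016-06-15 04:52:07.021 14354 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:create_project(project={u'enabled': True, u'domain_id': u'my_domain', u'name': u'my_domain_project1'})
"""

NOT_FOUND = re.compile(r"WARNING keystone\.common\.wsgi \[-\] Could not find domain: (\S+)")
DENIED = re.compile(r"not authorized to perform the requested action: identity:list_domains")
CREATE = re.compile(r"Authorizing identity:create_project\(.*?u?'domain_id': u?'([^']+)'")


def diagnose(log_text):
    """Find create_project calls whose domain_id Keystone had just reported as unknown.

    Matching on Keystone's own "Could not find domain" warning avoids guessing
    from the ID format (the built-in default domain's ID is not a hex UUID).
    """
    findings = []
    missing = set()        # values rejected by GET /v3/domains/{id}
    list_denied = False    # by-name fallback blocked by policy
    for line in log_text.splitlines():
        m = NOT_FOUND.search(line)
        if m:
            missing.add(m.group(1))
        elif DENIED.search(line):
            list_denied = True
        else:
            m = CREATE.search(line)
            if not m:
                continue
            if m.group(1) in missing:
                findings.append({"domain_id_sent": m.group(1),
                                 "list_domains_denied": list_denied})
            missing, list_denied = set(), False   # reset for the next command
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f)
```

A finding with list_domains_denied set to True points at the policy denial rather than a missing domain; the workaround command that passes the domain ID directly produces no finding.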
Nathan, per your comment #5, does that issue still exist for us to document in OSP 8,9,10, and/or 13? Looking to get this closed properly and we'll make the changes in those releases if it is still applicable there. But OSP 7 is EOL.
Adding needinfo to Nathan for comment 7.
Closing WONTFIX; no updates for 2 years.