This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 878227 - keystone endpoint-create doesn't validate input
keystone endpoint-create doesn't validate input
Status: CLOSED NOTABUG
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-keystoneclient (Show other bugs)
2.0 (Folsom)
All Linux
unspecified Severity medium
: ---
: 5.0 (RHEL 7)
Assigned To: Alan Pevec
Ami Jeain
: Reopened, Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-11-19 16:42 EST by Dan Yocum
Modified: 2016-04-26 15:11 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-01-28 17:06:27 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Dan Yocum 2012-11-19 16:42:44 EST
Description of problem:
In ESSEX it is possible to break access to horizon (and probably other things) when attempting to manually create an invalid endpoint using 'keystone endpoint-create ...' with the wrong CLI options and possibly the wrong values passed to those options.

Version-Release number of selected component (if applicable):

Essex

How reproducible:

Every

Steps to Reproduce:
1.created an incompletely endpoint thusly (note: no publicurl, adminurl, and internalurl):

keystone endpoint-create --region RegionOne --service_id 6a0447de95554667
8dac94324c394956

2. Attempt to login via the horizon web UI
3.
  
Actual results:

Permission denied

Expected results:

Access granted

Additional info:

I've also opened this bug upstream: https://bugs.launchpad.net/keystone/+bug/1080862
Comment 3 RHEL Product and Program Management 2012-11-20 04:37:43 EST
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.
Comment 4 Dan Yocum 2012-11-20 11:01:03 EST
If this is fixed in Folsom, that's ok with me.
Comment 5 Martin Magr 2012-12-18 08:45:14 EST
Reopening since I did the same on Folsom:

[para@virtual-rhel-beta ~(keystone_admin)]$ keystone service-create --name=glance --type=image --description="Glance Image Service"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |       Glance Image Service       |
|      id     | ac82850b67284a6f954dca3498a04bb4 |
|     name    |              glance              |
|     type    |              image               |
+-------------+----------------------------------+
[para@virtual-rhel-beta ~(keystone_admin)]$ keystone endpoint-create --service_id ac82850b67284a6f954dca3498a04bb4
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminurl  |                                  |
|      id     | 7d6cec22e05b4777b485464d36fa12e5 |
| internalurl |                                  |
|  publicurl  |                                  |
|    region   |            regionOne             |
|  service_id | ac82850b67284a6f954dca3498a04bb4 |
+-------------+----------------------------------+

[para@virtual-rhel-beta ~(keystone_admin)]$ rpm -qa *keystone
openstack-keystone-2012.2.1-1.el6ost.noarch
python-keystone-2012.2.1-1.el6ost.noarch
Comment 6 Alan Pevec 2012-12-18 09:21:49 EST
(In reply to comment #5)
> Reopening since I did the same on Folsom:

But it doesn't "break access to horizon (and probably other things)" right?
Validation part is not critical, and would be inherited when fixed upstream.
Comment 7 Martin Magr 2013-04-29 04:11:24 EDT
No, it didn't break access to horizon. I agree that it's not critical.
Comment 8 Adam Young 2014-01-28 17:06:27 EST
Upstream NACK means this will not be fixed.  

It is not possible to validate the Endpoint, as the endpoint might not be available at time of creation.

Note You need to log in before you can comment on or make changes to this bug.