Make system tokens work with domain-specific drivers

When calling certain group or user APIs, keystone logic would attempt to figure out the domain to scope responses to. This was specific to enabling domain-specific driver support, where each domain is backed by a different identity store. This functionality is turned off by default. Since system-scoped tokens are not associated to a domain (unlike project-scoped tokens or domain-scoped tokens), the logic to determine a domain from a system-scoped token was breaking and returning an erroneous HTTP 401 Unauthorized when system users attempted to list users or groups. This commit adds support for domain detection with system-scoped tokens. Change-Id: I8f0f7a623a1741f461493d872849fae7ef3e8077 Closes-Bug: 1843609
2019-09-12 16:46:26 +00:00 · 2019-09-12 16:46:26 +00:00 · 8f43b9cab0
commit 8f43b9cab0
parent db52869379
3 changed files with 27 additions and 0 deletions
--- a/keystone/server/flask/common.py
+++ b/keystone/server/flask/common.py
@ -935,6 +935,8 @@ class ResourceBase(flask_restful.Resource):
            return token_ref.domain_id
        elif token_ref.project_scoped:
            return token_ref.project_domain['id']
+        elif token_ref.system_scoped:
+            return
        else:
            msg = 'No domain information specified as part of list request'
            tr_msg = _('No domain information specified as part of list '
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@ -2614,6 +2614,22 @@ class TokenAPITests(object):
                                 allow_expired=True,
                                 expected_status=http_client.NOT_FOUND)

+    def test_system_scoped_token_works_with_domain_specific_drivers(self):
+        self.config_fixture.config(
+            group='identity', domain_specific_drivers_enabled=True
+        )
+
+        PROVIDERS.assignment_api.create_system_grant_for_user(
+            self.user['id'], self.role['id']
+        )
+
+        token_id = self.get_system_scoped_token()
+        headers = {'X-Auth-Token': token_id}
+
+        app = self.loadapp()
+        with app.test_client() as c:
+            c.get('/v3/users', headers=headers)
+

 class TokenDataTests(object):
    """Test the data in specific token types."""
--- a/releasenotes/notes/bug-1843609-8498b132222596b7.yaml
+++ b/releasenotes/notes/bug-1843609-8498b132222596b7.yaml
@ -0,0 +1,9 @@
+---
+fixes:
+  - |
+    [`bug 1843609 <https://bugs.launchpad.net/keystone/+bug/1843609>`]
+    Fixed an issue where system-scoped tokens couldn't be used to list users
+    and groups (e.g., GET /v3/users or GET /v3/groups) if ``keystone.conf
+    [identity] domain_specific_drivers_enabled=True`` and the API would
+    return an ``HTTP 401 Unauthorized``. These APIs now recognize
+    system-scoped tokens when using domain-specific drivers.