Bug
Resolution: Unresolved
Normal
rhos-18.0.17 FR 5
rhos-ops-platform-services-security
Low
To Reproduce
Steps to reproduce the behavior:
We encountered the issue in Aodh, which specifies a trust when reaching out to other services (e.g. notifying Heat by sending a request to a webhook). But it's reproducible on the command line as well, and it's probably simpler, so I'll describe that:
- Create an application credential:
openstack application credential create cred1 --role admin
- Create a trust:
openstack trust create --role admin --project 137f3bc614b64c9b89e6e0d7d31da6bd admin admin
- Try to do anything while using the application credential and also specifying the trust ID. For example:
openstack --os-application-credential-id b12854469c6b4822baaa4bcd8764172a --os-application-credential-secret P85we2m6YIFM_7T1BJPoP1m8oBuor8dyC8thrhBM5V2qZwLD1oh_olgoFpsLNRqXuC-ToZusQX-KcypRXoHYGQ --os-auth-url http://192.168.122.214/identity --os-auth-type v3applicationcredential --os-trust-id 212b237b593b41c9904696457bdc481b project list
- See the error:
Error authenticating with application credential: Application credentials cannot request a scope.
Expected behavior
- We need to be able to use application credentials together with a trust ID if we want the whole nZDPR feature to work for Aodh.
Screenshots
- None
Device Info (please complete the following information):
- None
Bug impact
- nZDPR can't be enabled for Aodh
Known workaround
- No workaround except for not using application credentials for Aodh
Additional context
- Examples of some commands including outputs
# Create the application credentials
$ openstack application credential create cred1 --role admin
+--------------+----------------------------------------------------------------------------------------+
| Field        | Value                                                                                  |
+--------------+----------------------------------------------------------------------------------------+
| ID           | b12854469c6b4822baaa4bcd8764172a                                                       |
| Name         | cred1                                                                                  |
| Description  | None                                                                                   |
| Project ID   | 137f3bc614b64c9b89e6e0d7d31da6bd                                                       |
| Roles        | admin, manager, member, reader                                                         |
| Unrestricted | False                                                                                  |
| Access Rules | []                                                                                     |
| Expires At   | None                                                                                   |
| Secret       | P85we2m6YIFM_7T1BJPoP1m8oBuor8dyC8thrhBM5V2qZwLD1oh_olgoFpsLNRqXuC-ToZusQX-KcypRXoHYGQ |
+--------------+----------------------------------------------------------------------------------------+

# Create a trust
$ openstack trust create --role admin --project 137f3bc614b64c9b89e6e0d7d31da6bd admin admin
+----------------------+----------------------------------------------------+
| Field                | Value                                              |
+----------------------+----------------------------------------------------+
| expires_at           | None                                               |
| id                   | 212b237b593b41c9904696457bdc481b                   |
| is_impersonation     | False                                              |
| project_id           | 137f3bc614b64c9b89e6e0d7d31da6bd                   |
| redelegated_trust_id | None                                               |
| redelegation_count   | 0                                                  |
| remaining_uses       | None                                               |
| roles                | [{'id': 'f46d6423232649a0a76eb7a727c73979',        |
|                      | 'name': 'admin', 'domain_id': None, 'description': |
|                      | None, 'options': {'immutable': True}, 'links':     |
|                      | {'self': 'http://192.168.122.214/identity/v3/roles |
|                      | /f46d6423232649a0a76eb7a727c73979'}}]              |
| trustee_user_id      | 47783c644d0442e383c096a943b054a4                   |
| trustor_user_id      | 47783c644d0442e383c096a943b054a4                   |
+----------------------+----------------------------------------------------+

# Application credentials work without specifying trust
$ openstack --os-application-credential-id b12854469c6b4822baaa4bcd8764172a --os-application-credential-secret P85we2m6YIFM_7T1BJPoP1m8oBuor8dyC8thrhBM5V2qZwLD1oh_olgoFpsLNRqXuC-ToZusQX-KcypRXoHYGQ --os-auth-url http://192.168.122.214/identity --os-auth-type v3applicationcredential project list
+----------------------------------+--------------------+
| ID                               | Name               |
+----------------------------------+--------------------+
| 137f3bc614b64c9b89e6e0d7d31da6bd | admin              |
| a57b962a9a584efeb9cb1d93fe2980a4 | service            |
| a69bdd953c3c48fab79967ab75467ad2 | invisible_to_admin |
| f645fa100c6d47c39171a741d99115dc | alt_demo           |
| f6de4149157544b3814a8556fe44f2b3 | demo               |
+----------------------------------+--------------------+

# Using trust works without application credentials (using password instead)
$ openstack --os-username admin --os-password secret --os-auth-url http://192.168.122.214/identity --os-user-domain-id default --os-auth-type password --os-trust-id 212b237b593b41c9904696457bdc481b project list
+----------------------------------+--------------------+
| ID                               | Name               |
+----------------------------------+--------------------+
| 137f3bc614b64c9b89e6e0d7d31da6bd | admin              |
| a57b962a9a584efeb9cb1d93fe2980a4 | service            |
| a69bdd953c3c48fab79967ab75467ad2 | invisible_to_admin |
| f645fa100c6d47c39171a741d99115dc | alt_demo           |
| f6de4149157544b3814a8556fe44f2b3 | demo               |
+----------------------------------+--------------------+

# Application credentials + trust doesn't work
$ openstack --os-application-credential-id b12854469c6b4822baaa4bcd8764172a --os-application-credential-secret P85we2m6YIFM_7T1BJPoP1m8oBuor8dyC8thrhBM5V2qZwLD1oh_olgoFpsLNRqXuC-ToZusQX-KcypRXoHYGQ --os-auth-url http://192.168.122.214/identity --os-auth-type v3applicationcredential --os-trust-id 212b237b593b41c9904696457bdc481b project list
Error authenticating with application credential: Application credentials cannot request a scope. (HTTP 401) (Request-ID: req-b1c02fab-8d4f-4898-ac97-646777d847a3)
There is a check in keystone which prevents this from working. See https://opendev.org/openstack/keystone/src/commit/b06ae7307325473a006f19017e33ee22ba7a7478/keystone/auth/core.py#L280
When a trust ID is specified, it seems to be handled through the "scope" part of the request, so it doesn't pass that check and fails.
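To make the interaction concrete, here is an added example (not keystone's or Aodh's own code) that builds the three v3 auth request bodies the CLI commands above send and applies a simplified model of the keystone scope check; the application credential and trust IDs are the ones from this report, the secret is a constructed placeholder.

```python
# Added example, not keystone's or Aodh's own code: a simplified model of the
# keystone check this report points at. In the v3 auth API a trust is expressed
# as the token *scope* ({"OS-TRUST:trust": {"id": ...}}), so combining it with
# the application_credential method hits "cannot request a scope".
APP_CRED_ID = "b12854469c6b4822baaa4bcd8764172a"  # IDs taken from the report
TRUST_ID = "212b237b593b41c9904696457bdc481b"
SECRET = "constructed-placeholder-secret"         # not the real secret


def _trust_scope(trust_id):
    return {"OS-TRUST:trust": {"id": trust_id}}


def app_cred_auth(app_cred_id, secret, trust_id=None):
    """Auth body for --os-auth-type v3applicationcredential [--os-trust-id]."""
    body = {"auth": {"identity": {
        "methods": ["application_credential"],
        "application_credential": {"id": app_cred_id, "secret": secret}}}}
    if trust_id:
        body["auth"]["scope"] = _trust_scope(trust_id)  # trust lands in scope
    return body


def password_auth(user, password, trust_id=None, domain_id="default"):
    """Auth body for --os-auth-type password [--os-trust-id]."""
    body = {"auth": {"identity": {
        "methods": ["password"],
        "password": {"user": {"name": user, "password": password,
                              "domain": {"id": domain_id}}}}}}
    if trust_id:
        body["auth"]["scope"] = _trust_scope(trust_id)
    return body


def validate_scope(body):
    """Model of the check: returns (accepted, detail) for the request."""
    auth = body["auth"]
    scope = auth.get("scope")
    if "application_credential" in auth["identity"]["methods"]:
        if scope is not None:
            # keystone answers HTTP 401 with exactly this detail text
            return False, "Application credentials cannot request a scope."
        return True, "project scope taken from the application credential"
    if scope is not None and "OS-TRUST:trust" in scope:
        return True, "trust-scoped: " + scope["OS-TRUST:trust"]["id"]
    return True, "unscoped"
```

Running validate_scope over the three bodies reproduces the pattern in the report: application credential alone passes, password plus trust passes, application credential plus trust is rejected.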
blocks
OSPRH-25436 Aodh doesn't support application credentials
Refinement