
yahoo-eng-team team mailing list archive

[Bug 1249462] Re: Keystone V3 Token validation is not working for non-Default domain

 

I'm invalidating the bug because this is due to a misconfiguration. API-
PASTE.INI for nova, glance, cinder and neutron services should have the
following entry in order to be able to validate V3 tokens:

[filter:authtoken]
auth_version = v3.0

If this configuration does not exist, the keystoneclient
middleware auth_token will prioritize v2.0, causing the problem when v3
is enabled.

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1249462

Title:
  Keystone V3 Token validation is not working for non-Default domain

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  I was not allowed to log in to horizon with a user from a non-Default
  domain after configuring horizon to work with the V3 identity version and
  multi-domains as well as enabling keystone V3 in endpoint catalogs.

  Taking a look at keystone code, I noticed the
  keystone/token/controllers.py validate_token method is hardcoded to
  validate using keystone V2, which does not accept tokens for a
  non-default Domain:

      @controller.protected()
      def validate_token(self, context, token_id):
          """Check that a token is valid.

          Optionally, also ensure that it is owned by a specific tenant.

          Returns metadata about the token along any associated roles.

          """
          belongs_to = context['query_string'].get('belongsTo')
          return self.token_provider_api.validate_v2_token(token_id, belongs_to)

  This is also noticed in the methods:

  * authenticate (that is calling issue_v2_token() hardcoded)
  * validate_token_head (that is calling check_v2_token() hardcoded)

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1249462/+subscriptions
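
An added example, not part of the original bug comment or of Keystone's own code: a small Python check that reports whether an api-paste.ini body carries the auth_version = v3.0 entry in [filter:authtoken] described in the comment above. The function names, status strings and sample inputs are constructed for illustration; file paths are supplied by the caller.

```python
import configparser
import sys

SECTION = "filter:authtoken"   # section named in the comment above
WANTED = "v3.0"                # value named in the comment above

def audit_paste_ini(text):
    """Classify one api-paste.ini body: ok | missing | mismatch | no-section."""
    # Design choice of this example: only keys written in [filter:authtoken]
    # itself are counted, matching the entry shown above. Moving the default
    # section aside stops configparser from merging [DEFAULT] keys into it.
    cp = configparser.RawConfigParser(strict=False, default_section="__unused__")
    cp.read_string(text)
    if not cp.has_section(SECTION):
        return "no-section"
    if not cp.has_option(SECTION, "auth_version"):
        return "missing"       # per the comment above, v2.0 is then prioritized
    value = cp.get(SECTION, "auth_version").strip()
    return "ok" if value == WANTED else "mismatch"

# Constructed sample inputs, not taken from a real deployment.
SAMPLE_BROKEN = """\
[pipeline:main]
pipeline = authtoken app

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
"""
SAMPLE_FIXED = SAMPLE_BROKEN + "auth_version = v3.0\n"
SAMPLE_V2 = SAMPLE_BROKEN + "auth_version = v2.0\n"

def main(paths):
    """Audit each file named on the command line; return 1 on any finding."""
    findings = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            status = audit_paste_ini(fh.read())
        print(f"{path}: {status}")
        findings += status != "ok"
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with the api-paste.ini paths of the nova, glance, cinder and neutron services as arguments; a non-zero exit code means at least one file lacks the entry.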