yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1427878] [NEW] cannot use v3 token with v2 services

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Richard Megginson <rmeggins@xxxxxxxxxx>
Date: Tue, 03 Mar 2015 22:15:13 -0000
Reply-to: Bug 1427878 <1427878@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

Scenario: keystone is enabled for v3 with v3 policy
Create two domains: default domain has service user accounts and projects - user domain is backed by ldap and has plain end user accounts
Configure Horizon to be domain aware - hard code the user domain as the keystone domain to use by default
Configure a user in the user domain to have admin rights over the default domain service project
Can login to Horizon using a user from the user domain

Problem: most operations fail - not authorized - but Identity operations
work fine

I edited keystone/token/providers/common.py - I commented out the line
    self._assert_default_domain(token_ref)
in def validate_v2_token(self, token_ref)

I restarted keystone

Now, everything works fine - no errors

Why isn't the service trying to validate the v3 token?

** Affects: keystone
     Importance: Undecided
     Assignee: Adam Young (ayoung)
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1427878

Title:
  cannot use v3 token with v2 services

Status in OpenStack Identity (Keystone):
  New

Bug description:
  Scenario: keystone is enabled for v3 with v3 policy
  Create two domains: default domain has service user accounts and projects - user domain is backed by ldap and has plain end user accounts
  Configure Horizon to be domain aware - hard code the user domain as the keystone domain to use by default
  Configure a user in the user domain to have admin rights over the default domain service project
  Can login to Horizon using a user from the user domain

  Problem: most operations fail - not authorized - but Identity
  operations work fine

  I edited keystone/token/providers/common.py - I commented out the line
      self._assert_default_domain(token_ref)
  in def validate_v2_token(self, token_ref)

  I restarted keystone

  Now, everything works fine - no errors

  Why isn't the service trying to validate the v3 token?

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1427878/+subscriptions

Follow ups

[Bug 1427878] Re: Nova cannot validate v3 token by default
From: Joe Gordon, 2015-03-04
[Bug 1427878] Re: cannot use v3 token with v2 services
From: Adam Young, 2015-03-04
[Bug 1427878] Re: cannot use v3 token with v2 services
From: Adam Young, 2015-03-04
[Bug 1427878] [NEW] cannot use v3 token with v2 services
From: Richard Megginson, 2015-03-03

References

[Bug 1427878] [NEW] cannot use v3 token with v2 services
From: Richard Megginson, 2015-03-03