yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1427878] Re: cannot use v3 token with v2 services

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Adam Young <1427878@xxxxxxxxxxxxxxxxxx>
Date: Wed, 04 Mar 2015 15:36:35 -0000
Reply-to: Bug 1427878 <1427878@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

The issue is with configuring Nova.  When I edited Nova's conf file so
that authe vesrion was unset, like this:

auth_version=

And restarted all the Nova services, it worked.


** Changed in: keystone
   Importance: Critical => Medium

** Also affects: nova
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1427878

Title:
  Nova cannot validate v3 token by default

Status in OpenStack Compute (Nova):
  New

Bug description:
  Scenario: keystone is enabled for v3 with v3 policy
  Create two domains: default domain has service user accounts and projects - user domain is backed by ldap and has plain end user accounts
  Configure Horizon to be domain aware - hard code the user domain as the keystone domain to use by default
  Configure a user in the user domain to have admin rights over the default domain service project
  Can login to Horizon using a user from the user domain

  Problem: most operations fail - not authorized - but Identity
  operations work fine

  I edited keystone/token/providers/common.py - I commented out the line
      self._assert_default_domain(token_ref)
  in def validate_v2_token(self, token_ref)

  I restarted keystone

  Now, everything works fine - no errors

  Why isn't the service trying to validate the v3 token?

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1427878/+subscriptions

References

[Bug 1427878] [NEW] cannot use v3 token with v2 services
From: Richard Megginson, 2015-03-03