yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1427878] Re: Nova cannot validate v3 token by default

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Joe Gordon <1427878@xxxxxxxxxxxxxxxxxx>
Date: Wed, 04 Mar 2015 19:02:13 -0000
Reply-to: Bug 1427878 <1427878@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

auth_version is coming from keystonemiddleware not nova. So perhaps you
had an old version of keystonemiddleware installed.

** Changed in: nova
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1427878

Title:
  Nova cannot validate v3 token by default

Status in OpenStack Compute (Nova):
  Invalid

Bug description:
  Scenario: keystone is enabled for v3 with v3 policy
  Create two domains: default domain has service user accounts and projects - user domain is backed by ldap and has plain end user accounts
  Configure Horizon to be domain aware - hard code the user domain as the keystone domain to use by default
  Configure a user in the user domain to have admin rights over the default domain service project
  Can login to Horizon using a user from the user domain

  Problem: most operations fail - not authorized - but Identity
  operations work fine

  I edited keystone/token/providers/common.py - I commented out the line
      self._assert_default_domain(token_ref)
  in def validate_v2_token(self, token_ref)

  I restarted keystone

  Now, everything works fine - no errors

  Why isn't the service trying to validate the v3 token?

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1427878/+subscriptions

References

[Bug 1427878] [NEW] cannot use v3 token with v2 services
From: Richard Megginson, 2015-03-03