yahoo-eng-team team mailing list archive

[Morgan Fainberg <morgan.fainberg@xxxxxxxxx>]

Wont fix in kilo

** Changed in: keystone/kilo
       Status: In Progress => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1527759

Title:
  Default domain no longer lets keystone tenant-list work

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) kilo series:
  Won't Fix
Status in OpenStack Identity (keystone) liberty series:
  Fix Committed

Bug description:
  We recently upgraded from kilo.0 to kilo.2 in our dev environment and
  noticed that keystone tenant-list is always failing for the admin
  user.

  Our config is as follows default domain is tied to read-only ldap
  (AD), a heat domain is created to use for trusts to handle the created
  heatstack users/passwords. Under kilo.0 everything was happy. Under
  kilo0.2 we get the following error:

  keystone tenant-list
  The request you have made requires authentication. (HTTP 401) (Request-ID: req-d30289f0-778d-4577-8150-7ddd5438ad9c)

  The main error message is:
  2015-12-16 17:07:36.493 20386 WARNING keystone.common.wsgi [-] Authorization failed. Non-default domain is not supported (Disable debug mode to suppress these details.) (Disable debug mode to suppress these details.) from 10.224.48.132

  Looking at the differences between kilo.0 and kilo.2  it seems like:
  https://github.com/openstack/keystone/commit/9dfad21201251364c6d205e8e79813bfe78e6107
  is the most likely culprit for this regression. However, I have not
  yet been able to test if reverting that change fixes the issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1527759/+subscriptions