can't create credential with keystone.conf admin_token
Bug #1275145 reported by Guang Yee
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | High | Guang Yee | |
Bug Description
2014-01-31 15:42:14.656 2631 WARNING keystone.
2014-01-31 15:42:14.657 2631 WARNING keystone.
Reason is we are doing trust lookup on credential creation and that requires a token.
See https:/
This won't work with the ADMIN token or customized SSL authorization.
Btw, there shouldn't be an explicit linkage of credential with trust. Trust should be part of auth scope, not the credential itself. This is like linking user password to a trust.
Changed in keystone: | |
status: | New → Triaged |
importance: | Undecided → High |
milestone: | none → icehouse-3 |
summary: |
- can't create credential with ADMIN token
+ can't create credential with keystone.conf admin_token |
Changed in keystone: | |
assignee: | nobody → Guang Yee (guang-yee) |
Changed in keystone: | |
milestone: | icehouse-3 → icehouse-rc1 |
Changed in keystone: | |
status: | Triaged → In Progress |
Changed in keystone: | |
status: | Fix Committed → Fix Released |
Changed in keystone: | |
milestone: | icehouse-rc1 → 2014.1 |
Reviewed: https://review.openstack.org/70847
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b5ab8fe9d63dd65786dd13adee2a6dd25b7c483a
Submitter: Jenkins
Branch: master
commit b5ab8fe9d63dd65786dd13adee2a6dd25b7c483a
Author: guang-yee <email address hidden>
Date: Mon Feb 3 13:17:34 2014 -0800

allow create credential with the system admin token

We are looking up trust_id during create credential, which means the caller must
use a Keystone-issued token. This is unrealistic, as create credential is
often done as part of bootstrap, using the static system admin token.
Furthermore, deployments which use external authorization will break, as they
may not have a token_id in the request context.

For the above reasons, we'll skip trust_id lookup if the request token_id is
either absent or it is the static system admin token.

closes bug 1275145
closes bug 1263804

Change-Id: I6cda3c5f36c9754ab84e28ff9a9289887d6c9b77
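
The guard described in the commit message above, sketched as an added example. This is not Keystone's code and not part of the original page: the token store, the function names and the place where trust_id is recorded are assumptions made for illustration.

```python
import hmac

ADMIN_TOKEN = "constructed-admin-token"  # stands in for keystone.conf admin_token
# Constructed token store (assumption): token_id -> validated token data.
TOKENS = {
    "tok-trust": {"user_id": "u1", "trust_id": "trust-42"},
    "tok-plain": {"user_id": "u2"},
}


class Unauthorized(Exception):
    """Raised when a token_id cannot be resolved to a Keystone-issued token."""


def _resolve(token_id):
    token = TOKENS.get(token_id)
    if token is None:
        raise Unauthorized("token not found: cannot look up trust")
    return token


def trust_id_strict(context):
    """Behaviour in the report: every request must carry a resolvable token."""
    return _resolve(context.get("token_id")).get("trust_id")


def trust_id_for_request(context):
    """Behaviour in the commit message: skip the lookup when the token_id is
    absent (external authorization) or is the static admin token."""
    token_id = context.get("token_id")
    # Constant-time comparison is this example's choice, not taken from the page.
    if token_id is None or hmac.compare_digest(token_id.encode(), ADMIN_TOKEN.encode()):
        return None
    # Any other token is still resolved, so an unknown token keeps failing.
    return _resolve(token_id).get("trust_id")


def create_credential(context, credential, lookup=trust_id_for_request):
    """Return the stored credential; trust_id is recorded only if one was found."""
    ref = dict(credential)
    trust_id = lookup(context)
    if trust_id is not None:
        ref["trust_id"] = trust_id  # storage location is an assumption
    return ref
```

In this sketch the guard only decides whether a trust_id is recorded; it makes no authorization decision for the request.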