can't create credential with keystone.conf admin_token

Bug #1275145 reported by Guang Yee
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Guang Yee

Bug Description

2014-01-31 15:42:14.656 2631 WARNING keystone.common.wsgi [-] Invalid token in _get_trust_id_for_request
2014-01-31 15:42:14.657 2631 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 127.0.0.1

The reason is that we are doing a trust lookup on credential creation, and that requires a token.

See https://github.com/openstack/keystone/blob/master/keystone/common/wsgi.py#L300

This won't work with the ADMIN token or customized SSL authorization.

Btw, there shouldn't be an explicit linkage of a credential with a trust. Trust should be part of the auth scope, not the credential itself. This is like linking a user password to a trust.

Dolph Mathews (dolph)
Changed in keystone:
status: New → Triaged
importance: Undecided → High
milestone: none → icehouse-3
summary: - can't create credential with ADMIN token
+ can't create credential with keystone.conf admin_token
Guang Yee (guang-yee)
Changed in keystone:
assignee: nobody → Guang Yee (guang-yee)
Dolph Mathews (dolph)
Changed in keystone:
milestone: icehouse-3 → icehouse-rc1
Changed in keystone:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/70847
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b5ab8fe9d63dd65786dd13adee2a6dd25b7c483a
Submitter: Jenkins
Branch: master

commit b5ab8fe9d63dd65786dd13adee2a6dd25b7c483a
Author: guang-yee <email address hidden>
Date: Mon Feb 3 13:17:34 2014 -0800

    allow create credential with the system admin token

    We are looking up trust_id during create credential, which means the caller must
    use a Keystone-issued token. This is unrealistic as create credential is
    often done as part of bootstrap, using the static system admin token.
    Furthermore, deployments which use external authorization will break as it
    may not have a token_id in the request context.

    For the above reasons, we'll skip trust_id lookup if the request token_id is
    either absent or it is the static system admin token.

    closes bug 1275145
    closes bug 1263804

    Change-Id: I6cda3c5f36c9754ab84e28ff9a9289887d6c9b77
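
The skip rule described in the commit message above, as an added example that is not Keystone's code: a simplified model in which `ADMIN_TOKEN`, `TOKEN_STORE`, `create_credential` and the function names are assumptions made for illustration. It also shows the check a reviewer would want: a token that is present but unknown is still rejected rather than skipped.

```python
# Added illustration: a simplified model, not Keystone's source code.
import hmac


class Unauthorized(Exception):
    """The request requires authentication."""


# Constructed sample data: a static admin token and one trust-scoped token.
ADMIN_TOKEN = "constructed-static-admin-token"  # stands in for keystone.conf admin_token
TOKEN_STORE = {"tok-trust-1": {"trust_id": "trust-abc"}}


def _is_admin_token(token_id):
    # Constant-time comparison is a choice of this example, not taken from the page.
    return hmac.compare_digest(token_id.encode(), ADMIN_TOKEN.encode())


def trust_id_before_fix(context):
    """Behaviour in the report: every caller must present an issued token."""
    token = TOKEN_STORE.get(context.get("token_id"))
    if token is None:
        raise Unauthorized("Invalid token in _get_trust_id_for_request")
    return token.get("trust_id")


def trust_id_after_fix(context):
    """Behaviour the commit message describes: skip the lookup when token_id
    is absent or is the static admin token; anything else is still validated."""
    token_id = context.get("token_id")
    if token_id is None or _is_admin_token(token_id):
        return None  # bootstrap or external authorization: no trust to attach
    token = TOKEN_STORE.get(token_id)
    if token is None:
        raise Unauthorized("Invalid token in _get_trust_id_for_request")
    return token.get("trust_id")


def create_credential(context, blob, lookup):
    """Hypothetical create path: attach trust_id only when the lookup finds one."""
    trust_id = lookup(context)
    credential = {"blob": dict(blob)}
    if trust_id is not None:
        credential["blob"]["trust_id"] = trust_id
    return credential
```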

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-rc1 → 2014.1