Heat not working with keystoneclient_v2
Bug #1420987 reported by
Vijendar Komalla
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Heat |
Fix Released
|
High
|
Drago |
Bug Description
It seems Heat is not respecting 'keystone_backend' setting. I have set 'keystone_backend' to 'heat_keystonec
I am not sure if this change https:/
description: | updated |
description: | updated |
description: | updated |
Changed in heat: | |
status: | New → Triaged |
importance: | Undecided → High |
Changed in heat: | |
assignee: | nobody → Drago (drago-rosson) |
status: | Triaged → In Progress |
Changed in heat: | |
assignee: | Drago (drago-rosson) → nobody |
Changed in heat: | |
status: | In Progress → Confirmed |
Changed in heat: | |
assignee: | nobody → Drago (drago-rosson) |
status: | Confirmed → In Progress |
Changed in heat: | |
milestone: | none → kilo-3 |
status: | Fix Committed → Fix Released |
Changed in heat: | |
milestone: | kilo-3 → 2015.1.0 |
To post a comment you must log in.
Ok, so this is correct and not correct.
To see this you essentially need to use heat standalone:
Set:
[DEFAULT] ient_v2. client. KeystoneClientV 2
keystone_backend = heat_keystonecl
[paste_deploy]
flavor = standalone
Authentication will still work it will just use v3 to do it and not respect the v2.client setting.
This is because what i've done is to essentially separate the auth process from the CRUD process. If you are using any of the user or domain functions they will still operate on the keystone v2 API, they will just try and do it using a v3 token - which as far as I know will work just fine.
The error is: https:/ /github. com/openstack/ heat/blob/ 36eaea8208ab3e4 b077f21b4c8eb95 716296e9c6/ heat/common/ context. py#L194 where if a username and password are the only auth context items you have (so standalone without auth_token) then it constructs a v3.Password auth plugin - where in the case of keystoneclient_v2 it should construct a v2.Password.
I'll need to have a think as I don't see that there is a good way of handling this.
Is it reasonable to say that if you are using the auth_password middleware then you will always want to use v2 authentication? kc_client, v2) v2.Password else v3.Password
Otherwise the only thing i can think of is to do a check on the client type, so if isinstance(