auth_token should NOT be configured with the service token, it should use the tenant/user

Bug #942983 reported by Joseph Heck
This bug affects 3 people
Affects: devstack
Status: Fix Released
Importance: Critical
Assigned to: Dean Troyer
Milestone: none

Bug Description

from http://etherpad.openstack.org/keystone-admin-config

auth_token should NOT be configured with the service token, it should use the tenant/user
   (heckj) ^^ the idea being set up "users" for each of the services to query agnostic of the individual user actions?
   (jesse) at least we should document that you can - we can create "nova" and "other" in devstack as the example...
   (dean) what roles would be required for these?
   (jesse) currently ADMIN, but it would be nice if it was "admin:service" OR something like that (termie?)
   (termie) recap: we set up users in a service tenant for each service, provide them with a username and password, the works, and we tell the service to use that username and password for all of its adminservice calls. Today the role is 'admin' which lets that service do literally anything in the system, in the future we might do something like 'service' instead which would limit the scope of the token. Keystone_data.sh can do all of this today.
       (heckj) What additional needs to happen with auth_token middleware to take advantage of this as opposed to using (the) service token?
       (heckj) Have it always take a username, password and pass that in from the service and relevant configs that are defined earlier by devstack in "keystone_data.sh".
       (termie) what that person said, he answered his own question.

Joseph Heck (heckj)
Changed in keystone:
status: New → Confirmed
milestone: none → essex-rc1
importance: Undecided → Critical
Joseph Heck (heckj)
Changed in keystone:
milestone: essex-rc1 → folsom-1
milestone: folsom-1 → essex-4
Alan Pevec (apevec) wrote :

Don't forget tools/sample_data.sh in Keystone (devstack should eventually use that)

Jesse Andrews (anotherjesse) wrote :

this is actually a devstack issue - the middleware already can do this - but poorly

affects: keystone → devstack
Changed in devstack:
milestone: essex-4 → none
Dean Troyer (dtroyer)
Changed in devstack:
assignee: nobody → Dean Troyer (dtroyer)
Jay Pipes (jaypipes)
Changed in devstack:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to devstack (master)

Reviewed: https://review.openstack.org/4668
Committed: http://github.com/openstack-dev/devstack/commit/b3288381047690510845209cc372d07e5b11e396
Submitter: Jenkins
Branch: master

commit b3288381047690510845209cc372d07e5b11e396
Author: Dean Troyer <email address hidden>
Date: Tue Feb 28 16:41:10 2012 -0600

    Add service account configuration

    * Use username/password instead of service token for service auth to Keystone
    * Updates files/glance-*-paste.ini and files/swift/proxy-server.conf
    * keystone_data.sh creates 'service' tenant, 'nova' and 'glance' users
      ('swift' and 'quantum' if those services are enabled)
    * Uses $SERVICE_PASSWORD for the service auth password. There is no default;
      to default to $ADMIN_PASSWORD, place the assignment in localrc.

    Fixes bug 942983

    Change-Id: If78eed1b509a9c1e8441bb4cfa095da9052f9395
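
What the fix changes in the auth_token paste filter, shown as an added illustration rather than the merged devstack files themselves: the first fragment is the shared-admin-token form the bug objects to, the second is the per-service username/password form. The two fragments are alternatives, not one file; host, port and the %...% placeholder values are constructed, and the option names are those of the Essex-era keystone auth_token middleware.

```ini
# BEFORE: every service presents the same Keystone admin token.
# Whoever can read this file (or the devstack environment that
# generated it) holds a credential that bypasses authentication
# for the whole deployment, and it cannot be rotated per service.
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
admin_token = %SERVICE_TOKEN%

# AFTER: the service authenticates as its own user ('glance' here,
# created by keystone_data.sh in the 'service' tenant). The credential
# names one service, can be rotated or revoked on its own, and its
# reach is bounded by the roles granted to that user (still 'admin'
# today, a narrower 'service' role being the intended follow-up).
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = glance
admin_password = %SERVICE_PASSWORD%
```

With the second form, a Keystone token log or audit trail attributes middleware validation calls to the 'glance' user rather than to an anonymous admin token, which is what makes per-service revocation and later role tightening possible.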

Changed in devstack:
status: In Progress → Fix Committed
Dean Troyer (dtroyer)
Changed in devstack:
status: Fix Committed → Fix Released