OpenStack Keystone Charm

'[DEFAULT] admin_token' is deprecated

Bug #1837113 reported by Peter Matulis
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Keystone Charm
Fix Released
Medium
Unassigned
OpenStack Keystone Charm 20.05

Bug Description

This deprecation warning was found in keystone.log:

(keystone.middleware.auth): 2019-07-17 22:30:08,725 WARNING The use of the '[DEFAULT] admin_token' configurationoption presents a significant security risk and should not be set. This option is deprecated in favor of using 'keystone-manage bootstrap' and will be removed in a future release.
(keystone.common.controller): 2019-07-17 22:30:08,813 WARNING RBAC: Bypassing authorization

See bug 1578678

Setup:

Bionic
OpenStack Queens
Juju 2.6.5
LXD containers [1]

LXD host:
Linux node-pytheas 4.15.0-54-generic #58-Ubuntu SMP Mon Jun 24 10:55:24 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

[1]: https://github.com/openstack-charmers/openstack-on-lxd

Peter Matulis (petermatulis)
summary: - '[DEFAULT] admin_token' configurationoption presents a significant
- security risk
+ '[DEFAULT] admin_token' is deprecated
Alex Kavanagh (ajkavanagh)
Changed in charm-keystone:
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone (master)

Reviewed: https://review.opendev.org/712040
Committed: https://git.openstack.org/cgit/openstack/charm-keystone/commit/?id=0a02c30fe5f4650235519897b71588ae22fa0971
Submitter: Zuul
Branch: master

commit 0a02c30fe5f4650235519897b71588ae22fa0971
Author: Frode Nordahl <email address hidden>
Date: Mon Mar 9 15:06:09 2020 +0100

    Replace use of admin_token with Keystone bootstrap

    Stop the use of the admin_token and use the bootstrap process
    to initialize Keystone instead. Fortunately the implementation
    of the bootstrap process is both idempotent when it needs to be
    and it can be safely called on an existing deployment.

    Subsequently we can migrate by just removing the admin_token
    from the configuration and create new credentials for use by
    the charm with a call to ``keystone-manage bootstrap``.

    Remove configuration templates for versions prior to Mitaka, by
    doing this we need to move any configuration initially defined
    prior to Miataka forward to the ``templates/mitaka`` folder.

    A side effect of this migration is that newly bootstrapped
    deployments will get their ``default`` domain created with a
    literal ID of ``default``. Prior to this change third party
    software making assumptions about that being the case may have
    had issues.

    Closes-Bug: #1859844
    Closes-Bug: #1837113
    Related-Bug: #1774733
    Closes-Bug: #1648719
    Closes-Bug: #1578678
    Func-Test-Pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/191
    Change-Id: I23940720c24527ee34149f035c3bdf9ff54812c9

Changed in charm-keystone:
status: In Progress → Fix Committed
James Page (james-page)
Changed in charm-keystone:
milestone: none → 20.05
David Ames (thedac)
Changed in charm-keystone:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.