system scope doesn't work for the service which use project specified endpoint
Bug #1745905 reported by wangxiyuan
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Cinder | Won't Fix | Undecided | Brian Rosmaita | |
OpenStack Identity (keystone) | Confirmed | Medium | Unassigned | |
Bug Description
For some projects, such as Cinder, the endpoint is project specified; the format is like:
http://
There are two problems:
1. For this kind of endpoint, a system-scoped token doesn't work because there is no project_id in the token.
2. When issuing a system-scoped token, Cinder's endpoint in the token catalog is empty. It means the Cinder service will not be discoverable when using a system-scoped token.
description: updated
tags: added: system-scope
Changed in cinder:
assignee: nobody → TommyLike (hu-husheng)
Changed in keystone:
status: New → Confirmed
importance: Undecided → Medium
tags: added: doc
Changed in cinder:
assignee: TommyLike (hu-husheng) → Brian Rosmaita (brian-rosmaita)
status: New → Triaged
milestone: none → wallaby-2
tags: added: policy
This is certainly going to be a discussion we'll need to have with other projects that rely on endpoint formats like this. Ideally, it would be good to generalize the policy enforcement code for that service to work with the new system scope format. After that, it might be possible for operators to remove the project IDs from their endpoint definitions. Eventually, projects should be able to remove code that parses the URL for a project ID.
This will be a long-running initiative, but it should make policy enforcement easier across services.
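
A simplified model of the behaviour described in the bug description and the comment above, as an added example that is not part of the original report and is not keystone's or Cinder's code: an endpoint template that needs a project ID cannot be rendered for a system-scoped token, so the service drops out of the catalog. The hostnames, the `%(project_id)s` template, the scope dictionaries and the function names are assumptions made for illustration.

```python
import re

# Constructed catalog entries; hosts and templates are assumptions, not from the report.
ENDPOINTS = [
    {"service": "identity", "url": "http://keystone.example.test/v3"},
    {"service": "volumev3", "url": "http://cinder.example.test/v3/%(project_id)s"},
]

PLACEHOLDER = re.compile(r"%\((\w+)\)s")


def render_catalog(endpoints, scope):
    """Render endpoint templates for a token scope.

    Returns (catalog, skipped): catalog maps service -> list of URLs, skipped
    lists (service, missing_key) for templates the scope could not fill.
    """
    # Only a project-scoped token carries a project_id to substitute.
    substitutions = {k: v for k, v in scope.items() if k == "project_id"}
    catalog, skipped = {}, []
    for ep in endpoints:
        try:
            url = ep["url"] % substitutions
        except KeyError as missing:
            # No value for the placeholder: the endpoint is left out.
            skipped.append((ep["service"], missing.args[0]))
            continue
        catalog.setdefault(ep["service"], []).append(url)
    return catalog, skipped


def project_bound_services(endpoints):
    """List services whose endpoint template needs a project ID."""
    return sorted({ep["service"] for ep in endpoints
                   if "project_id" in PLACEHOLDER.findall(ep["url"])})


if __name__ == "__main__":
    for label, scope in [("project", {"project_id": "p123"}),
                         ("system", {"system": "all"})]:
        catalog, skipped = render_catalog(ENDPOINTS, scope)
        print(label, "catalog:", catalog, "skipped:", skipped)
    print("needs project ID:", project_bound_services(ENDPOINTS))
```

Running `project_bound_services` over an exported endpoint list shows which services would be undiscoverable with a system-scoped token until their endpoint definitions no longer embed a project ID.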