[docs] Service tokens documentation is misleading

Bug #1991154 reported by Jorge Merlino
Affects: Cinder
Status: Fix Released
Importance: Low
Assigned to: Jorge Merlino

Bug Description

- [x] This doc is inaccurate in this way: It mentions that service_token_roles_required is optional but service tokens do not work well if it is disabled
- [ ] This is a doc addition request.
- [x] I have a fix to the document that I can paste below including example: input and output.

I think the note that says: "There is no configuration required for a service to receive service tokens" should be removed and we should move the service_token_roles_required explanation from troubleshooting to the configuration section and state that it is mandatory to receive service tokens.

The problem that occurs when service_token_roles_required is not enabled is that keystonemiddleware does not validate expired user tokens unless the role verification has passed (see https://opendev.org/openstack/keystonemiddleware/src/branch/master/keystonemiddleware/auth_token/__init__.py#L403). Thus, if the role checking is not enabled, service tokens do not help when the user token is invalid even if they are not.

-----------------------------------
Release: 20.0.2.dev11 on 2019-07-22 12:51:47
SHA: c0437a03cfd34432c05a5b727899a3274f6ce725
Source: https://opendev.org/openstack/cinder/src/doc/source/configuration/block-storage/service-token.rst
URL: https://docs.openstack.org/cinder/yoga/configuration/block-storage/service-token.html
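
A configuration check for the setting discussed in this report, added here as an example (not code from the bug report, Cinder or keystonemiddleware). The function name and sample configs are constructed; it assumes the options live in `[keystone_authtoken]` and that keystonemiddleware's defaults are `service_token_roles_required = false` and `service_token_roles = service`.

```python
import configparser

SECTION = "keystone_authtoken"

def audit_service_token_config(conf_text):
    """Return findings for the service-token options in an oslo.config-style file."""
    # default_section is renamed so oslo's [DEFAULT] is not inherited by other
    # sections; strict=False tolerates repeated keys; interpolation=None leaves '%' alone.
    cfg = configparser.ConfigParser(strict=False, interpolation=None,
                                    default_section="__unused__")
    cfg.read_string(conf_text)
    if not cfg.has_section(SECTION):
        return ["no [keystone_authtoken] section found"]
    findings = []
    try:
        # Assumed keystonemiddleware default when the option is absent: False.
        required = cfg.getboolean(SECTION, "service_token_roles_required", fallback=False)
    except ValueError:
        required = None
        findings.append("service_token_roles_required is not a valid boolean")
    if required is False:
        findings.append("service_token_roles_required is not enabled: per the bug report, "
                        "a valid service token will not rescue an expired user token")
    # Assumed keystonemiddleware default role list when the option is absent: "service".
    raw_roles = cfg.get(SECTION, "service_token_roles", fallback="service")
    if not [r for r in (p.strip() for p in raw_roles.split(",")) if r]:
        findings.append("service_token_roles is empty: the role check has nothing to match")
    return findings

# Constructed sample configs (not taken from the bug report).
WEAK_CONF = """
[DEFAULT]
debug = false

[keystone_authtoken]
auth_type = password
service_token_roles = service
"""
FIXED_CONF = WEAK_CONF + "service_token_roles_required = true\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_service_token_config(text) or "OK")
```
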

Changed in cinder:
assignee: nobody → Jorge Merlino (jorge-merlino)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/cinder/+/859853

Changed in cinder:
status: New → In Progress
Changed in cinder:
importance: Undecided → Low
tags: added: documentation low-hanging-fruit
summary: - Service tokens documentation is misleading
+ [docs] Service tokens documentation is misleading
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.opendev.org/c/openstack/cinder/+/859853
Committed: https://opendev.org/openstack/cinder/commit/850a58a29ca7f700559b69a41e885685228db6fa
Submitter: "Zuul (22348)"
Branch: master

commit 850a58a29ca7f700559b69a41e885685228db6fa
Author: Jorge Merlino <email address hidden>
Date: Thu Sep 29 10:39:25 2022 -0300

    Fix service token documentation

    Make clear that service_token_roles_required parameter is required for
    service tokens to work properly.

    Closes-Bug: #1991154
    Change-Id: I8293b48b3740ab3a22ac478ba2c0b80f57bb3761

Changed in cinder:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 22.0.0.0rc1

This issue was fixed in the openstack/cinder 22.0.0.0rc1 release candidate.
