Keystone-v3-Support-in-MOS-8.0

Bug #1551768 reported by Robert Duncan
This bug affects 1 person
Affects: Fuel for OpenStack
Status: Invalid
Importance: High
Assigned to: Fuel Library (Deprecated)

Bug Description

Fuel 8 release notes:

Keystone
Mirantis OpenStack 8.0 contains the following enhancements for the Identity service:
Added support for configuring Web Single Sign-On (WebSSO) per Identity Provider. See spec.
Added openstack_user_domain and openstack_project_domain attributes to SAML in order to map the user and project domains respectively. See spec.
Enabled filtering by user_id in the GET /credentials call. See blueprint.
Improved support for out-of-tree drivers by defining the Keystone Stable Driver Interfaces (KSDI). See blueprint | spec.
Experimental. Added the tokenless authorization with X.509 SSL client certificate. See blueprint | spec | X.509 example.
Hardened the following features: Fernet tokens, Federation, domain-specific configurations from the database, and role assignments.

With these release notes we would expect Fuel to deploy keystone v3 - we can't use WebSSO, SAML, OID or domain specific drivers with v2.

Tags: area-library
Changed in fuel:
importance: Undecided → High
assignee: nobody → Fuel Library Team (fuel-library)
milestone: none → 8.0-updates
tags: added: area-library
Changed in fuel:
status: New → Confirmed
Bogdan Dobrelya (bogdando) wrote :

Could you please provide more details and a logs snapshot for the issue?

Changed in fuel:
status: Confirmed → Invalid
status: Invalid → Incomplete
Robert Duncan (rduncan-t) wrote :

I simply deployed OpenStack Liberty with Fuel 8.0; it does not deploy with any version 3 or unversioned keystone endpoints in the catalog. They have to be manually configured afterwards.

In the release notes it states:

Added support for configuring Web Single Sign-On (WebSSO) per Identity Provider. See spec.
Added openstack_user_domain and openstack_project_domain attributes to SAML in order to map the user and project domains respectively. See spec.

While that is true, if an administrator goes ahead and manually configures keystone version 3, they might find that it breaks other elements of MOS 8.0 which do not support domain scoped tokens.

Domain specific drivers with external LDAP, SAML and OID single sign on, all break object storage when ceph radosgw is used.
It deploys keystone v2, there's no option to deploy v3, and if you do manually configure it, it breaks things.

https://bugs.launchpad.net/mos/+bug/1498552

Perhaps there should be a more general statement about the level of support for keystone v3.
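
A check for the condition described in the comment above, as an added example that is not part of the original bug report or of Fuel: it reads the service catalog from a Keystone v2.0 token response and classifies each identity endpoint URL as v2, v3 or unversioned. The sample catalog, its addresses and the function names are constructed for illustration.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample: a Keystone v2.0 token response trimmed to its catalog.
# Addresses are documentation-range placeholders, not from a real deployment.
SAMPLE = json.loads("""
{"access": {"serviceCatalog": [
  {"type": "identity", "name": "keystone", "endpoints": [
    {"region": "RegionOne", "publicURL": "http://192.0.2.10:5000/v2.0",
     "internalURL": "http://192.0.2.11:5000/v2.0",
     "adminURL": "http://192.0.2.11:35357/v2.0"}]},
  {"type": "object-store", "name": "swift", "endpoints": [
    {"region": "RegionOne", "publicURL": "http://192.0.2.10:8080/swift/v1",
     "internalURL": "http://192.0.2.11:8080/swift/v1",
     "adminURL": "http://192.0.2.11:8080/swift/v1"}]}
]}}
""")

URL_KEYS = ("publicURL", "internalURL", "adminURL")

def classify_identity_url(url):
    """Return 'v2', 'v3', 'unversioned' or 'other' from the last path segment."""
    last = urlparse(url).path.rstrip("/").rsplit("/", 1)[-1].lower()
    match = re.fullmatch(r"v(\d+)(?:\.\d+)?", last)
    if match is None:
        return "unversioned"  # no version suffix: the client negotiates it
    return {"2": "v2", "3": "v3"}.get(match.group(1), "other")

def audit_identity_endpoints(token_response):
    """List (region, interface, url, version class) for identity endpoints."""
    findings = []
    for service in token_response["access"]["serviceCatalog"]:
        if service.get("type") != "identity":
            continue
        for ep in service.get("endpoints", []):
            for key in URL_KEYS:
                if key in ep:
                    findings.append((ep.get("region"), key, ep[key],
                                     classify_identity_url(ep[key])))
    return findings

def has_v3_capable_endpoint(findings):
    """True if any identity endpoint is v3 or unversioned."""
    return any(f[3] in ("v3", "unversioned") for f in findings)

if __name__ == "__main__":
    for region, key, url, cls in audit_identity_endpoints(SAMPLE):
        print(f"{region} {key:12} {url} -> {cls}")
    print("v3-capable:", has_v3_capable_endpoint(audit_identity_endpoints(SAMPLE)))
```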

Robert Duncan (rduncan-t) wrote :

I should say - it deploys configured for v2 with no option to deploy configured for v3.

Oleksiy Molchanov (omolchanov) wrote :

Marking it as Invalid, because of no update for more than a month.

Changed in fuel:
status: Incomplete → Invalid