Token operations fail when fernet key repository isn't writeable
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
Undecided
|
Ron De Rose | ||
Liberty |
Fix Released
|
Undecided
|
Steve Martinelli |
Bug Description
When using fernet tokens, I'm unable to get a token if the key_repository isn't writeable [0]. The main keystone process is only required to read keys from the key repository. The keystone-manage process must have write access to the key repository in order to bootstrap keys.
Keystone doesn't rely on write access in order to create tokens. The check for keystone shouldn't be dependent on it having write access, since it doesn't need it [1].
The write permissions should be kept when called from keystone-manage, but not when called from keystone.
mfisch and clayton from Time Warner Cable brought this to my attention and I was able to recreate.
[0] http://
[1] https:/
tags: | added: fernet |
summary: |
- Unable to get token when fernet key repository isn't writeable + Token operations fail when fernet key repository isn't writeable |
description: | updated |
Changed in keystone: | |
assignee: | nobody → Ron De Rose (ronald-de-rose) |
Changed in keystone: | |
assignee: | Ron De Rose (ronald-de-rose) → Navid Pustchi (npustchi) |
assignee: | Navid Pustchi (npustchi) → nobody |
Changed in keystone: | |
assignee: | nobody → Ron De Rose (ronald-de-rose) |
Changed in keystone: | |
status: | New → Confirmed |
Might be able to fix with something like - http:// cdn.pasteraw. com/k6itk7dgxbu j5jf0s45s10clhf ekl33