System scope doesn't work for services that use project-specific endpoints

Bug #1745905 reported by wangxiyuan
This bug affects 4 people
Affects                        Status     Importance  Assigned to      Milestone
Cinder                         Won't Fix  Undecided   Brian Rosmaita   (none)
OpenStack Identity (keystone)  Confirmed  Medium      Unassigned       (none)

Bug Description

For some projects, such as Cinder, the endpoint is project-specific; the format is like:
http://ip/volume/v3/{project_id}/os-services

There are two problems:
1. For this kind of endpoint, a system-scoped token doesn't work because there is no project_id in the token.

2. When issuing a system-scoped token, the Cinder endpoint in the token catalog is empty. This means the Cinder service will not be discoverable when using a system-scoped token.

wangxiyuan (wangxiyuan)
description: updated
wangxiyuan (wangxiyuan)
tags: added: system-scope
TommyLike (hu-husheng)
Changed in cinder:
assignee: nobody → TommyLike (hu-husheng)
Changed in keystone:
status: New → Confirmed
importance: Undecided → Medium
Lance Bragstad (lbragstad) wrote :

This is certainly going to be a discussion we'll need to have with other projects that rely on endpoint formats like this. Ideally, it would be good to generalize the policy enforcement code for that service to work with the new system scope format. After that, it might be possible for operators to remove the project IDs from their endpoint definitions. Eventually, projects should be able to remove code that parses the URL for a project ID.

This will be a long running initiative, but it should make policy enforcement easier across services.

Lance Bragstad (lbragstad) wrote :

Since keystone does everything for services to consume this today, we might be able to fix this with documentation that describes how services convert project IDs from URL to consuming scope from tokens.
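The following is an added example, not code from keystone, cinder or this bug thread. It is a stdlib-only model of the two problems in the description (a project-templated endpoint is dropped from the catalog of a system-scoped token, and URL-derived project checks can never pass for such a token) and of the direction the comment above points at: taking scope from the token instead of parsing a project ID out of the URL. The endpoint host, token payloads and rule table are constructed for illustration; keystone does fill `$(project_id)s` placeholders in catalog URLs from the token, but the code below only mimics that behaviour.

```python
"""Added example (not keystone's or cinder's own code): a stdlib-only model
of project-templated endpoints against project- and system-scoped tokens,
and of policy checks that take scope from the token rather than the URL.

Everything below is constructed for illustration: the host, the token
payloads and the rule table are assumptions, not real deployment data."""
import re

# Constructed catalog entries: one project-templated URL (the cinder shape
# from the report) beside one untemplated URL.
ENDPOINTS = {
    "cinderv3": "http://192.0.2.10/volume/v3/$(project_id)s",
    "keystone": "http://192.0.2.10/identity/v3",
}

# Constructed token payloads, trimmed to the fields this model needs.
PROJECT_TOKEN = {"user_id": "u1", "project_id": "a1b2c3", "roles": ["admin"]}
SYSTEM_TOKEN = {"user_id": "u1", "system": {"all": True}, "roles": ["admin"]}

_PLACEHOLDER = re.compile(r"\$\((\w+)\)s")
# Accepts the path with or without the /volume prefix a proxy may strip.
_PROJECT_IN_PATH = re.compile(r"^(?:/volume)?/v3/(?P<project_id>[0-9a-f]{6,})(?:/|$)")


def format_endpoint(template, token):
    """Fill $(key)s placeholders from the token.

    Returns None when the template needs a key the token lacks. A
    system-scoped token carries no project_id, so a project-templated
    endpoint cannot be formatted for it (problem 2 in the report)."""
    try:
        return _PLACEHOLDER.sub(lambda m: token[m.group(1)], template)
    except KeyError:
        return None


def build_catalog(endpoints, token):
    """Catalog as it would be embedded in the token: entries whose URL
    cannot be formatted for this token's scope are silently omitted."""
    catalog = {}
    for name, template in endpoints.items():
        url = format_endpoint(template, token)
        if url is not None:
            catalog[name] = url
    return catalog


def project_from_path(path):
    """Legacy pattern: the target project is parsed out of the request URL."""
    m = _PROJECT_IN_PATH.match(path)
    return m.group("project_id") if m else None


def scope_from_token(token):
    """Read scope from the token itself: ('system', None),
    ('project', <id>) or ('unscoped', None)."""
    if "system" in token:
        return "system", None
    if "project_id" in token:
        return "project", token["project_id"]
    return "unscoped", None


def legacy_enforce(token, path):
    """Problem 1: the project in the URL must equal the project in the token.
    A system-scoped token has no project, so this can never succeed."""
    target = project_from_path(path)
    if target is None:
        return False, "no project_id in URL"
    if token.get("project_id") != target:
        return False, "token project does not match URL project"
    return True, "ok"


# Constructed rule table, in the spirit of scope-aware policy rules: a
# deployment-wide operation expects system scope, a per-resource operation
# expects project scope on the owning project. Real rules live in each
# service's policy file; only the shape of the check is shown here.
RULES = {
    "os-services:index": lambda scope, proj, roles, target: scope == "system" and "admin" in roles,
    "volume:get": lambda scope, proj, roles, target: scope == "project" and proj == target,
}


def scoped_enforce(rule, token, target_project=None):
    """Token-derived scope: the caller's scope comes from the token, and for
    per-resource rules the owning project is passed as the target instead of
    being parsed from the URL."""
    scope, project = scope_from_token(token)
    return RULES[rule](scope, project, token.get("roles", []), target_project)


if __name__ == "__main__":
    print(build_catalog(ENDPOINTS, PROJECT_TOKEN))   # cinderv3 present
    print(build_catalog(ENDPOINTS, SYSTEM_TOKEN))    # cinderv3 missing
    print(legacy_enforce(SYSTEM_TOKEN, "/volume/v3/a1b2c3/os-services"))
    print(scoped_enforce("os-services:index", SYSTEM_TOKEN))
```

Run it as a script to see the catalog shrink for the system-scoped token and the legacy URL check reject it, while the token-derived check admits the same caller for the deployment-wide rule and still confines project-scoped callers to their own project for the per-resource rule.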

tags: added: documentation
removed: system-scope
tags: added: doc
Changed in cinder:
assignee: TommyLike (hu-husheng) → Brian Rosmaita (brian-rosmaita)
status: New → Triaged
milestone: none → wallaby-2
Nautik (nautik) wrote :

For the record, a good explanation on where this topic is at this time in cinder: http://lists.openstack.org/pipermail/openstack-discuss/2020-November/019122.html

Thank you Brian!

tags: added: policy
Alvaro Lopez (aloga) wrote :

This is still an issue, especially when using system-scoped tokens. Is there any progress?

Brian Rosmaita (brian-rosmaita) wrote :

There was a change in direction with the "Consistent and Secure RBAC" community goal and system scope will not be implemented across OpenStack services. See

https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change

for details.

Changed in cinder:
milestone: wallaby-2 → none
status: Triaged → Won't Fix