OpenStack Identity (keystone)

  1. Bug #1811605
  2. Comment #2

Comment 2 for bug 1811605

Revision history for this message
Guang Yee (guang-yee) wrote :

So looks like there are two problems.

1) We assume that request_context will always have a token_reference, which is not true in the case
of X.509 tokenless auth.

2) We are no longer using auth_context when formulating the credentials for RBAC. Instead, we are using the Oslo request_context.

https://github.com/openstack/keystone/blob/master/keystone/common/rbac_enforcer/enforcer.py#L388
https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L981