Application credential documentation doesn't mention necessary service configuration
Bug #1950464 reported by
Lance Bragstad
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Fix Released
|
Undecided
|
Marcin Wilk | ||
Bug Description
In order for keystonemiddleware to validate access rules it needs to be configured with the service_type [0].
We should update the application credential documentation [1] to describe this, or potentially add a new section to the admin guide so that operators are aware they need to set this configuration for users to actually use access rules.
[0] https:/
[1] https:/
| tags: | added: low-hanging-fruit |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix proposed to keystone (master) | #2 |
| Changed in keystone: | |
| status: | New → In Progress |
| Changed in keystone: | |
| assignee: | nobody → Marcin Wilk (wilkmarcin) |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to keystone (master) | #3 |
| Changed in keystone: | |
| status: | In Progress → Fix Released |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix included in openstack/keystone 22.0.0.0rc1 | #4 |
To post a comment you must log in.
I noticed this using a deployment with an application credential and access rules and I kept getting a 401 when I didn't expect it (I added the API to the access rules.)
It wasn't until I dug through the keystonemiddleware code that I realized I needed to set that configuration option in keystonemiddleware. After I updated the configuration for all the services, access rules and keystonemiddleware filtered properly.
I feel like this might be an important part of the feature that should be called out, since it's not straightforward from the error what needs to happen.