Application credential documentation doesn't mention necessary service configuration

Bug #1950464 reported by Lance Bragstad
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Marcin Wilk

Bug Description

In order for keystonemiddleware to validate access rules it needs to be configured with the service_type [0].

We should update the application credential documentation [1] to describe this, or potentially add a new section to the admin guide so that operators are aware they need to set this configuration for users to actually use access rules.


Revision history for this message
Lance Bragstad (lbragstad) wrote :

I noticed this using a deployment with an application credential and access rules and I kept getting a 401 when I didn't expect it (I added the API to the access rules.)

It wasn't until I dug through the keystonemiddleware code that I realized I needed to set that configuration option in keystonemiddleware. After I updated the configuration for all the services, access rules and keystonemiddleware filtered properly.

I feel like this might be an important part of the feature that should be called out, since it's not straightforward from the error what needs to happen.

tags: added: documentation
tags: added: low-hanging-fruit
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master

Changed in keystone:
status: New → In Progress
Marcin Wilk (wilkmarcin)
Changed in keystone:
assignee: nobody → Marcin Wilk (wilkmarcin)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Submitter: "Zuul (22348)"
Branch: master

commit 3856cbf10d4d19b9d7797d600ef096b0c04aaedb
Author: Marcin Wilk <email address hidden>
Date: Mon Apr 4 09:37:33 2022 +0000

    Add service_type config info for access rules

    The service_type config param is crucial to successfully use
    application credentials with access rules.

    Closes-Bug: #1950464
    Change-Id: I98d1cfcbd229f2939d900861f453efa996466c32

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone

This issue was fixed in the openstack/keystone release candidate.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.