Application credential documentation doesn't mention necessary service configuration
Bug #1950464 reported by
Lance Bragstad
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
Undecided
|
Marcin Wilk |
Bug Description
In order for keystonemiddleware to validate access rules it needs to be configured with the service_type [0].
We should update the application credential documentation [1] to describe this, or potentially add a new section to the admin guide so that operators are aware they need to set this configuration for users to actually use access rules.
[0] https:/
[1] https:/
tags: | added: low-hanging-fruit |
Changed in keystone: | |
assignee: | nobody → Marcin Wilk (wilkmarcin) |
To post a comment you must log in.
I noticed this using a deployment with an application credential and access rules and I kept getting a 401 when I didn't expect it (I added the API to the access rules.)
It wasn't until I dug through the keystonemiddleware code that I realized I needed to set that configuration option in keystonemiddleware. After I updated the configuration for all the services, access rules and keystonemiddleware filtered properly.
I feel like this might be an important part of the feature that should be called out, since it's not straightforward from the error what needs to happen.