Comment 2 for bug 1810983

Guang Yee (guang-yee) wrote : Re: domain admin unable to fetch domain

After further investigation, turns out my initial analysis was incorrect. Looks like we are no longer able to specify something like this for the credential match anymore.

'token.project.domain.id'

This capability was taken away by the removal of KeystoneToken from the model by this patch.

https://review.openstack.org/#/c/577567

KeystoneToken used to be a subclass of dict which stores the token ref JSON.

https://github.com/openstack/keystone/blob/stable/queens/keystone/models/token_model.py#L47

TokenModel, on the other hand, is an object.

https://github.com/openstack/keystone/blob/stable/rocky/keystone/models/token_model.py#L35

From now on, I guess we'll need to use the attributes in the TokenModel or oslo_context.to_policy_values() for credential match instead. So we can change the rule to either 'token.project.domain_id' or simply 'project_domain_id'.
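An audit sketch for the change described in this comment, added here as an example and not part of the bug report or of keystone: it scans a policy file for credential keys that walk into the old token JSON (`token.` followed by nested keys) and suggests a flat key. The sample policy is constructed; only the `token.project.domain.id` to `project_domain_id` pair comes from the comment, and the other mappings are assumptions based on the keys returned by oslo.context's `to_policy_values()`.

```python
import json
import re

# Constructed sample policy file (not taken from the bug report).
SAMPLE_POLICY = json.dumps({
    "admin_required": "role:admin",
    "identity:get_domain": "rule:admin_required and "
                           "token.project.domain.id:%(target.domain.id)s",
    "identity:list_projects": "rule:admin_required and "
                              "project_domain_id:%(target.domain.id)s",
})

# Flat credential keys to suggest. The first pair is the one named in the
# comment; the rest are assumed equivalents taken from the keys that
# oslo.context's to_policy_values() returns.
FLAT_KEY = {
    "token.project.domain.id": "project_domain_id",
    "token.project.id": "project_id",
    "token.user.id": "user_id",
    "token.user.domain.id": "user_domain_id",
    "token.domain.id": "domain_id",
}

# Left-hand side of a "kind:match" check whose kind walks into the token.
TOKEN_KIND = re.compile(r"(?<![\w.])(token(?:\.\w+)+)(?=:)")


def audit_policy(policy_text):
    """Return (rule_name, credential_key, suggestion) for each token.* key."""
    findings = []
    for name, rule in sorted(json.loads(policy_text).items()):
        for key in TOKEN_KIND.findall(rule):
            findings.append((name, key, FLAT_KEY.get(key)))
    return findings


def rewrite_policy(policy_text):
    """Replace token.* keys that have a known flat equivalent."""
    policy = json.loads(policy_text)
    for name, rule in policy.items():
        policy[name] = TOKEN_KIND.sub(
            lambda m: FLAT_KEY.get(m.group(1), m.group(1)), rule)
    return policy


if __name__ == "__main__":
    for name, key, fix in audit_policy(SAMPLE_POLICY):
        print(f"{name}: {key} -> {fix or 'no known flat key, review by hand'}")
```

Keys with no entry in the mapping are reported with no suggestion and left unchanged by `rewrite_policy`, so they can be reviewed by hand.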