Token Auth does not work (not fetching catalog)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
keystoneauth |
Opinion
|
Undecided
|
Unassigned | ||
python-openstackclient |
Opinion
|
Undecided
|
Unassigned |
Bug Description
The docs all seem to assume token auth works exactly like password auth, except with an existing token. Even the various clients seem to expect this functionality.
Heatclient attempts to do token auth and falls over because it gets back an empty catalog:
https:/
OpenStack client has pretty much the same issue.
To confirm I've just spun up a new devstack and wrote a few scripts to test it.
First I tried this:
http://
The error I get is: "The service catalog is empty."
I'm not sure if the issue was due to the token not being scoped so to be explicit I fetch a scoped token with curl, set that to an environment variable, and ran another python script to again try and fetch flavors:
curl: http://
python: http://
Same problem. It seems that it gets past authentication, but can't then do anything.
Back when I first encountered this issue with OS-Client I assumed it was a parameter problem and submitted a bug there, but now it seems the issue is KeystoneAuth not correctly fetching a catalog when authenticating with a token or not scoping the new internal token it creates for you.
This appears to be quite a major bug for what seems to be an expected feature. Either that or there has been a disconnect between what this feature actually is, and what people want from it.
Changed in keystoneauth: | |
status: | New → Invalid |
Changed in python-openstackclient: | |
status: | New → Opinion |
Changed in keystoneauth: | |
status: | Invalid → Opinion |