volume create failed when using trust-scoped token by barbicanclient

Bug #1849589 reported by jun923.gu
This bug affects 2 people
Affects: keystoneauth
Status: In Progress
Importance: Undecided
Assigned to: jun923.gu
Milestone: (none)

Bug Description

When we create a volume that is encrypted with barbican using a trust-scoped token, it fails. The log raises "Flow 'volume_create_api': Forbidden: You are not authorized to perform the requested action: Using trust-scoped token to create another token. Create a new trust-scoped token instead. (HTTP 403)". Keystone declares that "do not allow tokens used for delegation to create another token, or perform any changes of state in Keystone. To do so is to invite elevation of privilege attacks". So I think we should avoid the operation of using a trust-scoped token to create another token.
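
The rule quoted in the description can be checked on the client side before Keystone returns the 403. The following is an added example, not code from keystoneauth, barbicanclient or the proposed fix; the function names and sample token bodies are constructed, and it assumes the Keystone v3 token body, in which a trust-scoped token carries an `OS-TRUST:trust` section.

```python
# Added example: pre-flight check for the Keystone rule quoted in the bug description.
# Assumption: Keystone v3 token bodies, where a trust-scoped token has "OS-TRUST:trust".

class DelegatedTokenError(Exception):
    """A delegated token was about to be exchanged for another token."""


def trust_id(token_body):
    """Return the trust id if the v3 token body is trust-scoped, else None."""
    trust = token_body.get("token", {}).get("OS-TRUST:trust")
    return trust.get("id") if trust else None


def build_token_auth_request(token_id, token_body, project_id):
    """Build a v3 token-method auth request, refusing trust-scoped tokens.

    Keystone answers this request with HTTP 403 when the token is trust-scoped,
    so fail locally with a clear error instead of sending it.
    """
    tid = trust_id(token_body)
    if tid is not None:
        raise DelegatedTokenError(
            f"token is scoped to trust {tid}; use it directly or request a "
            "new trust-scoped token instead of re-authenticating with it"
        )
    return {"auth": {
        "identity": {"methods": ["token"], "token": {"id": token_id}},
        "scope": {"project": {"id": project_id}},
    }}


# Constructed sample token bodies (ids are placeholders, not real values).
PLAIN_TOKEN = {"token": {"methods": ["password"],
                         "project": {"id": "project-a"}}}
TRUST_TOKEN = {"token": {"methods": ["password"],
                         "project": {"id": "project-a"},
                         "OS-TRUST:trust": {"id": "trust-1",
                                            "impersonation": True,
                                            "trustor_user": {"id": "user-1"},
                                            "trustee_user": {"id": "svc-1"}}}}

if __name__ == "__main__":
    print(build_token_auth_request("PLAIN_TOKEN_ID", PLAIN_TOKEN, "project-a"))
    try:
        build_token_auth_request("TRUST_TOKEN_ID", TRUST_TOKEN, "project-a")
    except DelegatedTokenError as exc:
        print("refused:", exc)
```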

jun923.gu (gujun1989) wrote :
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystoneauth (master)

Fix proposed to branch: master
Review: https://review.opendev.org/690812

Changed in keystoneauth:
assignee: nobody → jun923.gu (gujun1989)
status: New → In Progress
Vishakha Agarwal (vishakha.agarwal) wrote :

Could you help me with the keystone version on which you are facing this issue? What roles did your user have in the OpenStack environment?

OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystoneauth (master)

Change abandoned by "Gage Hugo <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/keystoneauth/+/690812
Reason: Abandoning since there hasn't been any recent activity, if anyone wants to continue this work, please feel free to restore this or create a new change.
