keystonemiddleware is hardcoded to use the admin endpoint

Bug #1830002 reported by Dr. Jens Harbott
Affects: keystonemiddleware
Status: Fix Released
Importance: Undecided
Assigned to: Dr. Jens Harbott
Milestone: (none listed)

Bug Description

When verifying tokens, keystonemiddleware is hardcoded to talk to the keystone admin endpoint. This is blocking deployments from working without an admin endpoint, which otherwise would be easily possible since API v3 is in use.

In order to be able to fix this without breaking backwards compatibility, the solution proposed in [1] is to introduce a new variable that will allow a deployment to select the interface to be used for choosing the endpoint. It will default to "admin" but also generate a deprecation warning in order to notify deployers that they may want to change this setting.

[1] https://review.opendev.org/#/c/651790

Changed in keystonemiddleware:
assignee: nobody → Dr. Jens Harbott (j-harbott)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystonemiddleware (master)

Fix proposed to branch: master
Review: https://review.opendev.org/662734

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystonemiddleware (master)

Reviewed: https://review.opendev.org/651790
Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=f6037a3d50a80d8c2e0044c8f72d23dddb0d7203
Submitter: Zuul
Branch: master

commit f6037a3d50a80d8c2e0044c8f72d23dddb0d7203
Author: Jens Harbott <email address hidden>
Date: Thu Apr 11 14:02:00 2019 +0000

    Add a new option to choose the Identity endpoint

    Previously the admin Identity endpoint was hardcoded to be used. Now
    that keystone has dropped v2 support, deploying an admin Identity
    endpoint is no longer useful, so allow this to be changed by the
    deployer. Keep the default as using the `admin` endpoint, but create
    a deprecation message so that we can change the default in the future.

    Partial-Bug: 1830002
    Change-Id: I993a45ccb1109d67e65bf32d1e134cc9bec2d88e

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/662734
Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=8f9a596fffbb262481b32191a98b9169bc1618b1
Submitter: Zuul
Branch: master

commit 8f9a596fffbb262481b32191a98b9169bc1618b1
Author: Jens Harbott <email address hidden>
Date: Mon Jun 3 11:05:29 2019 +0000

    Change the default Identity endpoint to internal

    In [0] the ``interface`` option was added in order to allow the Identity
    endpoint that is being used when validating tokens to be
    configured by the deployer. Change the default to using the internal
    endpoint, as that should be what most deployments will end up using.

    [0] https://review.opendev.org/651790

    Depends-On: https://review.opendev.org/651492
    Closes-Bug: 1830002
    Change-Id: I0ce8b6d8cd408c7fac8107972e7be70839e337fb

Changed in keystonemiddleware:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystonemiddleware ussuri-eol

This issue was fixed in the openstack/keystonemiddleware ussuri-eol release.
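
The two commits above change which Identity endpoint token validation uses whenever `interface` is not set explicitly. The following is an added example, not code from keystonemiddleware or from this bug report: it audits service config text for that case, assuming the option is read from a `[keystone_authtoken]` section; the finding labels and sample configs are constructed for illustration.

```python
import configparser

SECTION = "keystone_authtoken"  # assumed section holding auth_token options
OPTION = "interface"            # option introduced by the first commit
OLD_DEFAULT = "admin"           # default while the deprecation warning applied
NEW_DEFAULT = "internal"        # default after the second commit
KNOWN = {"admin", "internal", "public"}  # Keystone catalog interface names


def audit_interface(conf_text):
    """Return (before, after, finding) for the text of one service config.

    before/after are the effective interface with the old and new default;
    the finding strings are hypothetical labels used only by this example.
    """
    # Rename the default section so values under [DEFAULT] are not inherited
    # by [keystone_authtoken]; strict=False tolerates repeated keys.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__")
    parser.read_string(conf_text)
    value = None
    if parser.has_section(SECTION):
        value = parser.get(SECTION, OPTION, fallback=None)
    if value is None:
        # Not set: the endpoint used for validation changes with the default.
        return OLD_DEFAULT, NEW_DEFAULT, "implicit-default-changes"
    value = value.strip()
    if value not in KNOWN:
        return value, value, "unrecognised-value"
    if value == "admin":
        # Pinned to admin: the catalog must still carry an admin endpoint.
        return value, value, "explicit-admin-endpoint-required"
    return value, value, "explicit"


# Constructed sample configs, not taken from the bug report.
SAMPLES = {
    "nova.conf": "[DEFAULT]\ninterface = public\n"
                 "[keystone_authtoken]\nauth_type = password\n",
    "glance-api.conf": "[keystone_authtoken]\ninterface = admin\n",
    "cinder.conf": "[keystone_authtoken]\ninterface = internal\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit_interface(text))
```

Configs reported as `implicit-default-changes` are the ones to review before upgrading, since their token validation traffic moves from the admin to the internal endpoint without any config edit.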
