Mistral is currently able to operate only with Keystone Identity V3. This is a restriction that prohibits its application in many current deployments.
This bug aims to fix this inability only on the service execution level. This way, when the Mistral level authentication/authorization is turned off, users will be able to execute workflows on Identity V2 capable clouds.
Solution description
1. Turn off pecan authentication in the server.
2. The client must authenticate. V2 or V3 does not matter.
3. The client receives the service catalog on login:
V2: http://developer.openstack.org/api-ref/identity/v2/?expanded=authenticate-detail#id8
V3: http://developer.openstack.org/api-ref/identity/v3/?expanded=password-authentication-with-unscoped-authorization-detail,token-authentication-with-scoped-authorization-detail,validate-and-show-information-for-token-detail,password-authentication-with-scoped-authorization-detail#request (check the note at the nocatalog parameter)
4. The client can forward this catalog to the server and the server can use it to create the OS service clients. The server seems to be partly set up for this option too: https://github.com/openstack/mistral/blob/master/mistral/context.py#L82
5. keystone_utils can be simply updated to have means to extract the endpoints from the catalog stored in the context, rather than going out to keystone.
Fix proposed to branch: master
Review: https:/