Murano Engine uses keystone_authtoken configuration section

Bug #1643583 reported by Alexander Tivelkov
This bug affects 2 people
Affects: Murano
Status: Fix Released
Importance: Medium
Assigned to: zhurong

Bug Description

Murano engine needs to authenticate in Keystone using some service user. It is used to create/remove trusts, list available services in service catalog etc.

This requires appropriate connectivity configuration: identity uri, credentials of service user, project, domain etc.

Currently murano uses the [keystone_authtoken] configuration section to read these options, which is technically incorrect: that configuration is intended to be used only to validate the token at WSGI middleware, not for everything else.

This leads to:
a) inability to fine-tune role-based privileges for service-user going to execute trust-delegated tasks
b) implicit dependency of murano engine on the implementation details of keystonemiddleware and its plugins: if the middleware deprecates one of its configuration properties, Murano engine won't be able to maintain backwards compatibility with its config.

Changed in murano:
assignee: nobody → Alexander Tivelkov (ativelkov)
zhurong (zhu-rong)
Changed in murano:
status: New → Confirmed
importance: Undecided → Medium
Dr. Jens Harbott (j-harbott) wrote :

Any chance of progress here? We will not be able to deploy Murano unless it supports identity-v3-only and tls-proxy, see related bug https://launchpad.net/bugs/1658648.

Btw., having backwards compatible config files seems like a pretty strange goal to me, never seen that in any other OpenStack project.

zhurong (zhu-rong)
Changed in murano:
assignee: Alexander Tivelkov (ativelkov) → zhurong (zhu-rong)
Changed in murano:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to murano (master)

Reviewed: https://review.openstack.org/450671
Committed: https://git.openstack.org/cgit/openstack/murano/commit/?id=75b47bbabd876bca80a9c08e82112f0935bbbf5b
Submitter: Jenkins
Branch: master

commit 75b47bbabd876bca80a9c08e82112f0935bbbf5b
Author: zhurong <email address hidden>
Date: Tue Mar 28 17:19:08 2017 +0800

    Make murano auth with murano_auth section instead of keystone_authtoken

    This patch adds a murano_auth for murano auth with keystone.
    This gives ability to fine-tune role-based privileges for
    service-user going to execute trust-delegated tasks and the auth
    configuration properties do not need to change when keystonemiddleware
    deprecates its configuration properties.

    Closes-Bug: #1643583
    Closes-Bug: #1658648
    Change-Id: If10fa8c938c264c7b5cadb3c3ed77f39488dcab7
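
An added example, not part of the bug report or Murano's own code: a small audit that checks whether a murano.conf gives the engine its own service user in [murano_auth] instead of sharing the [keystone_authtoken] credentials. The option names (auth_type, auth_url, username, password, project_name) follow keystoneauth's password plugin and are assumptions, as are the constructed sample values; the report does not list the options the section accepts.

```python
import configparser

MIDDLEWARE = "keystone_authtoken"   # token validation in the WSGI middleware
ENGINE = "murano_auth"              # engine's own service user (from the fix)

# Constructed sample configs; option names are assumed, values are made up.
SHARED = """
[keystone_authtoken]
auth_type = password
auth_url = https://keystone.example.test/identity
username = murano
password = constructed-secret
project_name = service
"""

SPLIT = SHARED + """
[murano_auth]
auth_type = password
auth_url = https://keystone.example.test/identity
username = murano-engine
password = another-constructed-secret
project_name = service
"""


def audit(conf_text):
    """Return a list of findings about engine/middleware credential separation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    engine_user = cp.get(ENGINE, "username", fallback="") if cp.has_section(ENGINE) else ""
    if not engine_user:
        # No dedicated service user: nothing separates the two roles.
        return ["no service credentials in [murano_auth]: engine credentials "
                "are not separated from [keystone_authtoken]"]
    findings = []
    mw_user = cp.get(MIDDLEWARE, "username", fallback=None) if cp.has_section(MIDDLEWARE) else None
    if mw_user == engine_user:
        # Separate sections but one identity: roles still cannot be tuned apart.
        findings.append("same user in both sections: role-based privileges "
                        "cannot be tuned separately")
    return findings


if __name__ == "__main__":
    for name, text in (("shared", SHARED), ("split", SPLIT)):
        print(name, audit(text) or "ok")
```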

Changed in murano:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/murano 4.0.0.0b2

This issue was fixed in the openstack/murano 4.0.0.0b2 development milestone.
