Murano Engine uses keystone_authtoken configuration section
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Murano | Fix Released | Medium | zhurong |
Bug Description
Murano engine needs to authenticate in Keystone using some service user. It is used to create/remove trusts, list available services in service catalog etc.
This requires appropriate connectivity configuration: identity uri, credentials of service user, project, domain etc.
Currently murano uses [keystone_
This leads to a) inability to fine-tune role-based privileges for service-user going to execute trust-delegated tasks
b) implicit dependency of murano engine on the implementation details of keystonemiddleware and its plugins: if the middleware deprecates one of its configuration properties, Murano engine won't be able to maintain backwards compatibility with its config.
Changed in murano:
assignee: nobody → Alexander Tivelkov (ativelkov)
Changed in murano:
status: New → Confirmed
importance: Undecided → Medium
Changed in murano:
assignee: Alexander Tivelkov (ativelkov) → zhurong (zhu-rong)
Changed in murano:
status: Confirmed → In Progress
Any chance of progress here? We will not be able to deploy Murano unless it supports identity-v3-only and tls-proxy, see related bug https://launchpad.net/bugs/1658648.
Btw., having backwards compatible config files seems like a pretty strange goal to me, never seen that in any other OpenStack project.