mismatch between nova project ID and keystone tenant name
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Compute (nova) |
Fix Released
|
High
|
Unassigned |
Bug Description
What nova client calls "Project ID" is in fact the "Tenant Name" in Keystone.
Nova client obtains a token from keystone using the TenantName.
Nova clients sends the tenant name to the API server via the X-Auth-Project-ID header.
But the project ID in nova in fact corresponds to the tenant ID, so there is a mismatch.
The current naming creates confusion, e.g. see bug #898820.
While I agree that the project ID name shall be kept for backward compatibility, it should be associated to keystone tenantID, to avoid mixing IDs and names.
As both tenant ID and tenant Name can be used to obtain a valid token from keystone, I would propose that nova client accepts several options, as follows:
NOVA_PROJECT_ID => this should be the tenant ID, rather then the tenant name
NOVA_TENANT_ID
NOVA_TENANT_NAME
There shall be also the corresponding command line options, and optional parameters in the client init at python level.
With this change nova client would send the tenant ID in the X-Auth-Project-ID to the API server, which is the project ID, like it is in the no-keystone scenario.
Changed in nova: | |
status: | Confirmed → Fix Released |
There is a blueprint for this which I have linked: The wiki explaining the plan is here: wiki.openstack. org/CLIAuth
http://