keystone_authtoken: service_type needs to be configured for working access rules

Bug #1948456 reported by Marcus Klein
This bug affects 1 person
Affects: OpenStack-Ansible
Status: Fix Released
Importance: Medium
Assigned to: Marcus Klein

Bug Description

Otherwise the services cannot verify the access rule for application credentials and the following warning is logged:

Oct 21 13:38:58 controller1-nova-api-container-83b33d79 nova-api-wsgi[29012]: 2021-10-21 13:38:58.060 29012 WARNING keystonemiddleware.auth_token [req-17e24efd-9276-4fdb-ac0f-ff49c5808c3b 857436753f545e4f498149602b86484ab34d6c96e5085aaf18ede66f9f3f28c1 2a4a15d2596440e2ba553ce96cddc986 - d2844186365e40d187e33cbc3ead8956 d2844186365e40d187e33cbc3ead8956] Cannot validate request with restricted access rules. Set service_type in [keystone_authtoken] to allow access rule validation.
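
A check for the condition this bug describes, as an added example that is not part of the original report or the OpenStack-Ansible patches: it reads service_type from [keystone_authtoken] in oslo.config-style INI text and counts the quoted warning per host and process in syslog-format lines. The function names, the sample config (including the value compute) and the sample log lines are constructed for illustration.

```python
import configparser
import re

# Warning emitted by keystonemiddleware.auth_token, as quoted in the bug description.
WARNING_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) (?P<proc>[^\[\s]+)\[\d+\]: .*"
    r"WARNING keystonemiddleware\.auth_token .*"
    r"Cannot validate request with restricted access rules"
)

def service_type_of(conf_text):
    """Return service_type from [keystone_authtoken], or None if unset or empty."""
    # configparser would otherwise copy [DEFAULT] values into every section;
    # the warning asks for the option in [keystone_authtoken] itself, so the
    # default section is renamed to a name no file uses.
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__"
    )
    cp.read_string(conf_text)
    value = cp.get("keystone_authtoken", "service_type", fallback="")
    return value.strip() or None

def warning_sources(log_lines):
    """Count access-rule validation warnings per (host, process)."""
    counts = {}
    for line in log_lines:
        m = WARNING_RE.search(line)
        if m:
            key = (m.group("host"), m.group("proc"))
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed samples (not taken from a real deployment).
CONF_MISSING = "[DEFAULT]\nservice_type = compute\n\n[keystone_authtoken]\nauth_type = password\n"
CONF_FIXED = "[keystone_authtoken]\nauth_type = password\nservice_type = compute\n"
LOG_SAMPLE = [
    "Oct 21 13:38:58 node-a nova-api-wsgi[101]: 2021-10-21 13:38:58.060 101 WARNING "
    "keystonemiddleware.auth_token [req-constructed - - - - -] Cannot validate request "
    "with restricted access rules. Set service_type in [keystone_authtoken] to allow "
    "access rule validation.",
    "Oct 21 13:39:02 node-a nova-api-wsgi[101]: 2021-10-21 13:39:02.000 101 INFO "
    "nova.api [req-constructed - - - - -] GET /servers status: 200",
]

if __name__ == "__main__":
    print(service_type_of(CONF_MISSING), service_type_of(CONF_FIXED))
    print(warning_sources(LOG_SAMPLE))
```
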

Marcus Klein (marcus-klein) wrote :

I will try to provide patches to get this fixed.

Changed in openstack-ansible:
assignee: nobody → Marcus Klein (marcus-klein)
Changed in openstack-ansible:
status: New → Triaged
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible-os_glance (master)
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible-os_placement (master)
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible-os_cinder (master)
OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible-os_cinder (master)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/845717
Committed: https://opendev.org/openstack/openstack-ansible-os_cinder/commit/f755eadadfddfbea471fe80df66b41f140d9db2e
Submitter: "Zuul (22348)"
Branch: master

commit f755eadadfddfbea471fe80df66b41f140d9db2e
Author: Dmitriy Rabotyagov <email address hidden>
Date: Tue Jun 14 11:30:31 2022 +0200

    Support service tokens

    Implement support for service_tokens. For that we convert
    role_name to be a list along with renaming corresponding variable.

    Additionally service_type is defined now for keystone_authtoken which
    enables to validate tokens with restricted access rules

    Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
    Change-Id: I1d0156a2ad829aa730419e1d9dfa1cd49026a6be
    Related-Bug: #1948456

OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible-os_glance (master)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/823009
Committed: https://opendev.org/openstack/openstack-ansible-os_glance/commit/fc6f34219426594c7c48229e2fe8fdd76511d7cd
Submitter: "Zuul (22348)"
Branch: master

commit fc6f34219426594c7c48229e2fe8fdd76511d7cd
Author: Dmitriy Rabotyagov <email address hidden>
Date: Mon Dec 27 15:05:45 2021 +0200

    Support service tokens

    Implement support for service_tokens. For that we convert
    role_name to be a list along with renaming corresponding variable.

    Additionally service_type is defined now for keystone_authtoken which
    enables to validate tokens with restricted access rules

    Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
    Change-Id: Ib7fd1a80affe0fa8c6b030fdbfdd60693f104cd6
    Related-Bug: #1948456

OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible-os_placement (master)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible-os_placement/+/845708
Committed: https://opendev.org/openstack/openstack-ansible-os_placement/commit/242e17c230651ce4718d839b5d77590a296469a3
Submitter: "Zuul (22348)"
Branch: master

commit 242e17c230651ce4718d839b5d77590a296469a3
Author: Dmitriy Rabotyagov <email address hidden>
Date: Tue Jun 14 10:58:05 2022 +0200

    Support service tokens

    Implement support for service_tokens. For that we convert
    role_name to be a list along with renaming corresponding variable.

    Additionally service_type is defined now for keystone_authtoken which
    enables to validate tokens with restricted access rules

    Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
    Change-Id: I4e9fff59bbfa9c8a1ae0236d077ac9ee2881c04b
    Related-Bug: #1948456

Changed in openstack-ansible:
status: Triaged → Fix Released