auth_token defaults auth_uri config to point to admin endpoint if not set

Bug #1207517 reported by Dolph Mathews
This bug affects 2 people
Affects: keystonemiddleware; Importance: Medium; Assigned to: Unassigned
Affects: python-keystoneclient; Importance: Medium; Assigned to: Unassigned

Bug Description

auth_uri is used to direct unauthenticated clients to an endpoint where they can authenticate. If an auth_uri is not configured, then auth_token falls back on the admin API endpoint, and provides this to clients... who may not have visibility of the admin endpoint, much less be able to properly authenticate against it.

Specifically, this configuration is a complete failure when a keystone user does not have an assigned default tenant, the client is not aware of the tenants the user has access to, and the admin API is incapable of listing those tenants (the admin API will attempt to list all tenants in the system, which a normal user does not have authorization to do).

When the fallback configuration is utilized, a warning should be logged until "support" for behavior can be safely removed.
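
A configuration check for the fallback described in this report, as an added example that is not part of the original report or of keystonemiddleware: it flags a service config whose auth_token section leaves auth_uri unset or points it at the admin endpoint. The section name `keystone_authtoken`, the options `identity_uri`, `auth_host`, `auth_port` and `auth_protocol`, the admin port 35357 and all hostnames are assumptions, not taken from this page.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample configs (hostnames and ports are illustrative assumptions).
WEAK = """
[keystone_authtoken]
identity_uri = https://keystone.internal.example:35357
admin_user = nova
"""
FIXED = WEAK + "auth_uri = https://identity.example.com:5000/v2.0\n"
SAME = WEAK + "auth_uri = https://keystone.internal.example:35357/v2.0\n"


def admin_endpoint(sec):
    """Admin endpoint the middleware would talk to (option names assumed)."""
    if sec.get("identity_uri"):
        return sec["identity_uri"].strip().rstrip("/")
    return "%s://%s:%s" % (sec.get("auth_protocol", "https"),
                           sec.get("auth_host", "127.0.0.1"),
                           sec.get("auth_port", "35357"))


def audit_auth_uri(text, section="keystone_authtoken"):
    """Return findings for a config that would hand clients the admin endpoint."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section(section):
        return []  # service does not configure auth_token here
    sec = cp[section]
    admin = admin_endpoint(sec)
    auth_uri = (sec.get("auth_uri") or "").strip()
    if not auth_uri:
        # The case from the bug description: fallback to the admin endpoint.
        return ["auth_uri unset: clients would be directed to %s" % admin]
    a, b = urlsplit(auth_uri), urlsplit(admin)
    if (a.hostname, a.port) == (b.hostname, b.port):
        # Explicitly configured, but same host and port as the admin endpoint.
        return ["auth_uri %s is the admin endpoint" % auth_uri]
    return []


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED), ("same", SAME)):
        print(name, audit_auth_uri(cfg) or "ok")
```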

Dolph Mathews (dolph) wrote :

Unassigning due to inactivity.

Changed in python-keystoneclient:
assignee: Dolph Mathews (dolph) → nobody
Steve Martinelli (stevemar) wrote :

This impacts keystonemiddleware, not keystoneclient.

Changed in python-keystoneclient:
status: Confirmed → Invalid
Changed in keystonemiddleware:
importance: Undecided → Medium
Morgan Fainberg (mdrnstm) wrote :

In the scope of the general direction of keystone, this seems to be towards the realm of "won't fix", as in V3 there is no distinction between the admin and non-admin endpoints. Perhaps this should be looking for a specific interface? "Internal"?

Morgan Fainberg (mdrnstm) wrote :

Is this really still an issue?

Changed in keystonemiddleware:
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for keystonemiddleware because there has been no activity for 60 days.]

Changed in keystonemiddleware:
status: Incomplete → Expired