auth_token defaults auth_uri config to point to admin endpoint if not set
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| keystonemiddleware |
Expired
|
Medium
|
Unassigned | ||
| python-keystoneclient |
Invalid
|
Medium
|
Unassigned | ||
Bug Description
auth_uri is used to direct unauthenticated clients to an endpoint where they can authenticate. If an auth_uri is not configured, then auth_token falls back on the admin API endpoint, and provides this to clients... who may not have visibility of the admin endpoint, much less be able to properly authenticate against it.
Specifically, this configuration is a complete failure when a keystone user does not have an assigned default tenant, the client is not aware of the tenants the user has access to, and the admin API is incapable of listing those tenants (the admin API will attempt to list all tenants in the system, which a normal user does not have authorization to do).
When the fallback configuration is utilized, a warning should be logged until "support" for behavior can be safely removed.
| Dolph Mathews (dolph) wrote | #1 |
| Changed in python-keystoneclient: | |
| assignee: | Dolph Mathews (dolph) → nobody |
| Steve Martinelli (stevemar) wrote | #2 |
| Changed in python-keystoneclient: | |
| status: | Confirmed → Invalid |
| Changed in keystonemiddleware: | |
| importance: | Undecided → Medium |
| Morgan Fainberg (mdrnstm) wrote | #3 |
| Morgan Fainberg (mdrnstm) wrote | #4 |
| Changed in keystonemiddleware: | |
| status: | New → Incomplete |
| Launchpad Janitor (janitor) wrote | #5 |
| Changed in keystonemiddleware: | |
| status: | Incomplete → Expired |
Unassigning due to inactivity.