Public bug reported:
User Ids cannot be something sepcified entirely by the Federation
providers. If they are, there are a handful of potential problems:
1. The userId specified will be too big for the colum (varchar 64)
2. Two different Identity Providers can provide the same value for user_i
Due to a security issue with PKI tokens, we are going to stop supporting
PKI and we will move people on to Fernet as a replacement. Thus, no new
features will be implemented for PKI tokens
** Changed in: keystone
Importance: High => Wishlist
** Changed in: keystone
Status: Triaged => W
Was fixed in commit
98732367e384b89c9ff9dd632be870e774083b94
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad
This is not a problem with current policy/approach. The approach to fix
968696 will also ensure this continues to work.
** Changed in: keystone
Status: In Progress => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to
We have depreaced the LDAP project back end. Even for identity, we are
focusing on Read-Only, and not Read Write. Please reopen if this is
still an issue.
** Changed in: keystone
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Eng
Moving to Fernet tokens. Revocations will be handled by revocation
events, not revocation list. Memcache as a storage mechanism for PKI
tokens was deeply flawed, as dropping tokens from Memcache effectively
unrevoked them.
** Changed in: keystone
Status: Triaged => Won't Fix
--
You rece
Needs 3 things:
1. Feature in Keystone to track the WebSSO logout URL comparable to the login
URL
2. A way to communicate this to Horizon
3. A tie in to Horizon to call the URL in order to logout.
Since Keystone manages websso login, it should do the logout directly as
well.
** Changed in: ke
Public bug reported:
Use CURL to get an admin token and use it to perform list domains will
result in a failure.
Get an unscoped token:
$ cat token-request-admin.json
{
"auth": {
"identity": {
"methods": [
"password"
],
"password
** Also affects: keystonemiddleware
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1278843
Title:
Neutron doesn't report using a stale CA cert
Public bug reported:
The behaviour of this API is different if
CONF.identity.domain_specific_drivers_enabled is set or not. If it is
not set, then listing user shows for all domains. If it is set, even
for SQL, only a single domain is listed.
The correct behavior would be to only list users for
** Also affects: python-keystoneclient
Importance: Undecided
Status: New
** No longer affects: keystone
** Changed in: python-keystoneclient
Assignee: (unassigned) => Adam Young (ayoung)
--
You received this bug notification because you are a member of Yahoo!
Engineering T
Public bug reported:
there is a disconnect between how Identity gets users for
Authentication and how it creates users.
When creating a user, deleting a user, etc, the identity code calls:
conn.add_s(self._id_to_dn(values['id']), attrs)
Which attempts to convert an id to a dn t
.
** Affects: keystone
Importance: Undecided
Assignee: Adam Young (ayoung)
Status: In Progress
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1367952
Title:
Trust
In order to validate a PKI token via the Keystone API, use the MD5 hash
of the token instead of the original token. This is short enough for
all URLs.
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team,
** Changed in: keystone
Status: New => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1199880
Title:
test_users.py:UsersTestJSON.test_create_user - Wrong expected respo
** Changed in: keystone
Status: Expired => Confirmed
** Changed in: keystone
Assignee: (unassigned) => Adam Young (ayoung)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.ne
No fix necessary in Keystone server
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1020127
Title:
proxy-server Error:
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1255335
Title:
v2 token request always allow external auth method
Status in OpenSta
** Changed in: keystone
Status: Expired => Confirmed
** Changed in: keystone
Assignee: (unassigned) => Adam Young (ayoung)
** Project changed: keystone => python-keystoneclient
--
You received this bug notification because you are a member of Yahoo!
Engineering Team,
Public bug reported:
ONce the startup finishes, the log is currently filled with line after
line of
2014-01-07 16:55:04.871 29654 WARNING keystone.common.utils [-]
Deprecated: v2 API is deprecated as of Icehouse in favor of v3 API and
may be removed in K.
** Affects: keystone
Importance: Un
Public bug reported:
"keystone user-list" is an admin only command. When a regular user
tries to execute it, you get a helpful response at the command line:
[root@rhel ~(keystone_username)]# keystone user-list
You are not authorized to perform the requested action: admin_required (HTTP
403)
Ho
Public bug reported:
Created attachment 713099 [details]
token logs
Description of problem:
Keystone log files should reveal the source of the token (ip address).
I create a mis-configuration where i had two different setups (A & B )
by mistake i configure keystone quantum end-point in setup A
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1071865
Title:
Keystone PKI token length hits cook
Better to get rid of the KVS backend all together
** Changed in: keystone
Status: Triaged => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1046884
Title:
Code duplica
implemented in 5cb8e1f2e5e12cf7e8c6bce91af53b901f6254a9
** Changed in: keystone
Status: New => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1101276
Title:
Domain
If it does it is a different problem. This was an error storing tokens
and was specific to the memcached backend.
** Changed in: python-keystoneclient
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to
** Changed in: python-keystoneclient
Status: New => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1020127
Title:
proxy-server Error: Second simultaneous read or wri
** Changed in: keystone
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1010010
Title:
Support Kerberos authentication in Keystone
Status in OpenS
** Changed in: keystone
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1031008
Title:
Report better error when signing dir is not writable
Status
This is no longer an issue. The database is now saved in tests/tmp.
The tests/tmp directory can be mounted in a ram disk, bypasing the tox
issue.
** Changed in: keystone
Status: Triaged => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team
As you can see from the original code, this was a deliberate
implementation decision. Neither the SQL nor the LDAP code allows
modification of the usernames. Please respond here why you need this
change.
** Changed in: keystone
Status: In Progress => Invalid
--
You received this bug not
** Changed in: neutron
Status: Triaged => Fix Committed
** Changed in: nova
Status: In Progress => Fix Committed
** Changed in: puppet-keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscri
The Keystone server was down and the message was reported by the client.
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.n
THis is an installer specific issue and not with the Keystone upstream
project. The .deb should be creating the /etc/keytstone directory on
install. PLease open the bug with the packager. Note that the page
linked is specific to Ubuntu.
** Changed in: keystone
Status: New => Invalid
--
Public bug reported:
Make it possible to know what the ID of a role will be prior to creating
it. This allows synchronization between multiple keystone servers
** Affects: keystone
Importance: Undecided
Assignee: Adam Young (ayoung)
Status: In Progress
--
You received this
Public bug reported:
I wrote up the issues with gaming the system that can happen with deep
quotas. This has driven what happened with 2 level quota in unified
limites.
https://adam.younglogic.com/2018/05/tracking-quota/
This should merge in with the documentation to explain why we limit
things
Public bug reported:
Identifiers
Each resource in Keystone has a unique identifier. For the majority of
resources, the identifiers are currently generated as UUIDs. In
addition, the identifiers are assigned by the system, and are not
something an end user can specify when creating the resource. T
For these kinds of operations, you use role assignment inheritance. Do
not attempt to enforce policy on parent project ID.
I wrote up an article about this about a year back. CloudForms is just
the consumer, but the rules are the same.
https://adam.younglogic.com/2018/02/openstack-hmt-cloudfor
If it is not fixed in Nova it is not fixed in Keystone, as the solution
has to start there.
** Changed in: keystone
Status: Fix Released => Confirmed
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keyst
I'm closing this Won't fix because running with the LDAP backend is a
bad approach. Use SQL, with LDAP in a domain specific back end.
** Changed in: keystone
Status: Triaged => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is s
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1780159
Title:
Some inherited projects missing when listing use
** Changed in: keystone
Status: Invalid => New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1780159
Title:
Some inherited projects missing when listing use
Public bug reported:
Looking at a coverage report for the Keystone CLI shows that the
entirety of
class MappingEngineTester(BaseApp):
Is untested. Since this is production and supported code, this is a
risk.
** Affects: keystone
Importance: Undecided
Status: New
--
You received
Just to be clear, this has always been the case. THe documentation for
the cloud sample stated it needed to be edited.
Of course, I tripped over this exact problem. A few times. I once
proposed reading policy values from the config file as a work around.
But this is not a bug. As Lance put, w
Public bug reported:
in keystone/tests/unit/test_v3_auth.py there are two tests that have
been commented out because they are unrunnable:
test_remote_user_with_realm
and
test_remote_user_with_default_domain
These support the External auth mechanism which should be avaialable to
people with t
user in
LDAP). THus, the LDAP code can be changed at config time, but the
Federated code can't. It also means that Federated IDs cannot be kept
in sync between two keystone servers.
** Affects: keystone
Importance: Low
Assignee: Adam Young (ayoung)
Status: In Pro
Public bug reported:
When keeping two Keystone servers in sync, but avoiding Database
replication, it is often necessary to hack the database to update the
Domain ID so that entries match. Domain ID is then used for LDAP mapped
IDs, and if they don't match, the user IDs are different. It should
Public bug reported:
THe Federation itegration (not voting) tests for Python35 are failing.
==
2018-09-26 06:26:21.371093 | primary | Failed 1 tests - output below:
2018-09-26 06:26:21.371172 | primary | ==
2018-09-26 06:26:21.371200 | pri
After reviewing these tests, I think I can say with confidence that they
are not testing code that we support any longer. External plugins work
fine, including Kerberos. These tests were Kerberos specific, but we no
longer support a specific Kerberos plugin, only the External one. They
were test
Added Oslo.policy to the bug report, as this is going to be an issue
across all of the projects. Barbican, especially, needs target info,
but the same is true for anything that enforces the scope check.
** Also affects: oslo.policy
Importance: Undecided
Status: New
--
You received thi
UNtil recently, this should be in bootstrap. This is the minimal amount
of configuration a Keystone server needs: to be able to create a new
domain, or create projects on the domain, etc.
Now it should be one admin user with a service scoped admin role. From
that, all other configuration can flo
Public bug reported:
When a Federated User logs in for the first time, many organizations
want to be able to provision resources. This is a specific instance of
the general idea that a Keystone token operation should be able to kick
off a playbook. PLaybooks can perform both Openstack specific a
Public bug reported:
In order to activate a protocol for Federation, you need SOME value for
remote_id_attribute. However , this is set once per protocol in the
config file, not in the federated data. Thus, if two different SAML
implementations both wanted to use different values for
remote_id_a
Fixed in Keystone by f71a78db86632dccb391782e62da69a4627c7cad
https://review.openstack.org/#/c/523650/
** Changed in: keystone
Assignee: (unassigned) => Adam Young (ayoung)
** Changed in: keystone
Status: Triaged => Fix Released
** Changed in: keystone
Status: Fix Re
Reopening the Keystone one as the fix does not work for default policy,
which is what most people use.
** Changed in: keystone
Status: Fix Released => In Progress
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
htt
Public bug reported:
Active Directory has a very specific mechanism to
handle nested groups. LDAP queries need to look like this:
"(&(objectClass=group)(member=member:1.2.840.113556.1.4.1941:=CN=nwalnut,OU=Users,DC=EXAMPLE,DC=COM))"
If a deployment is using nested groups, three queries need to
Public bug reported:
When setting up Federation, if the protocol needs an new auth plugin,
the current mechanism is to add it to the methods list for the [auth]
section. However, this has the effect of linking them all together,
when the real method should be to link the auth plugin with the
prot
Public bug reported:
Web SSO will be broken in places where the ssumption that the AUTH_URL
that Horizon uses is publically accessible.
Conversation with deployer:
"keystone is open in haproxy to the public world, but the problem is
that horizon forming the SSO url based on the region URL, which
Public bug reported:
ADMIN_PASSWORD=keystone tools/sample_data.sh
... lots of stuff working fine ...
usage: openstack ec2 credentials create [-h]
[-f {json,shell,table,value,yaml}]
[-c COLUMN] [--max-width ]
Public bug reported:
Description of problem:
DBDeadlock: (pymysql.err.InternalError) (1213, u'Deadlock found when trying to
get lock; try restarting transaction')
The above error is retry-able error, but no evidence for keystone would
really did a retry before throwing a 500.
2016-11-12 08:55:1
CLosing as a duplicate.
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1648542
Title:
keystone does not retry
Public bug reported:
Keystone is now behind the other projects in reporting the microversions
in the microversion header
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subsc
Works as designed and specified. The Wiki is wrong. Would not modify
away from the existing behavior, either.
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identit
Public bug reported:
When redelegating a trust, the API specifies that the trustor_id is the
original trustor_id. However, the policy check for create_trust
enforces that user_id = trust.trustor_user_id. Effectily limiting the
redelgation ofr trusts to trusts which provide impersonation.
** Aff
Public bug reported:
Today it is possible to define an implied role structure that is not a
DAG. This will crash the Keystone server if a token iis requested that
will pull in any of those roles.
While it might be impractical to prevent cycles in the creation, it is
very possible to prevent the
user_id=trustee['id'],
password=trustee['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
token = r.result['token']
# This fails
self.assertThat(token['roles'], matche
Adding Nova to the bug report because it absolutely should not require a
specific version of the Keystone API to make things work. I suspect
that there is a workaround here, but the Keystone API and auth plugins
are designed to be versionless. This is a step backwards, and should be
treated as a
Its a feature. A trust is assumed to be the smallest chunk of delegated
roles possible to perform an action. If a user does not have all those
roles, the trustor should be informed immediately that the trust is no
longer viable.
** Changed in: keystone
Status: In Progress => Invalid
--
Public bug reported:
Create two roles. Make one imply the other (need curl for now)
$ openstack role delete identity_policy_manager
ERROR: openstack An unexpected error prevented the server from fulfilling your
request. (HTTP 500) (Request-ID: req-a2b89f42-ad24-4985-a599-33cc182d8f80)
Looki
Public bug reported:
Description of problem:
Testing multi domain support in RHOS. The deletion of this domain when write
enabled cleared the LDAP database entirely. Thankfully this was done in a lab,
because LDAP was a total loss.
Version-Release number of selected component (if applicable):
I think this is a Horizon bug, not Keystone. The stack trace is all
Horizon code.
I suspect it is a conflict between domain and project scoped token code
in Horizon
** Also affects: horizon
Importance: Undecided
Status: New
--
You received this bug notification because you are a membe
So...this is a continuing Saga. The fix that went in for Keystone only
allows the V3 AP call to continue. However, there is currently no way
to call that API except for CURL.
Something like:
curl -X DELETE -H"X-Auth-Token:$TOKEN" -H "Content-type:
application/json"
$OS_AUTH_URL/projects/e9d
Reopening the issue against the Keystone server. The fix was not
sufficient, as it was just a workaround, and one that we can't apply via
the CLI.
The real fix requires avoiding the exception from the identity backend
when performing any assignment-backend calls.
** Changed in: keystone
S
Closing the Keystone server component again, as I just confirmed the
user-list error does not happen in this code base, and thus it is a new
bug and a regression. Will open a separate ticket for that.
** Changed in: keystone
Status: Confirmed => Fix Released
--
You received this bug notif
Reported in a downstream distribution that should have synced from this
code as still a bug. please reconfirm.
** Changed in: keystone
Status: Fix Released => Confirmed
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenS
Public bug reported:
A recent change to encrypt credetials broke RDO/Tripleo deployments:
2016-09-02 17:16:55.074 17619 ERROR keystone.common.fernet_utils
[req-31d60075-7e0e-401e-a93f-58297cd5439b f2caffbaf10d4e3da294c6366fe19a36
fd71b607cfa84539bf0440915ea2d94b - default default] Either [fern
** Also affects: tripleo
Importance: Undecided
Status: New
** Changed in: tripleo
Status: New => Confirmed
** Changed in: keystone
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscr
fo:
Suggest setting notification_driver to either log or noop in
/etc/keystone/keystone.conf
** Affects: keystone
Importance: Undecided
Assignee: Adam Young (ayoung)
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is sub
** Project changed: keystone => ceilometer
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1627094
Title:
Keystone overwhelms Ceilometer with Identity Events
Statu
Not a bugf, leave the wrapper in for SQL message reporting.
** Changed in: keystone
Status: Triaged => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1
forcing "admin somewhere is admin everywhere"
** Affects: keystone
Importance: High
Assignee: Adam Young (ayoung)
Status: New
** Changed in: keystone
Importance: Undecided => High
** Changed in: keystone
Assignee: (unassigned) => Adam Young (ayoung)
--
Y
It appears like this will do little to help the situation, and may in
fact make things worse. There is the rist that the description field
for a trust might be misleading, and I;d rather have people look at the
actual trustee field when determining whay a trust exists, and if it is
legitimate.
Si
Public bug reported:
While many people are still stuck on V2 tokens, we need a safe way to
map them to V3. If they default domain changes, the tokens will not be
properly converted. THe best that can be done now is to guess that the
domain_id is "default" and the name is "Default"
both these va
Default domain is a "forward compat" feature necessary to let V2
continue to work in a V3 aware keystone.
The default domain is a very important domain, and should be part of the
core configuration. Changing that on the fly will change the meaning of
the V2 tokens, and is not something to be don
** Also affects: glance
Importance: Undecided
Status: New
** Also affects: cinder
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/96869
** Changed in: keystone
Status: Invalid => New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1477373
Title:
No way to convert V2 tokens to V3 if domain id changes
Status in Key
The code is not moving to client after all. The code in the Server will
stand.
** Changed in: keystone
Status: Triaged => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/13
It might make sense to have Horizon limit login to users with the Member
or Admin roles only.
** Also affects: nova
Importance: Undecided
Status: New
** Changed in: nova
Assignee: (unassigned) => Adam Young (ayoung)
--
You received this bug notification because you are a mem
Since we are dropping support for Eventlet based deployments, continuing
to document them is counterproductive. Please switch over to using
Apache HTTPD.
** Changed in: keystone
Status: Confirmed => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engine
Public bug reported:
V3 is not specifically rtied to either public or Admin in the specs, but
practically speaking, it is tied to admin;
When attempting to use the V3 api and the admin port is not exposed, the
followng happens:
$ echo $OS_AUTH_URL
https://hostname/v3
$ openstack server list
E
Public bug reported:
To minimize downtime, the conversion from persisted to ephemeral tokens
should happen in two steps. The first migrates tokens over to the
Fernet format, but will fall back to persisted store if the requested
token is not in Fernet format. The second removes persistence.
**
According to conversation in #openstack-keystone, reporter was running
this by hand using ipython. The migrations are not designed to run
multiple tiumes, and this error was not somthing we would see using the
proper migrate mechanism.
** Changed in: keystone
Status: New => Invalid
--
Y
Public bug reported:
After creating a new project and allocating some amount of resources, we
should be able to create a hierarchy of users like Project Manager (PM)
having complete view of the project usage, then PM should be able to
allocate resources to different sub-teams (like Dev, QA, Prod,
Nope. Not going to expose this just for testing. Use direct database
access if you want.
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https:
Public bug reported:
We've seen an effect where setting the dfefault token handler to Fenet,
and depending on Revocation events breaks several tests. These tests
are supposed to track that a tokne comes back as invalid. However, what
actually happens is the admin users token is invalid, returnin
Public bug reported:
"When defining the URL for connecting to the LDAP server in the Keystone
configuration, looking for a way to specify multiple LDAP servers for
redundancy. For example if an AD domain controller were not available,
Keystone would try an alternate domain controller."
This is s
Public bug reported:
Spec states:
http://git.openstack.org/cgit/openstack/keystone-specs/tree/api/v3
/identity-api-v3.rst#n1779
A user may explicitly request an unscoped token by setting
the "scope" value of the token request to the string "unscoped."
However the code actaully tests:
scope_
The issue is with configuring Nova. When I edited Nova's conf file so
that authe vesrion was unset, like this:
auth_version=
And restarted all the Nova services, it worked.
** Changed in: keystone
Importance: Critical => Medium
** Also affects: nova
Importance: Undecided
Status:
** No longer affects: keystone
** Summary changed:
- cannot use v3 token with v2 services
+ Nova cannot validate v3 token by default
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad
Public bug reported:
Mapping groups from REMOTE_USER_GROUPS (or comparable) via the rule:
"local": [
{
"group": {
"name": "{0}",
"domain": {"name": "Default"}
}
1 - 100 of 135 matches
Mail list logo
