I'm invalidating the bug because this is due to a misconfiguration. API-
PASTE.INI for nova, glance, cinder and neutron servvices should have the
following entry in order to be capable to validate V3 tokens:
[filter:authtoken]
auth_version = v3.0
In case of this configuration does not exist, the keystoneclient
middlware auth_token will prioritize v2.0, causing the problem when v3
is enabled.
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1249462
Title:
Keystone V3 Token validation is not working for non-Default domain
Status in OpenStack Identity (Keystone):
Invalid
Bug description:
I was not allowed to log in horizon with an user from a non-Default
domain after configuring horizon to work with V3 indentify version and
multi-domains as well as enabling keystone V3 in endpoint catalogs.
Taking a look at keystone code, I noticed
keystone/token/controllers.py validate_token method is harcoded to
validate using keystonve V2, which does not accept tokens for non-
default Domain:
@controller.protected()
def validate_token(self, context, token_id):
"""Check that a token is valid.
Optionally, also ensure that it is owned by a specific tenant.
Returns metadata about the token along any associated roles.
"""
belongs_to = context['query_string'].get('belongsTo')
return self.token_provider_api.validate_v2_token(token_id,
belongs_to)
This is also noticed in the methods:
* authenticate(that is calling issue_v2_token() hardcoded)
* validate_token_head( that is calling check_v2_token() hardcoded)
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1249462/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
