OpenStack Identity (keystone)

  1. Series stein
  2. Bug #1843609
  3. Comment #5

Comment 5 for bug 1843609

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/681833
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8f43b9cab00c86a455b2a9700b434e98b2e9c2d8
Submitter: Zuul
Branch: master

commit 8f43b9cab00c86a455b2a9700b434e98b2e9c2d8
Author: Lance Bragstad <email address hidden>
Date: Thu Sep 12 16:46:26 2019 +0000

    Make system tokens work with domain-specific drivers

    When calling certain group or user APIs, keystone logic would attempt
    to figure out the domain to scope responses to. This was specific to
    enabling domain-specific driver support, where each domain is backed
    by a different identity store. This functionality is turned off by
    default. Since system-scoped tokens are not associated to a domain
    (unlike project-scoped tokens or domain-scoped tokens), the logic to
    determine a domain from a system-scoped token was breaking and
    returning an erroneous HTTP 401 Unauthorized when system users
    attempted to list users or groups.

    This commit adds support for domain detection with system-scoped
    tokens.

    Change-Id: I8f0f7a623a1741f461493d872849fae7ef3e8077
    Closes-Bug: 1843609