| opendevreview | Hiromu Asahina proposed openstack/keystone-specs master: OAuth2.0 Client Credentials Grant Flow Support https://review.opendev.org/c/openstack/keystone-specs/+/813152 | 05:21 |
|---|---|---|
| *** dasm|off is now known as dasm | 13:30 | |
| *** dasm is now known as dasm|rover | 13:31 | |
| Muran | Hey. I ran into a bug in communication between octavia and keystone. I'm not sure where to file it or how we want to fix it as I don't have all the background. I have however tracked down where in code that it happens. It occurs if you try to add a terminated_https listener when you are authenticated using application credentials. What happens is that Octavia sends a token request to keystone with methods: token and | 14:06 |
| Muran | token.id set. In keystone, it dynamically adds application_credential as a method, then fails on a 500 error when trying to read application_credential['id'] from the payload. For me it makes little sense that keystone after it itself added application_credential to methods enforces that you use it. If the client, octavia in this case asks for "token" method. Shouldn't it be allowed to do so? | 14:06 |
| Muran | Octavia creates payload here: https://opendev.org/openstack/octavia/src/branch/master/octavia/certificates/common/auth/barbican_acl.py#L87 | 14:07 |
| Muran | And here is where keystone adds application_credential to method and then failing when trying to read payload.application_credential.id https://opendev.org/openstack/keystone/src/branch/master/keystone/api/_shared/authentication.py#L206-L212 | 14:08 |
| Muran | I guess the main question is if it's ok for a client to authenticate using token ID that was created from an application secret. If that is the case, keystone code needs to be changed a bit. It's fine to add application_secret as method, but it should only us it if it actually receives said credentials in the payload. | 14:17 |
| opendevreview | Grzegorz Grasza proposed openstack/keystone master: Fix issue with LDAP backend returning bytes instead of string https://review.opendev.org/c/openstack/keystone/+/819477 | 14:57 |
| opendevreview | Merged openstack/keystone master: Fix issue with LDAP backend returning bytes instead of string https://review.opendev.org/c/openstack/keystone/+/819477 | 20:23 |
| *** dasm|rover is now known as dasm|off | 21:47 | |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!