[octavia] Help with fix barbican client in octavia when use trust-scoped token
Hello!
I have error with terminated https loadbalancer, it described here: https://storyboard.openstack.org/#!/story/2007619
Could you please help with fix for barbican client? Thank you.
Hey,
It's not barbican client and issue, but how Octavia does create token out of application credentials.
We've also catched that issue and tried to solve it from keystone side [1], but seems that code refactoring is required. While proposed workaround for keystone kind of works, I guess it might cause more serious security concerns, as basically creating token from application credentials token seems to be never supported by keystone.
[1] https://bugs.launchpad.net/keystone/+bug/1959674
сб, 20 авг. 2022 г., 20:29 Ришат Азизов rishat.azizov@gmail.com:
Hello!
I have error with terminated https loadbalancer, it described here: https://storyboard.openstack.org/#!/story/2007619
Could you please help with fix for barbican client? Thank you.
Hi,
Can you please attach your traceback to the story?
Michael
On Sat, Aug 20, 2022 at 12:24 PM Dmitriy Rabotyagov noonedeadpunk@gmail.com wrote:
Hey,
It's not barbican client and issue, but how Octavia does create token out of application credentials.
We've also catched that issue and tried to solve it from keystone side [1], but seems that code refactoring is required. While proposed workaround for keystone kind of works, I guess it might cause more serious security concerns, as basically creating token from application credentials token seems to be never supported by keystone.
[1] https://bugs.launchpad.net/keystone/+bug/1959674
сб, 20 авг. 2022 г., 20:29 Ришат Азизов rishat.azizov@gmail.com:
Hello!
I have error with terminated https loadbalancer, it described here: https://storyboard.openstack.org/#!/story/2007619
Could you please help with fix for barbican client? Thank you.
Hello!
I added my logs to storyboard: https://storyboard.openstack.org/#!/story/2007619
Thanks.
пн, 22 авг. 2022 г. в 02:17, Michael Johnson johnsomor@gmail.com:
Hi,
Can you please attach your traceback to the story?
Michael
On Sat, Aug 20, 2022 at 12:24 PM Dmitriy Rabotyagov noonedeadpunk@gmail.com wrote:
Hey,
It's not barbican client and issue, but how Octavia does create token
out of application credentials.
We've also catched that issue and tried to solve it from keystone side
[1], but seems that code refactoring is required.
While proposed workaround for keystone kind of works, I guess it might
cause more serious security concerns, as basically creating token from application credentials token seems to be never supported by keystone.
[1] https://bugs.launchpad.net/keystone/+bug/1959674
сб, 20 авг. 2022 г., 20:29 Ришат Азизов rishat.azizov@gmail.com:
Hello!
I have error with terminated https loadbalancer, it described here:
https://storyboard.openstack.org/#!/story/2007619
Could you please help with fix for barbican client? Thank you.
participants (3)
-
Dmitriy Rabotyagov
-
Michael Johnson
-
Ришат Азизов