Unrestricted AC Access Rules: "You must upgrade keystonemiddleware on all services"
Hey there,

I'm interested in creating an unrestricted Application Credential (AC) which is still constrained by Access Rules. A use could be allowing admins to use automation to generate read-only ACs for various purposes. The AC for automatically generating other ACs would need to be unrestricted, but should still only have the minimal privileges required to create its children.

However, when attempting this with multiple versions of keystone, including 2024.1, I get the following error in the keystone service log:

```
Attempted to use application credential access rules with a middleware that does not understand them. You must upgrade keystonemiddleware on all services that accept application credentials as an authentication method.: NoneType: None
```

A minimal way to reproduce this:

1. Install keystone according to https://docs.openstack.org/keystone/latest/install/keystone-install-ubuntu.h.... (I've also tested with keystone running in a virtualenv and in a kolla container.)

2. Generate a "parent" AC using the bootstrap admin:

   `openstack application credential create --max-width 120 --role admin --access-rules '[ { "path": "/v3/**", "method": "POST", "service": "identity" }, { "path": "/v3/**", "method": "GET", "service": "identity" } ]' --expiration '2024-07-31T23:59:59' --unrestricted test_unrestricted`

   (This gives expected output, including an AC id and secret.)

3. In another terminal, load the parent AC and then try to generate the child:

   `openstack application credential create --max-width 120 --role admin --access-rules '[ { "path": "/v3/**", "method": "GET", "service": "identity" } ]' --expiration '2024-07-31T23:59:59' test_read_only`

   (This returns `Invalid application credential: Cannot create an application credential with unassigned role` in the client, as well as the earlier error about upgrading middleware in the keystone service log.)
I've tested that the parent/unrestricted AC *can* generate the child successfully when the parent does *not* have Access Rules.

I didn't see anything about these errors or constraints when going through the application credential documentation (e.g. https://docs.openstack.org/keystone/latest/user/application_credentials.html), or in a web search, or in a search of the openstack-discuss archives.

I may raise a bug report/feature request, but before I do that, I just wondered if I have likely overlooked some possible extra configuration or documentation which could explain what I've done wrong? Alternatively, if this were raised as a feature request, would it likely be supported, or would the functionality I'm imagining be too difficult or impossible to implement?

Cheers,
Tim
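As an added example (not from the original post and not keystone's or keystonemiddleware's own code), here is a small Python helper that evaluates a request against an AC's access-rule list, so the parent's and child's rule sets from the post can be checked in advance for which identity calls they would permit. The wildcard semantics (`**` spans segments, `*` and `{tag}` match one segment) are modelled on the keystone access-rules documentation and are an assumption, as is the constructed user id.

```python
import json
import re

# Constructed sample input: the two access-rule sets from the post above.
PARENT_RULES = json.loads('''[
  {"path": "/v3/**", "method": "POST", "service": "identity"},
  {"path": "/v3/**", "method": "GET", "service": "identity"}
]''')
CHILD_RULES = json.loads('''[
  {"path": "/v3/**", "method": "GET", "service": "identity"}
]''')


def path_regex(pattern: str) -> re.Pattern:
    """Translate an access-rule path pattern into an anchored regex.

    Assumed wildcard semantics (from the keystone access-rules docs, not
    keystone's own code): '**' spans any number of path segments, while '*'
    and a '{tag}' placeholder each match within a single segment.
    """
    parts = []
    for tok in re.finditer(r'\*\*|\*|\{[^}]*\}|[^*{]+', pattern):
        text = tok.group(0)
        if text == '**':
            parts.append('.*')
        elif text == '*' or text.startswith('{'):
            parts.append('[^/]*')
        else:
            parts.append(re.escape(text))
    return re.compile('^' + ''.join(parts) + '$')


def request_allowed(rules, service: str, method: str, path: str) -> bool:
    """True if at least one rule permits this service/method/path triple."""
    return any(
        rule['service'] == service
        and rule['method'] == method.upper()
        and path_regex(rule['path']).match(path) is not None
        for rule in rules
    )


if __name__ == '__main__':
    # Creating a child AC is a POST to /v3/users/{user_id}/application_credentials;
    # only the parent's rule set (which includes POST) permits it.
    target = '/v3/users/0123abcd/application_credentials'  # constructed user id
    print('parent may create child:', request_allowed(PARENT_RULES, 'identity', 'POST', target))
    print('child may create child: ', request_allowed(CHILD_RULES, 'identity', 'POST', target))
```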