[keystone] Usage of trusts with v2.0 authentication

Steven Hardy shardy at redhat.com
Tue Feb 9 17:27:26 UTC 2016

On Tue, Feb 09, 2016 at 11:06:10AM -0600, Lance Bragstad wrote:
>    When trusts were implemented, they were designed to work as an extension
>    under the version 3 API. The implementation didn't prevent the use of a
>    trust to authenticate against version 2.0, which was never officially
>    documented in the v2.0 API docs.
>    The keystone team is curious if there is anyone creating trusts using v3
>    and then using them against version 2.0. If not, we'd like to
>    remove/deprecate support for that case in v2.0. If so, then we'll have to
>    add official documentation for trusts against v2.0 and incorporate that
>    case into fernet.

Heat has been using trusts internally for a long time, but until very
recently, almost all installation methods for OpenStack resulted in all
services having v2.0 versioned endpoints.

Does the auth_token middleware now always use v3 by default, even when all
the keystone endpoints are versioned to v2.0 (still very common IME)?

IIRC we relied on the v2.0 behavior you reference when we first introduced
our trusts usage back in 2013, but it may be that auth_token version
discovery now means all services are hitting v3 even with v2.0 endpoints
in the catalog, in which case I guess this may be OK (probably something to
test though).

It'd be good to confirm such mixed environments will continue to function,
otherwise this might end up a disruptive break in backwards compatibility.
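The "mixed environment" Steven wants confirmed is one whose service catalog still carries identity endpoints pinned to /v2.0. The following is an added audit helper (not code from the thread or from keystone/heat) that classifies every identity endpoint in a v3-format catalog as v2.0, v3 or unversioned, so an operator can see which entries would keep a catalog-following client, trusts included, on the v2.0 auth path; the catalog contents are constructed sample data.

```python
import re
from urllib.parse import urlparse

# Constructed sample catalog in the keystone v3 token format (hypothetical
# hostnames); one identity endpoint is pinned to v2.0, one is unversioned.
SAMPLE_CATALOG = [
    {"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "region": "RegionOne",
         "url": "http://keystone.example:5000/v2.0"},
        {"interface": "internal", "region": "RegionOne",
         "url": "http://keystone.example:5000/"},
        {"interface": "admin", "region": "RegionOne",
         "url": "http://keystone.example:35357/v3"},
    ]},
    {"type": "orchestration", "name": "heat", "endpoints": [
        {"interface": "public", "region": "RegionOne",
         "url": "http://heat.example:8004/v1/%(tenant_id)s"},
    ]},
]

# Matches a path that is exactly the v2.0 or v3 root, with optional trailing slash.
_VERSION_RE = re.compile(r"^/v(2\.0|3)/?$")


def endpoint_version(url):
    """Return 'v2.0', 'v3' or 'unversioned' for an identity endpoint URL.

    Only an unversioned root leaves room for version discovery; a URL that
    already ends in /v2.0 pins every client that simply follows the catalog.
    """
    match = _VERSION_RE.match(urlparse(url).path or "/")
    return "v" + match.group(1) if match else "unversioned"


def audit_identity_endpoints(catalog):
    """Map (region, interface) -> version class for every identity endpoint."""
    result = {}
    for service in catalog:
        if service.get("type") != "identity":
            continue
        for ep in service.get("endpoints", []):
            result[(ep["region"], ep["interface"])] = endpoint_version(ep["url"])
    return result


def v2_pinned_endpoints(catalog):
    """Identity endpoints whose URL forces v2.0; these are the entries to review
    before v2.0 trust authentication is deprecated or removed."""
    audit = audit_identity_endpoints(catalog)
    return sorted(key for key, version in audit.items() if version == "v2.0")
```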
