From 7ff623638dc36fc29e7fc643483509ce226b92f6 Mon Sep 17 00:00:00 2001 From: David Lyle Date: Tue, 18 Mar 2014 17:23:23 -0600 Subject: [PATCH] Reverting default keystone API to v2.0 Although keystone v2 has been deprecated, no services use v3 for authorization. So passing a v3 token_id to other services results in authorization errors. If the user logs into a domain other than "default" the user see only unauthorized errors. Currently, when logging into the "default" domain these authorization errors do not occur merely because of a bug in keystone that does not validate the token version. This will likely change some time in the non-distant future. Setting the keystone API version to v2.0 is the safest path for now. Not doing a full revert because the rest of the fixes the previous patch were valid and required. Closes-Bug: #1294396 Change-Id: I3583e729b5a006f9b7f5cbbe3388908c15de39ae --- openstack_auth/utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openstack_auth/utils.py b/openstack_auth/utils.py index 72cdc09..c749f42 100644 --- a/openstack_auth/utils.py +++ b/openstack_auth/utils.py @@ -141,7 +141,7 @@ def is_safe_url(url, host=None): # Helper for figuring out keystone version # Implementation will change when API version discovery is available def get_keystone_version(): - return getattr(settings, 'OPENSTACK_API_VERSIONS', {}).get('identity', 3) + return getattr(settings, 'OPENSTACK_API_VERSIONS', {}).get('identity', 2.0) def get_keystone_client():