As a result of fixing OSSA-2025-002, ec2tokens API in Keystone
now by default requires authentication.
The config section `[ec2authtoken]` is now expected to have
auth information for Heat to be able to use this API.
In multicloud configuration keystone auth credentials are
required for each cloud. These can be configured using the new clouds
option and the ``[ec2authtoken.{cloud}]`` sections.
NOTE:
Disables test_software_config.ParallelDeploymentsTest in
grenade. Should follow up to re-enable once fix has been
backported.
Related-Bug: #2119646
Change-Id: Ib41f76c1ba56005b6c4233424cca5768657a7686
Co-Authored-By: Adrian Jarvis <adrian.jarvis@catalystcloud.nz>
Co-Authored-By: Takashi Kajinami <kajinamit@oss.nttdata.com>
Signed-off-by: Pavlo Shchelokovskyy <shchelokovskyy@gmail.com>
18 lines
741 B
YAML
---
fixes:
  - |
    The Keystone v3 ec2token end point requires authenticated access. The Heat
    ec2token filter now requires Keystone auth settings to be able to
    verify EC2 credentials. For single cloud mode the ec2token filter will
    look in the ``[ec2authtoken]`` section of the heat configuration for
    keystone authentication settings.

    In multicloud mode keystone auth settings must be supplied in configuration
    file sections names ``[ec2authtoken.<name>]`` .
    The ``[ec2authtoken] clouds`` option should be also configured to define
    the list of names.

    Note that ec2token request will be sent without authentication if
    the legacy settings (``auth_uri`` and ``allowed_auth_uris``) are still
    used.
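A pre-upgrade check for the settings this release note describes, as an added example that is not part of the Heat change itself. It assumes `clouds` is a comma-separated list and that a section carries Keystone auth settings when it sets `auth_type` (an assumed marker; the page does not name the individual auth options). The sample configuration is constructed.

```python
import configparser

LEGACY_KEYS = ("auth_uri", "allowed_auth_uris")  # legacy settings named in the release note
AUTH_MARKER = "auth_type"  # assumption: this option signals Keystone auth settings
BASE = "ec2authtoken"

# Constructed sample heat.conf fragment; cloud names and values are made up.
SAMPLE = """
[ec2authtoken]
clouds = east, west
auth_uri = http://keystone.example/v3

[ec2authtoken.east]
auth_type = password

[ec2authtoken.west]
"""

def audit_ec2authtoken(text):
    """Return a list of findings for the ec2authtoken settings in a heat.conf text."""
    # default_section is renamed so [DEFAULT] values do not leak into other sections;
    # strict=False tolerates repeated keys, interpolation=None tolerates '%'.
    cfg = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__")
    cfg.read_string(text)
    if not cfg.has_section(BASE):
        return [f"missing [{BASE}] section"]
    findings = []
    for key in LEGACY_KEYS:
        if cfg.get(BASE, key, fallback="").strip():
            findings.append(f"legacy option {key} is set in [{BASE}]")
    raw = cfg.get(BASE, "clouds", fallback="")
    clouds = [c.strip() for c in raw.split(",") if c.strip()]
    # Single cloud mode reads [ec2authtoken]; multicloud reads one section per name.
    sections = [f"{BASE}.{c}" for c in clouds] or [BASE]
    for sec in sections:
        if not cfg.has_section(sec):
            findings.append(f"missing [{sec}] section")
        elif not cfg.get(sec, AUTH_MARKER, fallback="").strip():
            findings.append(f"[{sec}] has no {AUTH_MARKER}")
    return findings

if __name__ == "__main__":
    for finding in audit_ec2authtoken(SAMPLE):
        print(finding)
```

A finding for a legacy option corresponds to the case in the note where the ec2token request is sent without authentication.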