keystone/releasenotes/notes/bug-1843609-8498b132222596b7.yaml
Lance Bragstad 8f43b9cab0 Make system tokens work with domain-specific drivers
When calling certain group or user APIs, keystone logic would attempt
to figure out the domain to scope responses to. This was specific to
enabling domain-specific driver support, where each domain is backed
by a different identity store. This functionality is turned off by
default. Since system-scoped tokens are not associated to a domain
(unlike project-scoped tokens or domain-scoped tokens), the logic to
determine a domain from a system-scoped token was breaking and
returning an erroneous HTTP 401 Unauthorized when system users
attempted to list users or groups.

This commit adds support for domain detection with system-scoped
tokens.

Change-Id: I8f0f7a623a1741f461493d872849fae7ef3e8077
Closes-Bug: 1843609
2019-09-13 13:55:57 +00:00


---
fixes:
  - |
    [`bug 1843609 <https://bugs.launchpad.net/keystone/+bug/1843609>`]
    Fixed an issue where system-scoped tokens couldn't be used to list users
    and groups (e.g., GET /v3/users or GET /v3/groups) if ``keystone.conf
    [identity] domain_specific_drivers_enabled=True`` and the API would
    return an ``HTTP 401 Unauthorized``. These APIs now recognize
    system-scoped tokens when using domain-specific drivers.
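
The failure mode described above, as an added example that is not keystone's code: a simplified scope-to-domain resolver with no branch for system scope falls through to the 401 path, while a version with an explicit system-scope branch does not and still rejects tokens that carry no scope at all. The `Token` model, the function names, the lookup order and the choice to return `None` (no single domain implied) for system scope are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Optional


class Unauthorized(Exception):
    """Stands in for the HTTP 401 Unauthorized response."""


@dataclass
class Token:
    # Simplified token model, constructed for this example.
    system_scoped: bool = False
    domain_id: Optional[str] = None          # set on domain-scoped tokens
    project_domain_id: Optional[str] = None  # set on project-scoped tokens


def domain_for_list_before(token, filters, domain_specific_drivers_enabled):
    """Resolve the domain for a list call; has no branch for system scope."""
    if not domain_specific_drivers_enabled:
        return None                      # default config: no domain needed
    if filters.get("domain_id"):
        return filters["domain_id"]      # explicit filter is used first
    if token.domain_id:
        return token.domain_id
    if token.project_domain_id:
        return token.project_domain_id
    # A system-scoped token carries no domain, so it ends up here.
    raise Unauthorized("no domain information in list request")


def domain_for_list_after(token, filters, domain_specific_drivers_enabled):
    """Same resolution, with system scope recognised explicitly."""
    if not domain_specific_drivers_enabled:
        return None
    if filters.get("domain_id"):
        return filters["domain_id"]
    if token.system_scoped:
        return None                      # assumption: no single domain implied
    if token.domain_id:
        return token.domain_id
    if token.project_domain_id:
        return token.project_domain_id
    # Tokens with no scope at all are still rejected (fail closed).
    raise Unauthorized("no domain information in list request")
```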