Skip to content

Commit 31edca4

Browse files
Deydra71openshift-merge-bot[bot]
authored andcommitted
Set service_type in [keystone_authtoken] for access rule validation
Without service_type configured, keystonemiddleware cannot validate application credentials with custom access rules, causing HTTP 401 for end users. Closes: OSPRH-22365 Signed-off-by: Veronika Fisarova <vfisarov@redhat.com>
1 parent b50a660 commit 31edca4

4 files changed

Lines changed: 7 additions & 2 deletions

File tree

templates/nova/nova.conf

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -283,6 +283,7 @@ username = {{ .nova_keystone_user }}
283283
password = {{ .nova_keystone_password }}
284284
{{ end }}
285285
region_name = {{ .openstack_region_name }}
286+
service_type = compute
286287
# This is part of hardening related to CVE-2023-2088
287288
# https://docs.openstack.org/nova/latest/configuration/config.html#keystone_authtoken.service_token_roles_required
288289
# when enabled the service token user must have the service role to be considered valid.

templates/placement/api/config/placement.conf

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,7 @@ project_name = service
3333
region_name = {{ .Region }}
3434
{{ end -}}
3535
interface = internal
36+
service_type = placement
3637

3738
[oslo_policy]
3839
policy_file=/etc/placement/policy.yaml

test/functional/nova/novaapi_controller_test.go

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -326,10 +326,11 @@ endpoint_service_type = compute`))
326326
cfg, err := ini.Load([]byte(configData))
327327
Expect(err).ShouldNot(HaveOccurred(), "Should be able to parse config as INI")
328328

329-
// Verify region_name in [keystone_authtoken]
329+
// Verify region_name and service_type in [keystone_authtoken]
330330
section := cfg.Section("keystone_authtoken")
331331
Expect(section).ShouldNot(BeNil(), "Should find [keystone_authtoken] section")
332332
Expect(section.Key("region_name").String()).Should(Equal(testRegion))
333+
Expect(section.Key("service_type").String()).Should(Equal("compute"))
333334

334335
// Verify region_name in [placement]
335336
section = cfg.Section("placement")

test/functional/placement/api_controller_test.go

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -372,13 +372,15 @@ var _ = Describe("PlacementAPI controller", func() {
372372
cm := th.GetSecret(names.ConfigMapName)
373373
conf := string(cm.Data["placement.conf"])
374374

375-
// Verify region_name is set in [keystone_authtoken] section
375+
// Verify region_name and service_type are set in [keystone_authtoken] section
376376
// GetRegion() returns Status.Region, so check that
377377
Expect(keystoneAPI.Status.Region).ToNot(BeEmpty(), "KeystoneAPI should have a region set in status")
378378
// The region_name should appear in the [keystone_authtoken] section (before [oslo_policy])
379379
Expect(conf).Should(
380380
MatchRegexp(fmt.Sprintf(
381381
`\[keystone_authtoken\][\s\S]*region_name = %s[\s\S]*\[oslo_policy\]`, keystoneAPI.Status.Region)))
382+
Expect(conf).Should(
383+
MatchRegexp(`\[keystone_authtoken\][\s\S]*service_type = placement[\s\S]*\[oslo_policy\]`))
382384
})
383385

384386
It("creates service account, role and rolebindig", func() {

0 commit comments

Comments
 (0)