OSASINFRA-3990

gophercloud: Add access rules support for application credentials


    • Type: Task
    • Resolution: Done
    • Priority: Normal
    • Sprint: ShiftStack Sprint 281

This is related to this ORC [bug](https://github.com/k-orc/openstack-resource-controller/issues/596). The [feature spec](https://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/capabilities-app-creds.html) states that:

> 1. When requesting token validation, keystonemiddleware (or any 3rd party application that supports access rule enforcement) sets an Openstack-Identity-Access-Rules header with a version string as its value. Token validation for an application credential with an access rule list will only succeed if this header is present. The version string will allow us to safely extend this feature by invalidating tokens using the extended version in situations where keystonemiddleware only supports an older version of this feature.

> 2. If there is no Openstack-Identity-Access-Rules header in the token validation request, token validation fails.

Here is an example of token validation with and without this header.

Without:
```bash
$ TOKEN=$(openstack token issue -c id -f value)
$ curl -g -i -X GET -H "Accept: application/json" -H "X-Auth-Token: ${TOKEN}" -H "X-Subject-Token: ${TOKEN}" "https://mycloud.com:13000/v3/auth/tokens"
HTTP/1.1 404 NOT FOUND
date: Wed, 10 Dec 2025 16:49:55 GMT
server: Apache
content-length: 80
vary: X-Auth-Token
x-openstack-request-id: req-77b5fd64-8267-4038-88b7-23c77ea92c44
content-type: application/json

{"error":{"code":404,"message":"Failed to validate token","title":"Not Found"}}
```

With:
```bash
$ TOKEN=$(openstack token issue -c id -f value)
$ curl -H "OpenStack-Identity-Access-Rules: 1" -H "Accept: application/json" -H "X-Auth-Token: ${TOKEN}" -H "X-Subject-Token: ${TOKEN}" "https://mycloud.com:13000/v3/auth/tokens" 2>/dev/null | jq .token.expires_at
"2025-12-11T10:35:25.000000Z"
```

When authenticating to services other than Keystone that use keystonemiddleware, you won't hit this issue, because the middleware sets the header unconditionally for all token validation requests:
https://opendev.org/openstack/keystonemiddleware/src/branch/master/keystonemiddleware/auth_token/_identity.py#L24
https://opendev.org/openstack/keystonemiddleware/src/branch/master/keystonemiddleware/auth_token/_identity.py#L51

This means the header only needs to be set for direct Keystone requests; it is already set by every service that uses keystonemiddleware.
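As an added example (not part of this issue or of gophercloud itself), the following Go code shows a client transport that injects the header on every request, as keystonemiddleware does, exercised against a stub Keystone that reproduces the 404-without-header / 200-with-header behaviour shown above. The stub, its responses and the token value are constructed for the example; `AccessRulesHeader`, `NewKeystoneClient`, `ValidateToken` and `FakeKeystone` are names chosen here.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Header/version Keystone expects for tokens bound to an app credential with access rules.
const AccessRulesHeader = "OpenStack-Identity-Access-Rules"
const AccessRulesVersion = "1"
// accessRulesTransport adds the header to every request, as keystonemiddleware does unconditionally.
type accessRulesTransport struct{ base http.RoundTripper }
func (t accessRulesTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	req := r.Clone(r.Context()) // never mutate the caller's request
	req.Header.Set(AccessRulesHeader, AccessRulesVersion)
	return t.base.RoundTrip(req)
}
// NewKeystoneClient returns an http.Client for direct Keystone calls.
func NewKeystoneClient() *http.Client {
	return &http.Client{Transport: accessRulesTransport{base: http.DefaultTransport}}
}

// ValidateToken does GET /v3/auth/tokens like the curl examples and returns the status code.
func ValidateToken(c *http.Client, keystoneURL, token string) (int, error) {
	req, err := http.NewRequest(http.MethodGet, keystoneURL+"/v3/auth/tokens", nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("X-Auth-Token", token)
	req.Header.Set("X-Subject-Token", token)
	resp, err := c.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// FakeKeystone is a constructed stub: an access-rule-bound token fails with 404 unless the header is sent.
func FakeKeystone() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(AccessRulesHeader) == "" {
			w.WriteHeader(http.StatusNotFound)
			fmt.Fprint(w, `{"error":{"code":404,"message":"Failed to validate token","title":"Not Found"}}`)
			return
		}
		fmt.Fprint(w, `{"token":{"expires_at":"2025-12-11T10:35:25.000000Z"}}`)
	}))
}
```

Validating with `http.DefaultClient` against the stub yields 404, while `NewKeystoneClient()` yields 200; plugging the same transport into a real client is all that is needed for direct Keystone calls.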

              eshulman Ella Shulman