Reverting default keystone API to v2.0

Although keystone v2 has been deprecated, no services use v3 for authorization. So passing a v3 token_id to other services results in authorization errors. If the user logs into a domain other than "default" the user see only unauthorized errors. Currently, when logging into the "default" domain these authorization errors do not occur merely because of a bug in keystone that does not validate the token version. This will likely change some time in the non-distant future. Setting the keystone API version to v2.0 is the safest path for now. Not doing a full revert because the rest of the fixes the previous patch were valid and required. Closes-Bug: #1294396 Change-Id: I3583e729b5a006f9b7f5cbbe3388908c15de39ae
openstack-archive · Mar 18, 2014 · 7ff6236 · 7ff6236
1 parent aa79d1a
commit 7ff6236
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/openstack_auth/utils.py b/openstack_auth/utils.py
@@ -141,7 +141,7 @@ def is_safe_url(url, host=None):
 # Helper for figuring out keystone version
 # Implementation will change when API version discovery is available
 def get_keystone_version():
-    return getattr(settings, 'OPENSTACK_API_VERSIONS', {}).get('identity', 3)
+    return getattr(settings, 'OPENSTACK_API_VERSIONS', {}).get('identity', 2.0)
 
 
 def get_keystone_client():