From 1f56eb7680145a3c2e3227a189f982c17c50e717 Mon Sep 17 00:00:00 2001 From: Veronika Fisarova Date: Thu, 25 Jun 2026 09:50:24 +0200 Subject: [PATCH] Set service_type in [keystone_authtoken] for access rule validation Without service_type configured, keystonemiddleware cannot validate application credentials with custom access rules, causing HTTP 401 for end users. Closes: OSPRH-22365 Signed-off-by: Veronika Fisarova --- templates/nova/nova.conf | 1 + templates/placement/api/config/placement.conf | 1 + test/functional/nova/novaapi_controller_test.go | 3 ++- test/functional/placement/api_controller_test.go | 4 +++- 4 files changed, 7 insertions(+), 2 deletions(-) diff --git a/templates/nova/nova.conf b/templates/nova/nova.conf index bbaa3231b..1c9ef4554 100644 --- a/templates/nova/nova.conf +++ b/templates/nova/nova.conf @@ -283,6 +283,7 @@ username = {{ .nova_keystone_user }} password = {{ .nova_keystone_password }} {{ end }} region_name = {{ .openstack_region_name }} +service_type = compute # This is part of hardening related to CVE-2023-2088 # https://docs.openstack.org/nova/latest/configuration/config.html#keystone_authtoken.service_token_roles_required # when enabled the service token user must have the service role to be considered valid. diff --git a/templates/placement/api/config/placement.conf b/templates/placement/api/config/placement.conf index 114e956a2..1c8f69685 100644 --- a/templates/placement/api/config/placement.conf +++ b/templates/placement/api/config/placement.conf @@ -33,6 +33,7 @@ project_name = service region_name = {{ .Region }} {{ end -}} interface = internal +service_type = placement [oslo_policy] policy_file=/etc/placement/policy.yaml diff --git a/test/functional/nova/novaapi_controller_test.go b/test/functional/nova/novaapi_controller_test.go index 96ce8d181..5000091c9 100644 --- a/test/functional/nova/novaapi_controller_test.go +++ b/test/functional/nova/novaapi_controller_test.go 
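Review bot: The new `service_type = compute` line has no comment explaining why it exists, while the `service_token_roles_required` hardening right below it is documented at length; a later cleanup could easily drop it or turn it into a template variable and silently reintroduce the 401s the commit message describes. As I understand the keystonemiddleware access-rule check, this value is what the `service` field of an application credential's access rules is matched against, so it has to equal the catalog service type nova is registered under and is deliberately a literal, unlike `region_name` above it. Suggested comment above the line: `# Needed by keystonemiddleware to evaluate application-credential access rules; must match nova's catalog service type or such tokens are rejected with HTTP 401.` The `[keystone_authtoken]` section header itself lies outside the hunk.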
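Review bot: `service_type = placement` is added without a comment, and nothing ties it to the catalog service type under which placement's endpoints are registered (that registration happens elsewhere in the operator and is not visible here); if the two ever diverge, application credentials with access rules presumably go back to failing with 401 as described in the commit message. A one-line note would make the coupling explicit: `# Must match placement's catalog service type; keystonemiddleware uses it to evaluate application-credential access rules.` The `[keystone_authtoken]` section header is outside the hunk.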
@@ -326,10 +326,11 @@ endpoint_service_type = compute`)) cfg, err := ini.Load([]byte(configData)) Expect(err).ShouldNot(HaveOccurred(), "Should be able to parse config as INI") - // Verify region_name in [keystone_authtoken] + // Verify region_name and service_type in [keystone_authtoken] section := cfg.Section("keystone_authtoken") Expect(section).ShouldNot(BeNil(), "Should find [keystone_authtoken] section") Expect(section.Key("region_name").String()).Should(Equal(testRegion)) + Expect(section.Key("service_type").String()).Should(Equal("compute")) // Verify region_name in [placement] section = cfg.Section("placement") diff --git a/test/functional/placement/api_controller_test.go b/test/functional/placement/api_controller_test.go index 1e0ec412d..5ff3d0a48 100644 --- a/test/functional/placement/api_controller_test.go +++ b/test/functional/placement/api_controller_test.go @@ -372,13 +372,15 @@ var _ = Describe("PlacementAPI controller", func() { cm := th.GetSecret(names.ConfigMapName) conf := string(cm.Data["placement.conf"]) - // Verify region_name is set in [keystone_authtoken] section + // Verify region_name and service_type are set in [keystone_authtoken] section // GetRegion() returns Status.Region, so check that Expect(keystoneAPI.Status.Region).ToNot(BeEmpty(), "KeystoneAPI should have a region set in status") // The region_name should appear in the [keystone_authtoken] section (before [oslo_policy]) Expect(conf).Should( MatchRegexp(fmt.Sprintf( `\[keystone_authtoken\][\s\S]*region_name = %s[\s\S]*\[oslo_policy\]`, keystoneAPI.Status.Region))) + Expect(conf).Should( + MatchRegexp(`\[keystone_authtoken\][\s\S]*service_type = placement[\s\S]*\[oslo_policy\]`)) }) It("creates service account, role and rolebindig", func() {
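Review bot: The new `MatchRegexp` assertion can pass with `service_type = placement` in a different section: `[\s\S]*` crosses section headers, and the pattern is not anchored to a line, so a key such as `endpoint_service_type = placement` anywhere between `[keystone_authtoken]` and `[oslo_policy]` would also satisfy it. The region_name regex above has the same looseness, but this line is new. A tighter form is `MatchRegexp(`(?m)\[keystone_authtoken\][^\[]*^service_type = placement$`)`, where `[^\[]*` stops at the next section header and `(?m)` pins the key to its own line; alternatively parse the rendered config with `ini.Load` and check `Section("keystone_authtoken").Key("service_type")`, as the nova test in this same commit does. The enclosing `It` block starts outside the hunk.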