While building my own OpenStack cloud on physical servers I realized that Keystone uses a temporary authorization token in the Create the service entity and API endpoint and Create projects, users, and roles steps.
The Verify operation step makes reference to removing this mechanism however my current devstack installations have not done this.
To verify this I use the SERVICE_TOKEN as defined in my devstack/local.conf and the Keystone Admin URL.
$ openstack --os-token=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee --os-url=http://controller:35357/v2.0 user list +----------------------------------+----------------------------------+ | ID | Name | +----------------------------------+----------------------------------+ | 554209509f5b47e286e0379bcbf66762 | admin | | 59ac0457a80d449c9dac3b66848f2b5b | demo | | 8aab962698f9460692efb8d3aab35886 | verify_tempest_config-1304647972 | | 8b602467cd9045888687987067cbd3f6 | alt_demo | | a134c3b33e94475fb5398643dd816053 | glance | | c68c68579ec0437094a14dfbc4728224 | cinder | | e65bd34ca85a429ea5c56bf980f77d67 | nova | +----------------------------------+----------------------------------+
Removing the configuration settings as documented from /etc/keystone/keystone-paste.ini as documented DOES NOT disable this level of access.
NOTE: This edit removes the admin_token_auth option from the pipeline setting in the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections.
$ sudo sed -ie "s/ admin_token_auth / /" /etc/keystone/keystone-paste.ini
$ openstack --os-token=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee --os-url=http://controller:35357/v2.0 user list +----------------------------------+----------------------------------+ | ID | Name | +----------------------------------+----------------------------------+ | 554209509f5b47e286e0379bcbf66762 | admin | | 59ac0457a80d449c9dac3b66848f2b5b | demo | | 8aab962698f9460692efb8d3aab35886 | verify_tempest_config-1304647972 | | 8b602467cd9045888687987067cbd3f6 | alt_demo | | a134c3b33e94475fb5398643dd816053 | glance | | c68c68579ec0437094a14dfbc4728224 | cinder | | e65bd34ca85a429ea5c56bf980f77d67 | nova | +----------------------------------+----------------------------------+
An additional (and not presently documented step) of restarting apache is needed to invalidate this access.
$ sudo service apache2 restart
$ openstack --os-token=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee --os-url=http://controller:35357/v2.0 user list ERROR: openstack Could not find token: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-617961b7-012a-4d61-bdfb-aa738b8f788f)
The results for the command as shown can be produced by using the user/password credentials with the Keystone public URL.
$ openstack --os-username=admin --os-password=passwd --os-project-name=admin --os-auth-url=http://localhost:5000/ user list +----------------------------------+----------------------------------+ | ID | Name | +----------------------------------+----------------------------------+ | 554209509f5b47e286e0379bcbf66762 | admin | | 59ac0457a80d449c9dac3b66848f2b5b | demo | | 8aab962698f9460692efb8d3aab35886 | verify_tempest_config-1304647972 | | 8b602467cd9045888687987067cbd3f6 | alt_demo | | a134c3b33e94475fb5398643dd816053 | glance | | c68c68579ec0437094a14dfbc4728224 | cinder | | e65bd34ca85a429ea5c56bf980f77d67 | nova | +----------------------------------+----------------------------------+