yahoo-eng-team team mailing list archive

[Bug 1081221] Re: Keystone POST /tokens response does not contain all endpoints

 

Thanks, Henrique!

** Changed in: keystone
       Status: Triaged => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1081221

Title:
  Keystone POST /tokens response does not contain all endpoints

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  This scenario occurs under the following conditions:

  * A service of a given type (for example 'compute') is registered in keystone.
  * There is more than 1 endpoint in keystone for the associated service's type for a given region. For example there are 2 different endpoints in keystone, both for the compute service of the 'compute' type and both in the region 'RegionOne'.

  In the above scenario a response from the POST /tokens API only
  returns a single endpoint per service type (per region). So for
  example in the above scenario my endpoint catalog in the POST /tokens
  response would only include 1 'compute' service endpoint -- the other
  is not returned.

  Note that in this scenario you can still use the admin API for GET
  /services -- this will return all endpoints regardless of if there are
  multiple endpoints for a single service.

  See keystone.catalog.backend.sql.get_catalog()

  To repro, use the SQL catalog driver:
  * Define a service of type 'compute'
  * Define 2 different endpoints which contain different urls but both endpoint definitions are for the service created in the previous step. Both of these endpoints should be defined using the same region.
  * Use POST /tokens on keystone to authenticate.
  * Inspect the response token.
  ==> You will see it only includes 1 endpoint definition for the 'compute' service.

  Example from my system using MySQL backed catalog:

  (1) My keystone.service table has the following service defined:

  | d0912023a0304d5191ca95d59b19c8e0 | compute          | {"description": "Nova Compute Service", "name": "nova"}

  (2) My keystone.endpoint table has the following endpoints associated
  with that service:

  | d2299650573a46cf8ff7eebb6f7871dc | RegionOne    | d0912023a0304d5191ca95d59b19c8e0 | {"adminurl": "http://localhost:8774/v2/%(tenant_id)s", "internalurl": "http://localhost:8774/v2/%(tenant_id)s", "publicurl": "http://localhost:8774/v2/%(tenant_id)s"} |

  | 80d2546f347d41f8b10a313f1bbf4726 | RegionOne    | d0912023a0304d5191ca95d59b19c8e0 | {"publicurl":"http://somehost:8992/v2"} |

  | 27aeb73ff319405f946fe1fff785b3fb | us-southeast | d0912023a0304d5191ca95d59b19c8e0 | {"adminurl": "http://us-se.ibm.com:4302/v2.0", "internalurl": "http://us-se.ibm.com:4301/v2.0", "publicurl": "http://us-se.ibm.com:4300/v2.0"} |

  (3) A POST /tokens response to obtain an admin user scoped token
  contains the following endpoints for 'compute':

  
  "endpoints":[
              {
                  "adminURL":"http://localhost:8774/v2/6f8945f2d47f4abea149b7a0176b12a8",
                  "region":"RegionOne",
                  "publicURL":"http://localhost:8774/v2/6f8945f2d47f4abea149b7a0176b12a8",
                  "internalURL":"http://localhost:8774/v2/6f8945f2d47f4abea149b7a0176b12a8",
                  "id":"d2299650573a46cf8ff7eebb6f7871dc"
              },
              {
                  "adminURL":"http://us-se.ibm.com:4302/v2.0",
                  "region":"us-southeast",
                  "publicURL":"http://us-se.ibm.com:4300/v2.0",
                  "internalURL":"http://us-se.ibm.com:4301/v2.0",
                  "id":"27aeb73ff319405f946fe1fff785b3fb"
              }
          ],
      "type":"compute",
      "name":"nova"
  },

  
  As shown in the JSON snippet below, only 1 of the RegionOne compute endpoints is in the token's catalog.

  
  Additional Notes:
  * I don't believe this scenario is valid using the templated driver as it appears the template format is not robust enough to allow you to define multiple endpoints per service. I could be wrong, but IMO something like SQL is more realistic anyway.
  * There is a similar issue here if you try to define multiple services of the same type (for example 'compute') but each service having its own name and description. In this case you only get 1 of the services since the catalog is indexed by region/type and hence you get at most 1 service of a given type per region.

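
The indexing behaviour described in the report's last note, as an added illustration (not Keystone's code and not part of the original report): a catalog with one slot per region/type pair keeps only one endpoint when two share the pair, and a grouping check over the endpoint rows shows which registrations collide. The function names and row tuples are constructed, and the row order is an assumption chosen so the surviving endpoint matches the response shown in the report.

```python
from collections import defaultdict

# Constructed rows mirroring the report's endpoint table:
# (endpoint_id, region, service_type, publicurl). Row order is an assumption,
# chosen so the surviving RegionOne endpoint matches the response in the report.
ROWS = [
    ("80d2546f347d41f8b10a313f1bbf4726", "RegionOne", "compute",
     "http://somehost:8992/v2"),
    ("d2299650573a46cf8ff7eebb6f7871dc", "RegionOne", "compute",
     "http://localhost:8774/v2/%(tenant_id)s"),
    ("27aeb73ff319405f946fe1fff785b3fb", "us-southeast", "compute",
     "http://us-se.ibm.com:4300/v2.0"),
]


def catalog_keyed_by_region_type(rows):
    """Hypothetical builder: one slot per (region, type), so a later row
    silently replaces an earlier one with the same key."""
    catalog = {}
    for ep_id, region, svc_type, url in rows:
        catalog.setdefault(region, {})[svc_type] = {"id": ep_id, "publicURL": url}
    return catalog


def colliding_endpoints(rows):
    """Audit check: (region, type) keys that more than one endpoint maps to."""
    groups = defaultdict(list)
    for ep_id, region, svc_type, _url in rows:
        groups[(region, svc_type)].append(ep_id)
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def dropped_endpoint_ids(rows):
    """Endpoint IDs present in the rows but missing from the keyed catalog."""
    catalog = catalog_keyed_by_region_type(rows)
    kept = {entry["id"] for types in catalog.values() for entry in types.values()}
    return [row[0] for row in rows if row[0] not in kept]


if __name__ == "__main__":
    print("collisions:", colliding_endpoints(ROWS))
    print("dropped:", dropped_endpoint_ids(ROWS))
```

Which of the colliding endpoints survives depends only on the order in which the rows are processed, so the grouping check is the reliable way to see what a client will not receive.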