yahoo-eng-team team mailing list archive

[Bug 1488347] Re: Can't specify identity endpoint for token validation among several keystone servers in keystonemiddleware

A related conversation is occurring on the mailing list [1]. It sounds
like this is a regression with the introduction of auth plugins to
keystonemiddleware (Jamie, correct me if I'm wrong), so you might want
to try using an older version of keystonemiddleware as a workaround.

[1]: http://lists.openstack.org/pipermail/openstack-dev/2015-August/072521.html

** Project changed: keystone => keystonemiddleware

** Changed in: keystonemiddleware
   Importance: Undecided => Medium

** Changed in: keystonemiddleware
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1488347

Title:
  Can't specify identity endpoint for token validation among several
  keystone servers in keystonemiddleware

Status in keystonemiddleware:
  Confirmed

Bug description:
  Issue: Can't specify identity endpoint among several keystone servers
  in keystonemiddleware

  A prototype was executed to verify that the Keystone fernet token can
  work in a multi-site OPNFV cloud (in OpenStack terms, multi-OpenStack
  regions): https://etherpad.opnfv.org/p/multisite_identity_management.

  The requirement is "a user should, using a single authentication point
  be able to manage virtual resources spread over multiple OpenStack
  regions"

  We have two regions, Kista and Solna, each with a Keystone server
  installed. These two Keystone servers have a MySQL cluster as the
  backend: the master MySQL cluster is in Kista, and the slave MySQL
  cluster in Solna is configured for async-replication from
  the Kista MySQL cluster, therefore the data in Keystone database.

  root@51fa2177d59d:~# openstack endpoint list
  +----------------------------------+--------+--------------+--------------+---------+-----------+--------------------------+
  | ID                               | Region | Service Name | Service Type | Enabled | Interface | URL                      |
  +----------------------------------+--------+--------------+--------------+---------+-----------+--------------------------+
  | 09977a67a5fd4231bf54bfdbfc311b4e | Solna  | keystone     | identity     | True    | internal  | http://172.17.0.98:5000  |
  | 18389f1ff42640cf905351a7f9b8a6f7 | Kista  | glance       | image        | True    | internal  | http://172.17.0.41:9292  |
  | 3bd662e362e24f45a9db2b77ad0682bb | Solna  | glance       | image        | True    | internal  | http://172.17.0.119:9292 |
  | 425b14d499264aa1bad8170a99afce88 | Kista  | keystone     | identity     | True    | admin     | http://172.17.0.36:35357 |
  | 60a02a99078642d0974843323bbb8836 | Solna  | glance       | image        | True    | public    | http://172.17.0.119:9292 |
  | 712d42d06ade4fedb8820e6f6ed33574 | Kista  | glance       | image        | True    | public    | http://172.17.0.41:9292  |
  | 8000a62a8406437dad4759960bad837f | Kista  | keystone     | identity     | True    | public    | http://172.17.0.36:5000  |
  | a7ec590712364e9f876f0b82d1879a99 | Kista  | keystone     | identity     | True    | internal  | http://172.17.0.36:5000  |
  | b253565ee000417ab9b3d7ab3f4b4d48 | Solna  | keystone     | identity     | True    | admin     | http://172.17.0.98:35357 |
  | bf9d05de9be64f5bb886959eb6bb367d | Solna  | glance       | image        | True    | admin     | http://172.17.0.119:9292 |
  | d1cb2f7d7d594199909b14a0004f37fe | Kista  | glance       | image        | True    | admin     | http://172.17.0.41:9292  |
  | eab9fbcb129741728bc72f36b72e27e2 | Solna  | keystone     | identity     | True    | public    | http://172.17.0.98:5000  |
  +----------------------------------+--------+--------------+--------------+---------+-----------+--------------------------+

  Even though the glance in Solna is configured with the Solna Keystone
  server for local fernet token validation, the token validation request
  was still routed to the Kista Keystone; it doesn't work as expected.

  The following doc describes the issue in detail:
  https://docs.google.com/document/d/1pvYWQprRH3jnzX2j-zQwAErdPWg9zwkguSyLx1EBKas/edit

  And this doc provides a patch to show how to make the configuration
  item take effect for local token validation:
  https://docs.google.com/document/d/1258g0VTC4wktevo2ymS7SaNhDeY8-S2QWY45them7ZM/edit#
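
An added example, not part of the bug report and not keystonemiddleware's code: it parses the endpoint list above and shows that an identity lookup by service type and interface alone matches both the Kista and Solna servers, while adding a region filter leaves exactly one. The function names and the selection logic are illustrative assumptions.

```python
from collections import defaultdict

# Constructed input: header and rows copied from the endpoint list in the report.
ENDPOINT_TABLE = """\
| ID                               | Region | Service Name | Service Type | Enabled | Interface | URL                      |
| 09977a67a5fd4231bf54bfdbfc311b4e | Solna  | keystone     | identity     | True    | internal  | http://172.17.0.98:5000  |
| 18389f1ff42640cf905351a7f9b8a6f7 | Kista  | glance       | image        | True    | internal  | http://172.17.0.41:9292  |
| 3bd662e362e24f45a9db2b77ad0682bb | Solna  | glance       | image        | True    | internal  | http://172.17.0.119:9292 |
| 425b14d499264aa1bad8170a99afce88 | Kista  | keystone     | identity     | True    | admin     | http://172.17.0.36:35357 |
| 60a02a99078642d0974843323bbb8836 | Solna  | glance       | image        | True    | public    | http://172.17.0.119:9292 |
| 712d42d06ade4fedb8820e6f6ed33574 | Kista  | glance       | image        | True    | public    | http://172.17.0.41:9292  |
| 8000a62a8406437dad4759960bad837f | Kista  | keystone     | identity     | True    | public    | http://172.17.0.36:5000  |
| a7ec590712364e9f876f0b82d1879a99 | Kista  | keystone     | identity     | True    | internal  | http://172.17.0.36:5000  |
| b253565ee000417ab9b3d7ab3f4b4d48 | Solna  | keystone     | identity     | True    | admin     | http://172.17.0.98:35357 |
| bf9d05de9be64f5bb886959eb6bb367d | Solna  | glance       | image        | True    | admin     | http://172.17.0.119:9292 |
| d1cb2f7d7d594199909b14a0004f37fe | Kista  | glance       | image        | True    | admin     | http://172.17.0.41:9292  |
| eab9fbcb129741728bc72f36b72e27e2 | Solna  | keystone     | identity     | True    | public    | http://172.17.0.98:5000  |
"""
FIELDS = ("id", "region", "service_name", "service_type", "enabled", "interface", "url")

def parse_endpoints(table):
    """Turn the CLI table text into a list of dicts, one per endpoint row."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != len(FIELDS) or cells[0] == "ID":
            continue  # skip border lines and the header row
        rows.append(dict(zip(FIELDS, cells)))
    return rows

def select_urls(endpoints, service_type, interface, region=None):
    """Illustrative lookup: URLs of enabled endpoints matching the filters, in table order."""
    return [e["url"] for e in endpoints
            if e["enabled"] == "True" and e["service_type"] == service_type
            and e["interface"] == interface
            and (region is None or e["region"] == region)]

def ambiguous_lookups(endpoints):
    """(service type, interface) pairs that exist in more than one region."""
    regions = defaultdict(set)
    for e in endpoints:
        regions[(e["service_type"], e["interface"])].add(e["region"])
    return {k: sorted(v) for k, v in regions.items() if len(v) > 1}

if __name__ == "__main__":
    eps = parse_endpoints(ENDPOINT_TABLE)
    print(select_urls(eps, "identity", "admin"))                  # both regions match
    print(select_urls(eps, "identity", "admin", region="Solna"))  # one match
    print(ambiguous_lookups(eps))
```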
