← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #53464

[Bug 1567025] Re: Can't use TokenManager. authenticate() with publicurl

  Thread PreviousDate PreviousThread Next 
Is there a patch up for this? It was filed under the "wrong" project, so
the bots would not have been able to link a patch.

** Project changed: keystone => python-keystoneclient

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1567025

Title:
  Can't use TokenManager. authenticate() with publicurl

Status in python-keystoneclient:
  Triaged

Bug description:
  See attached example.py for sample code and context.

  Create a v2 client object:

  * Use publicurl as the auth_url endpoint
  * Use credentials that confer an admin role

  Call client.tokens.authenticate() using any valid token/tenant_id.

  The call fails when adminurl is unreachable.

  Expectation is that publicurl would be used as the auth_url endpoint,
  however ...

  From https://github.com/openstack/python-
  keystoneclient/blob/5a7f800e271695f21809d6251e91f6ac8e13ce23/keystoneclient/v2_0/tokens.py#L62-L69

   # NOTE(jamielennox): try doing a regular admin query first. If there is
   # no endpoint that can satisfy the request (eg an unscoped token) then
   # issue it against the auth_url.
   try:
       token_ref = self._post(*args, **kwargs)
   except exceptions.EndpointNotFound:
       kwargs['endpoint_filter'] = {'interface': auth.AUTH_INTERFACE}

  Our keystone adminurl is intentionally on a private network and
  *unreachable* from where example.py is running (in a VM).

  After quite a while, an exception is raised
  (keystoneauth1.exceptions.ConnectFailure) and auth_url is never tried.

  Meanwhile, a direct API call, skipping python-keystoneclient, works
  fine:

  * POST to publicurl, /v2/tokens, from the same location/VM
  * Use X-Auth-Token of someone with an admin role
  * Pass in the same valid token/tenant_id as before.

  Additionally, a CLI call such as "nova list" (using the same
  credentials and conferred admin role) also works.

To manage notifications about this bug go to:
https://bugs.launchpad.net/python-keystoneclient/+bug/1567025/+subscriptions

References

  Thread PreviousDate PreviousThread Next