
yahoo-eng-team team mailing list archive

[Bug 1661503] [NEW] If public_endpoint is set, the first call will be always public endpoint

 

Public bug reported:

I have set up a keystone service (Mitaka) on Ubuntu,
and it seems that the first call will always be to keystone's public API URL
when you have set "public_endpoint" in keystone.conf.

For example, when I do the following openstack commands, I always get
the following error.

$ubuntu@client:~$ openstack token issue
Unable to establish connection to http://10.12.2.2:5000/fuga/v3/auth/tokens

Keystone's endpoints are like this:
public:   http://10.12.2.2:5000/fuga/v3
admin:    http://10.12.1.2:35357/fuga/v3
internal: http://10.12.3.2:5000/fuga/v3

The openstack client is installed on a client node, which is separate from the keystone node,
and this client node has no network access to the public API network.
So if it is accessing the public API, this is expected, but I have set the env variables like this:

ubuntu@client:~$ env | grep OS_
OS_USER_DOMAIN_NAME=default
OS_PROJECT_NAME=admin
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=openstack
OS_AUTH_URL=http://10.12.1.2:35357/fuga/v3
OS_USERNAME=admin
OS_INTERFACE=admin
OS_PROJECT_DOMAIN_NAME=default

Therefore, my expectation is that API access goes only through the admin URL.
I have also tried with the internal API URL, but get the same error.

And of course, if the client node has public API network access, the openstack client works perfectly.
Also, if you just do not use the special path for the API URLs, that is, by not setting "public_api", it also works perfectly.

According to this:
https://github.com/openstack/keystone/blob/stable/mitaka/keystone/version/service.py#L160
the "public" string is given, and here:
https://github.com/openstack/keystone/blob/stable/mitaka/keystone/common/wsgi.py#L372
the string is combined with "_endpoint", which becomes "public_endpoint",
and if the URL is set, this public URL will be the initial access.

I have attached some info,
- /etc/keystone/keystone.conf
- /etc/apache2/sites-enabled/wsgi-keystone.conf
- output with debug option

** Affects: keystone
     Importance: Undecided
         Status: New

** Attachment added: "debugoutput-openstackclient.txt"
   https://bugs.launchpad.net/bugs/1661503/+attachment/4812390/+files/debugoutput-openstackclient.txt

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1661503

Title:
  If public_endpoint is set, the first call will be always public
  endpoint

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1661503/+subscriptions
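
The lookup the report describes can be modelled in a few lines. This is an added example, not code from the report or from keystone: it is a simplified model in which the endpoint type plus "_endpoint" selects a config value that is advertised in the version document, and a client that follows that link sends its token request there. The `CONF` values and all function names are assumptions; keystone.conf is attached to the bug but not shown on this page.

```python
from urllib.parse import urlsplit

# Constructed config: the page does not show keystone.conf, so this
# public_endpoint value is an assumption inferred from the error URL.
CONF = {"public_endpoint": "http://10.12.2.2:5000/fuga", "admin_endpoint": None}
OS_AUTH_URL = "http://10.12.1.2:35357/fuga/v3"  # from the report's environment


def base_url(conf, endpoint_type, request_base):
    """Configured '<type>_endpoint' wins; otherwise echo the URL the request used."""
    return (conf.get(endpoint_type + "_endpoint") or request_base).rstrip("/")


def version_document(conf, endpoint_type, request_base):
    """Simplified v3 discovery response whose 'self' link comes from base_url()."""
    href = base_url(conf, endpoint_type, request_base) + "/v3/"
    return {"version": {"id": "v3", "links": [{"rel": "self", "href": href}]}}


def discovered_token_url(doc):
    """Model of a client that follows the advertised 'self' link for auth."""
    links = doc["version"]["links"]
    href = next(link["href"] for link in links if link["rel"] == "self")
    return href.rstrip("/") + "/auth/tokens"


def leaves_auth_network(auth_url, token_url):
    """True when discovery moves the client off OS_AUTH_URL's host:port."""
    return urlsplit(auth_url).netloc != urlsplit(token_url).netloc


def diagnose(conf, endpoint_type, auth_url):
    """Return (token URL the client will use, whether it left OS_AUTH_URL's host)."""
    request_base = auth_url.rsplit("/v3", 1)[0]
    doc = version_document(conf, endpoint_type, request_base)
    url = discovered_token_url(doc)
    return url, leaves_auth_network(auth_url, url)


if __name__ == "__main__":
    # Hard-coded "public", as the report describes: OS_AUTH_URL is overridden.
    print(diagnose(CONF, "public", OS_AUTH_URL))
    # Using the type the request arrived on keeps the client on the admin URL.
    print(diagnose(CONF, "admin", OS_AUTH_URL))
```

With the "public" lookup the model reproduces the URL in the reported error, and the host mismatch check is the same comparison an operator can make between `OS_AUTH_URL` and the `self` link in a real version document.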

